Openwall GNU/*/Linux - a small security-enhanced Linux distro for servers
[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Date: Fri, 6 Dec 2019 16:14:42 +0300
From: ValdikSS <iam@...dikss.org.ru>
To: oss-security@...ts.openwall.com
Cc: "William J. Tolley" <william@...akpointingbad.com>,
 Noel Kuntze <noel.kuntze+oss-security@...rmi.consulting>
Subject: Re: [CVE-2019-14899] Inferring and hijacking VPN-tunneled TCP
 connections.

Please also note that my kind of attack could be performed over the Internet, without direct
connectivity between the attacker and victim, Wi-Fi network or anything.

It has been tested in a real-world Internet environment in 2015, and it worked flawlessly.


On 06.12.2019 16:07, ValdikSS wrote:
> Please also check my article on this topic from 2015
> https://medium.com/@ValdikSS/another-critical-vpn-vulnerability-and-why-port-fail-is-bullshit-352b2ebd22e2
> 
> I used the same technique but with UDP, and it works (at least worked) with Linux, OS X, Windows and Android.
> 
> I used it with old p2p Skype, which allowed to get users' IP address using special "resolver" software or services,
> by user nick name. After getting IP address, you could send UDP packet to the user from your IP address (without
> spoofing) and receive the reply from Skype user, but with VPN source IP address, which allowed to detect
> whether the exact Skype user is connected to the VPN, and to which one, given that his connection is direct (without NAT).
> 
> This also (still) applies to Bittorrent uTP protocol.
> 
> 
> On 05.12.2019 05:38, unknown wrote:
>> Posted by William J. Tolley on Dec 04
>>
>> Hi all,
>>
>> I am reporting a vulnerability that exists on most Linux distros, and
>> other *nix operating systems which allows a network adjacent attacker
>> to determine if another user is connected to a VPN, the virtual IP
>> address they have been assigned by the VPN server, and whether or not
>> there is an active connection to a given website. Additionally, we are
>> able to determine the exact seq and ack numbers by counting encrypted
>> packets and/or...
>>
>>
> 
> 



Download attachment "signature.asc" of type "application/pgp-signature" (869 bytes)

Powered by blists - more mailing lists

Your e-mail address:

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.