Date: Thu, 21 Jan 1999 01:18:50 -0800 From: John Stanley <stanley@PEAK.ORG> Subject: WebRamp M3 remote network access bug To: BUGTRAQ@NETSPACE.ORG I have not seen this problem mentioned on this list. I defer to the moderator's memory and hope this is valuable information... The WebRamp M3 is a small SOHO router with 4 10baseT ports on the local side and three serial ports on the remote side. It acts as the net gateway and makes dial-up PPP connections automatically when necessary. It also has NAT functions, so you can use a non-routable local network address and still communicate worldwide. It monitors the load through the first modem and will make a second dialup connection if the load is higher than a configurable value. It will make a third connection if the first two are reaching capacity. It will not split one connection across two modems, however, so when you ftp the latest source from somewhere, you are stuck with single-modem speeds. You can define what they call a "visible computer", which is simply a default local IP address to which the M3 will pass all otherwise unknown packets from the outside. Unless you configure the M3 otherwise, smtp, nfsd, routed, etc connections from the outside go to the visible computer. You can also disable visible computer. The M3 has a rather cryptic command language that can be accessed via a command serial port or via a telnet connection. It also has a web-based admin capability. All in all, it is a rather nice little box, EXCEPT... I had a visible computer enabled so I could track where outside packets were coming from. I started doing this because the M3 has a problem determining activity. It is supposed to time out after a set time if there is no activity, but it counts the reception of any packet from the outside as activity, even if the packet is never sent to the local side of the net. I wanted to see where the activity was coming from[%]. Then I turned "visible computer" off. To test that it was really off, I tried telnetting into my network from outside. I expected a timeout. I was surprised to see the WebRamp M3 answer the telnet request with a login prompt. Part of the "visible computer" configuration web page is a check-box that determines if outside telnet packets are to be redirected to the M3. This box was not checked. Just to be sure, I sent the unchecked configuration back to the M3. I did this MANY times, just to be sure. There was nothing I could do to stop the M3 from answering telnet requests from outside except to turn "visible computer" back on with a non-existant local IP address as the destination. (Using an active local IP address would mean the local system would get the telnet request, as well as any connections to nfsd or mountd or SMTP...) The customer support[*] at RampNet has continued to tell me that this is simply a configuration error on my part, that I am confused by the check boxes in the web form, and that the web browser is caching pages. "This is not a bug." The customer support[*] person asked me to send her my remote IP address and admin password for the box so she could log into the box and examine my configuration. I tried explaining that dialup IP means I can get a different IP address every time the M3 dials in, that my M3 was not dialed in so there was no IP address for it at the current time, and that sending passwords over the net in the clear wasn't a bright idea. ("Here's the IP address of my computer, and the root password is..."). Finally, the customer support[*] person sent me a series of commands to send to the M3 over the command serial port that would set my configuration properly. I sent the commands, and, of course, the M3 still accepted my remote telnet request and allowed me to log in. WebRamp/RampNet customer support[*] has had sufficient time to respond to the problem, and frankly, I am tired of being told that I am too stupid to configure their hardware properly. This is the same answer I got when I reported that they were counting packets that were being thrown away as valid activity and keeping the dialup connection up longer than it should be. ("Just shut if off when you are done." The fact that they are selling a box that allows automatic, unattended dialup-on-demand must have slipped their minds.) IF YOU ARE USING THIS BOX, you should test it for this problem. All you need to do to see if your M3 has this problem is to try telnetting to it from a system on a remote network. The telnet packets must come to the M3 via the modem; the M3 will always accept telnet connections coming from the local network. If you see the prompt "WebRamp login: " your M3 is letting anyone in the world connect to it. Work down the web admin pages through Advanced/Applications/Visible Computer and make sure you have not checked the "Divert" options, unless you really want your M3 talking to the world (and vice versa.) If you are using this box, and you see this bug, and you have NOT changed the admin password from the default, DO SO IMMEDIATELY. If you aren't using this box now, don't. [*] ROTFL [%] A PowWow user had registered the dialup port IP address, and the PowWow client for a user in Alaska was trying to locate his "buddy" on my system -- several times a minute for hours at a stretch. I've also seen Windows networking name service packets leaking through the terminal server, as well as cracker port scanning attempts.