![[LWN Logo]](/images/lwn.banner.gif)
Date: Thu, 21 Jan 1999 01:18:50 -0800
From: John Stanley <stanley@PEAK.ORG>
Subject: WebRamp M3 remote network access bug
To: BUGTRAQ@NETSPACE.ORG
I have not seen this problem mentioned on this list. I defer to the
moderator's memory and hope this is valuable information...
The WebRamp M3 is a small SOHO router with 4 10baseT ports on the local
side and three serial ports on the remote side. It acts as the net gateway
and makes dial-up PPP connections automatically when necessary. It also
has NAT functions, so you can use a non-routable local network address and
still communicate worldwide. It monitors the load through the first modem
and will make a second dialup connection if the load is higher than a
configurable value. It will make a third connection if the first two are
reaching capacity. It will not split one connection across two modems,
however, so when you ftp the latest source from somewhere, you are stuck
with single-modem speeds.
You can define what they call a "visible computer", which is simply a
default local IP address to which the M3 will pass all otherwise unknown
packets from the outside. Unless you configure the M3 otherwise, smtp,
nfsd, routed, etc connections from the outside go to the visible computer.
You can also disable visible computer.
The M3 has a rather cryptic command language that can be accessed via a
command serial port or via a telnet connection. It also has a web-based
admin capability.
All in all, it is a rather nice little box, EXCEPT...
I had a visible computer enabled so I could track where outside packets
were coming from. I started doing this because the M3 has a problem
determining activity. It is supposed to time out after a set time if there
is no activity, but it counts the reception of any packet from the outside
as activity, even if the packet is never sent to the local side of the
net. I wanted to see where the activity was coming from[%].
Then I turned "visible computer" off. To test that it was really off, I
tried telnetting into my network from outside. I expected a timeout. I was
surprised to see the WebRamp M3 answer the telnet request with a login
prompt.
Part of the "visible computer" configuration web page is a check-box that
determines if outside telnet packets are to be redirected to the M3. This
box was not checked. Just to be sure, I sent the unchecked configuration
back to the M3. I did this MANY times, just to be sure.
There was nothing I could do to stop the M3 from answering telnet requests
from outside except to turn "visible computer" back on with a non-existant
local IP address as the destination. (Using an active local IP address
would mean the local system would get the telnet request, as well as any
connections to nfsd or mountd or SMTP...)
The customer support[*] at RampNet has continued to tell me that this is
simply a configuration error on my part, that I am confused by the check
boxes in the web form, and that the web browser is caching pages. "This is
not a bug." The customer support[*] person asked me to send her my remote
IP address and admin password for the box so she could log into the box
and examine my configuration. I tried explaining that dialup IP means I
can get a different IP address every time the M3 dials in, that my M3 was
not dialed in so there was no IP address for it at the current time, and
that sending passwords over the net in the clear wasn't a bright idea.
("Here's the IP address of my computer, and the root password is...").
Finally, the customer support[*] person sent me a series of commands to
send to the M3 over the command serial port that would set my
configuration properly. I sent the commands, and, of course, the M3 still
accepted my remote telnet request and allowed me to log in.
WebRamp/RampNet customer support[*] has had sufficient time to respond to
the problem, and frankly, I am tired of being told that I am too stupid to
configure their hardware properly. This is the same answer I got when I
reported that they were counting packets that were being thrown away as
valid activity and keeping the dialup connection up longer than it should
be. ("Just shut if off when you are done." The fact that they are selling
a box that allows automatic, unattended dialup-on-demand must have slipped
their minds.)
IF YOU ARE USING THIS BOX, you should test it for this problem. All you
need to do to see if your M3 has this problem is to try telnetting to it
from a system on a remote network. The telnet packets must come to the M3
via the modem; the M3 will always accept telnet connections coming from
the local network. If you see the prompt "WebRamp login: " your M3
is letting anyone in the world connect to it. Work down the web admin
pages through Advanced/Applications/Visible Computer and make sure you
have not checked the "Divert" options, unless you really want your M3
talking to the world (and vice versa.)
If you are using this box, and you see this bug, and you have NOT changed
the admin password from the default, DO SO IMMEDIATELY.
If you aren't using this box now, don't.
[*] ROTFL
[%] A PowWow user had registered the dialup port IP address, and the
PowWow client for a user in Alaska was trying to locate his "buddy" on my
system -- several times a minute for hours at a stretch. I've also seen
Windows networking name service packets leaking through the terminal
server, as well as cracker port scanning attempts.