With WAN-IP=LOCAL Firefox asks for router's user/password

Discussions about the Application Boundaries Enforcer (ABE) module
bomm
Posts: 4
Joined: Sun Aug 16, 2015 8:23 am
Location: Germany

With WAN-IP=LOCAL Firefox asks for router's user/password

Post by bomm » Sun Aug 16, 2015 8:27 am

Hello,

I think, NoScript tries to access my router triggering an authentication popup.

Longer explanation:

I recently installed NoScript while I was connected a hotel's WLAN and did not see anything suspicious.
At home I noticed that Firefox opened an authentication popup on startup asking for username and pasword for an IP address, which I later found out is my WAN address.
To track it down I first closed all tabs, then disabled add-ons one by one and restarted firefox. I found out that the popup does not appear when I disable the NoScript add-on or when I uncheck WLAN-IP=LOCAL in its settings.

My router is a LEAF Bering uClibc 3.1 which uses HTTP authentication for its webconf interface. Commercial routers usually have a login form, so an HTTP connection will not make Firefox ask for authentication.

I know that NoScript has to use an external server to find out the WAN-IP, but I don't think it needs to contact my router.

Can you confirm that NoScript sends an HTTP request to the router?
If yes, why?

Bodo
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by barbaz » Sun Aug 16, 2015 2:08 pm

Yes, it *does* send an HTTP request to your WAN IP, it's fingerprinting the device on your WAN IP so that it can help protect it better. I don't know the details of why or what exactly information it's looking for.
(see also viewtopic.php?f=7&t=19435 )

Given that a connection to your WAN IP is normal for NoScript, is it expected that with your networking setup it would ask for a password? Image
*Always* check the changelogs BEFORE updating that important software!
-

bomm
Posts: 4
Joined: Sun Aug 16, 2015 8:23 am
Location: Germany

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by bomm » Sun Aug 16, 2015 5:57 pm

barbaz wrote:(see also viewtopic.php?f=7&t=19435 )

This leads me to https://hackademix.net/2010/07/28/abe-p ... r-routers/
According to this page it is expected to do the fingerprinting every 5 minutes. And I may be able to disable the fingerprinting by sending a specific header "X-ABE-Fingerprint: Off", but I don't have time to fiddle with the webserver on my router. So I will probably disable WAN-IP=LOCAL for now. I will harden the firewall rules on my router later.

barbaz wrote:Given that a connection to your WAN IP is normal for NoScript, is it expected that with your networking setup it would ask for a password?

My router is a PCEngines ALIX board running LEAF Bering uClibc 3.1 (Linux Embedded Appliance Framework) http://leaf.sourceforge.net/bering-uclibc/
When I manually connect to the Webconf interface, it will ask for username and password. So it's doing the same when NoScript tries to connect.

Obviously NoScript uses the same mechanism as if I entered the same address manually into the address field. This lets Firefox request favicon and handle the authentication.

With Wireshark I can see this communication:

Code: Select all

> GET /favicon.ico HTTP/1.1
< HTTP/1.1 404 Not Found

> GET /favicon.ico HTTP/1.1
< HTTP/1.1 404 Not Found

> GET / HTTP/1.1
< HTTP/1.1 401 Unauthorized
...
< WWW-Authenticate: Basic realm="."

This obviously makes firefox show the normal authentication popup as if I manually connect to the same URL.
The requests for favicon.ico seem to originate from Firefox internally, the request for / originate from ABE.

TCP streams recorded with Wireshark:

Code: Select all

GET /favicon.ico HTTP/1.1
Host: 79.222.108.xxx
User-Agent: Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
DNT: 1
Cookie: UI=basic
Connection: keep-alive

HTTP/1.1 404 Not Found
Server: mini_httpd/1.19 19dec2003
Date: Sun, 16 Aug 2015 17:09:42 GMT
Cache-Control: no-cache,no-store
Content-Type: text/html; charset=%s
Cache-Control: max-age=0
Expires: Sun, 16 Aug 2015 17:09:42 GMT
Connection: close

<HTML>
<HEAD><TITLE>404 Not Found</TITLE></HEAD>
<BODY>
<H4>404 Not Found</H4>
File not found.
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.19 19dec2003</A></ADDRESS>
</BODY>
</HTML>


GET / HTTP/1.1
Host: 79.222.108.xxx
User-Agent: Mozilla/5.0 (ABE, https://noscript.net/abe/wan)
Cookie: UI=basic
Connection: keep-alive
Pragma: no-cache
Cache-Control: no-cache

HTTP/1.1 401 Unauthorized
Server: mini_httpd/1.19 19dec2003
Date: Sun, 16 Aug 2015 17:09:44 GMT
Cache-Control: no-cache,no-store
WWW-Authenticate: Basic realm="."
Content-Type: text/html; charset=%s
Cache-Control: max-age=0
Expires: Sun, 16 Aug 2015 17:09:44 GMT
Connection: close

<HTML>
<HEAD><TITLE>401 Unauthorized</TITLE></HEAD>
<BODY>
<H4>401 Unauthorized</H4>
Authorization required.
<HR>
<ADDRESS><A HREF="http://www.acme.com/software/mini_httpd/">mini_httpd/1.19 19dec2003</A></ADDRESS>
</BODY>
</HTML>


Bodo
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by barbaz » Sun Aug 16, 2015 7:05 pm

You could also turn off the WAN IP LOCAL feature & enter the displayed WAN IP in the SYSTEM rule manually?
So it'd look like this

Code: Select all

Site LOCAL [your-wan-ip]
Accept from LOCAL [your-wan-ip]
Deny


This way it won't fingerprint your device but you'll still protecting your WAN IP.
It's probably fine as a stopgap measure for until you can get to sending the X-ABE-Fingerprint header (I'm not sure the difference actually, but obviously there is a fairly major one).
*Always* check the changelogs BEFORE updating that important software!
-

bomm
Posts: 4
Joined: Sun Aug 16, 2015 8:23 am
Location: Germany

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by bomm » Sun Aug 16, 2015 8:07 pm

Thanks for your help.

barbaz wrote:You could also turn off the WAN IP LOCAL feature & enter the displayed WAN IP in the SYSTEM rule manually?

It would work, but I have a dynamic IP address, so it's not a good idea to manage the rules manually.
If I understood the explanation about this fingerprinting correct, it is done to check if the WAN IP address changed without placing too much load on the server used to find out the IP address.

barbaz wrote:It's probably fine as a stopgap measure for until you can get to sending the X-ABE-Fingerprint header (I'm not sure the difference actually, but obviously there is a fairly major one).

When I turn off fingerprinting it is no longer possible to use it for detecting IP address changes. Either ABE can no longer detect changes or it would have to contact some server. (Don't know how it's implemented.)

The best solution would be if the router itself could block packets for the WAN IP on the local interface. It is better if the router can protect itself than to expect every browser in the local net to protect the router. LEAF Bering uses Shorewall and I can fully control all firewall rules. So all I have to do is to read the docs...

I guess I don't have to hurry. My router is fairly uncommon, so the risk of attacks is relatively low.
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by barbaz » Sun Aug 16, 2015 9:52 pm

bomm wrote:Thanks for your help.

You're welcome.

bomm wrote:I have a dynamic IP address, so it's not a good idea to manage the rules manually.

Well how dynamic is dynamic? Meaning, how often does it change?
Some ISPs give out "dynamic" IPs that stick for a long time (can be several months) even through completely powering off the device (although not if the device is powered off for too long)...

bomm wrote:The best solution would be if the router itself could block packets for the WAN IP on the local interface.

I think the ABE rule would do more than that, as ABE blocks by address not just by interface... so with only measures working by interface, I would have to wonder if there is even theoretical possibility for sites to use your web browser to trick your router into sending requests from its public interface back to its public interface. Firewalling by address doesn't have any such limitation.
You might see if your router has a placeholder in its firewall for its own WAN IP.

Basically, what I'm trying say is if there is a way of having your router filter by WAN IP / address instead of by interface, I would think it's a more robust solution than protecting by interface.

bomm wrote:My router is fairly uncommon, so the risk of attacks is relatively low.

That is not a valid line of reasoning. Being "different" (in and of itself) is always orthogonal to security.
If the risk of attacks is relatively low on your router vs. others, that wouldn't be the reason why. (I would think the reason to be - at some level - along the lines of you being a competent sysadmin.)
Last edited by barbaz on Mon Aug 17, 2015 1:54 am, edited 1 time in total.
Reason: clarify statements that were so vague as to be interpretable as bad advice
*Always* check the changelogs BEFORE updating that important software!
-

User avatar
Thrawn
Senior Member
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia
Contact:

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by Thrawn » Mon Aug 17, 2015 12:59 am

barbaz wrote:
bomm wrote:The best solution would be if the router itself could block packets for the WAN IP on the local interface.

I think the ABE rule would do more than that, as ABE blocks by address not just by interface... so with only the router measure, I would have to wonder if there is even theoretical possibility for sites to use your web browser to trick your router into sending requests from its public interface back to its public interface. Firewalling by address doesn't have any such limitation.

No, I think bomm is correct, the best solution is for the router to properly isolate its public and private addresses. If it does that, then the WAN address check shouldn't be needed.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:40.0) Gecko/20100101 Firefox/40.0

barbaz
Senior Member
Posts: 9282
Joined: Sat Aug 03, 2013 5:45 pm

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by barbaz » Mon Aug 17, 2015 1:48 am

My point was that I think firewalling by address is probably better than firewalling by router interface - *not* that ABE is a good replacement for a router firewall :o
sorry for being unclear (I'll fix it above)
*Always* check the changelogs BEFORE updating that important software!
-

bomm
Posts: 4
Joined: Sun Aug 16, 2015 8:23 am
Location: Germany

Re: With WAN-IP=LOCAL Firefox asks for router's user/passwor

Post by bomm » Mon Aug 17, 2015 6:02 am

barbaz wrote:
bomm wrote:The best solution would be if the router itself could block packets for the WAN IP on the local interface.

I think the ABE rule would do more than that, as ABE blocks by address not just by interface... so with only measures working by interface, I would have to wonder if there is even theoretical possibility for sites to use your web browser to trick your router into sending requests from its public interface back to its public interface. Firewalling by address doesn't have any such limitation.
You might see if your router has a placeholder in its firewall for its own WAN IP.

Basically, what I'm trying say is if there is a way of having your router filter by WAN IP / address instead of by interface, I would think it's a more robust solution than protecting by interface.

I have to check what is possible. For the webconf interface (and other connections I expect only from the local net) it would be sufficient to block the WAN IP address. But there are connections expected from the outside. I will try to implement a combination of interface and address.

barbaz wrote:
bomm wrote:My router is fairly uncommon, so the risk of attacks is relatively low.

That is not a valid line of reasoning.(I would think the reason to be - at some level - along the lines of you being a competent sysadmin.)

You may be right.
I didn't want to say I don't need to protect my router because it is uncommon. But I think about what is necessary to use this type of attack against my router: The attacker must implement code to interact with the webinterface of my router and he must place this code on some website and trick someone in my local net to access this site.
I don't know what details the attacker can find out about my router from the outside. Probably he can see that it's a Linux system unsing an nmap scan. He can find two SSH servers, maybe he can see one dropbear and one other. I'm not sure if he can see other useful information.
If the attacker can already run scripts in my local net, he will first see the HTTP authentication and my router tells him that it's running mini_httpd. That doesn't really tell the attacker how the web interface works, so he can try some password cracking...

When I was the attacker and if I want to attack any system, not specifically my systems, I would probably write malicious scripting code for common routers not for exotic ones. That's why I think the risk for this specific type of attack is low compared to very common router types, e.g. AVM Fritzbox or the devices from the big providers.
Of cource that doesn't mean my router is not a target of attacks in general. I have already seen someone trying to login using SSH.
And if the attacker has a reason to access my system instead of any system, things will be different.

Bodo
Mozilla/5.0 (Windows NT 6.1; rv:40.0) Gecko/20100101 Firefox/40.0

Post Reply