Port Forwarding Services Are Forwarding Security Risks

Haoyuan Wang1, Yue Xue1, Xuan Feng2, Chao Zhou1, Xianghang Mi1
1University of Science and Technology of China, 2Microsoft Research Asia

Abstract

We conduct the first comprehensive security study on representative port forwarding services (PFS), which have emerged in recent years and make web services deployed in internal networks reachable from the Internet, with better usability and less complexity than traditional techniques (e.g., NAT traversal). Our study is made possible by a set of novel methodologies designed to uncover the technical mechanisms of PFS, experiment with attack scenarios against PFS protocols, automatically discover and snapshot port-forwarded websites (PFWs) at scale, and classify PFWs into well-observed categories. Leveraging these methodologies, we have observed the widespread adoption of PFS, with millions of PFWs distributed across tens of thousands of ISPs worldwide. Furthermore, 32.31% of PFWs have been classified into website categories that serve access to critical data or infrastructure, such as web consoles for industrial control systems, IoT controllers, code repositories, and office automation systems, and 18.57% of PFWs did not enforce any access control for external visitors. Also identified are two types of attacks inherent in the protocols of Oray (one well-adopted PFS provider), and the notable abuse of PFSes by malicious actors in activities such as malware distribution, botnet operation and phishing.

Port Forwarding Services

Port Forwarding Services (PFS) are designed as an out-of-the-box service that helps ordinary users carry out port forwarding tasks without having to configure NAT traversal techniques. In a PFS deployment, a PFS agent is placed inside the same private network as the internal network services to be exposed, and is instructed to proactively establish one or more persistent tunnels to a PFS server. Once the port forwarding tunnels are established, traffic arriving at the PFS server is redirected to the PFS agent and then forwarded to the internal network services.

PFS scenario

Representative PFS Protocols

Ngrok Protocol


Once the Ngrok agent program is started, it connects to the Ngrok server (tunnel.ngrok.com) through a single persistent HTTPS connection, which serves both as the data plane relaying traffic to and from the internal web service, and as the control plane carrying control data (e.g., the authorization token) between the agent and the Ngrok server. When multiple PFWs are forwarded by the same Ngrok agent, they share the same HTTPS tunnel connection. Once the tunnel is set up, an HTTP request arriving at the agent is forwarded to the internal web server over a plaintext HTTP connection.

Oray Protocol


Oray implements a more complicated interaction process in order to support more flexible functionality, such as dynamically updating the port forwarding rules without stopping and restarting the Oray agent.

The Oray agent first queries the Oray control server (hsk-embed.oray.com) over an HTTPS connection and extracts a set of configurations, including which local service to forward traffic to and which Oray data server to connect to for the tunnel connection, among others. Based on these configurations, the agent sets up a long-lived TCP connection with the specified Oray data server as the data tunnel, relaying HTTP traffic between the internal web service and the external visitor.

Oray also provides a web console for its customers to update the tunneling configurations, e.g., change which local service to forward the traffic to without interrupting the tunnel. To achieve this, the agent sets up another long-lived TCP connection with another Oray control server and uses it as the control plane for the server to push configuration updates back to the agent.

Port-Forwarded Website

To get a deep understanding of the PFS ecosystem, it is critical to know which websites have been tunnelled by PFS, especially since port forwarding a website is the most common use case of port forwarding services. We refer to such websites as port-forwarded websites (PFWs).

We design a PFW collector that automatically discovers PFW domain names by querying passive DNS and snapshots the discovered PFWs in an efficient, distributed manner. To understand what kinds of websites have been exposed as PFWs, a PFW classifier tailored to PFW categories is built, achieving a micro-averaged accuracy, recall, and precision of 95%.

Leveraging these methodologies, we have observed the widespread adoption of PFS, with millions of PFWs distributed across tens of thousands of ISPs worldwide. In terms of categories, 32.31% of PFWs have been classified into website categories that serve access to critical data or infrastructure, such as web consoles for industrial control systems, IoT controllers, code repositories, and office automation systems. The table below gives the detailed distribution of PFWs across their categories.

Category                            Oray     Ngrok    Both
Industrial Control System (ICS)     1.87%    1.25%    1.83%
IoT Controller and Devices (IoT)    0.98%    3.47%    1.11%
Network Devices                     3.54%    2.38%    3.48%
Remote Desktop                      1.24%    0.02%    1.18%
Office Automation (OA)              15.04%   5.42%    14.56%
Data Store                          2.35%    4.69%    2.46%
Code Repository                     0.62%    4.00%    0.79%
Network-Attached Storage (NAS)      0.93%    1.15%    0.94%
Webserver Default Page              5.83%    8.38%    5.96%
Blank Page                          68.37%   13.70%   65.61%
Others                              15.07%   64.85%   17.57%

We also manually studied cases from these categories, with a focus on identifying their subcategories and understanding their access control mechanisms. Overall, we found that 18.57% of PFWs did not enforce any access control for external visitors, which can lead to severe security risks.

Threat Intelligence Analysis

In order to provide a comprehensive analysis of the extent to which port forwarding services have been abused in various malicious activities, we leverage VirusTotal to analyze the threat intelligence of PFW domains and server IPs.

As a result, we can conclude with high confidence that port forwarding services are being abused to a concerning extent and in various malicious activities, particularly tunneling communications for RAT programs, malware distribution, and phishing & fraud. Here are some details.

Threat stats of PFW domains as learned from VirusTotal

PFS     Queried   Analyzed   Ratio of malicious PFW domains
                             ≥ 1       ≥ 5       ≥ 10
Ngrok   1.84M     30K        2.31%     1.23%     0.45%
Oray    1.51M     25K        1.14%     0.12%     0.04%
Both    3.34M     55K        1.78%     0.73%     0.26%

Threat stats of PFW server IPs as learned from VirusTotal

PFS     Queried   Analyzed   Ratio of malicious PFW IPs
                             ≥ 1       ≥ 5       ≥ 10
Ngrok   189       142        76.06%    69.01%    55.63%
Oray    28K       28K        2.88%     0.51%     0.02%
Both    28K       28K        3.25%     0.86%     0.30%

Vulnerabilities

We have identified a set of protocol vulnerabilities in Oray's PFS implementation, which incur non-negligible security risks to both PFWs and the local networks on which PFWs are hosted. The identified security vulnerabilities have been responsibly disclosed to Oray with acknowledgments received.

Against the data plane communication   The tunnel between the Oray data server and the Oray agent uses a customized application protocol over TCP, namely HTTP with a message authentication code (MAC) attached. However, the MAC can be computed without knowing any secret, since the verification only checks the length of the payload. This allows any intermediate hop between the Oray agent and the Oray server to perform a man-in-the-middle attack on the tunnelled traffic.
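To make the data-plane finding concrete, here is an added toy model (not Oray's actual wire format, and not code from the paper) of a tunnel frame carrying a tag followed by an HTTP payload. It contrasts a tag derived only from the payload length with a keyed HMAC-SHA256 tag, and checks which verifier notices when the payload is swapped for a same-length payload after the tag was computed; the key and both payloads are constructed sample values.

```python
import hashlib
import hmac
from typing import Optional

# Constructed toy frame layout: <tag> || <HTTP payload>. This is NOT Oray's
# real protocol; it only shows why a tag computed from public data (the
# payload length) cannot authenticate the payload, while a keyed MAC can.
KEY = bytes(range(32))  # constructed demo key shared by agent and server
ORIGINAL = b"GET /index.html HTTP/1.1\r\nHost: app.internal\r\n\r\n"
TAMPERED = b"GET /admin.html HTTP/1.1\r\nHost: app.internal\r\n\r\n"  # same length

def length_tag(payload: bytes) -> bytes:
    """Weak tag: depends only on the payload length, no secret involved."""
    return len(payload).to_bytes(4, "big")

def verify_length_frame(data: bytes) -> Optional[bytes]:
    """Accept the frame if the 4-byte tag matches the payload length."""
    tag, payload = data[:4], data[4:]
    return payload if tag == length_tag(payload) else None

def hmac_tag(key: bytes, payload: bytes) -> bytes:
    """Hardened tag: HMAC-SHA256 over the payload under a shared secret."""
    return hmac.new(key, payload, hashlib.sha256).digest()

def verify_hmac_frame(key: bytes, data: bytes) -> Optional[bytes]:
    """Accept the frame only if the 32-byte tag verifies under the key;
    compare_digest keeps the comparison constant-time."""
    tag, payload = data[:32], data[32:]
    if hmac.compare_digest(tag, hmac_tag(key, payload)):
        return payload
    return None

def demo() -> dict:
    """Run both verifiers on an untouched frame and on a frame whose payload
    was replaced by a same-length payload after the tag was computed."""
    weak_frame = length_tag(ORIGINAL) + ORIGINAL
    strong_frame = hmac_tag(KEY, ORIGINAL) + ORIGINAL
    return {
        "weak_accepts_original": verify_length_frame(weak_frame) == ORIGINAL,
        "weak_accepts_tampered": verify_length_frame(weak_frame[:4] + TAMPERED) == TAMPERED,
        "hmac_accepts_original": verify_hmac_frame(KEY, strong_frame) == ORIGINAL,
        "hmac_accepts_tampered": verify_hmac_frame(KEY, strong_frame[:32] + TAMPERED) == TAMPERED,
    }

if __name__ == "__main__":
    print(demo())
```

The length-based verifier accepts both frames, whereas the HMAC verifier rejects the modified one; in a real deployment the key must be provisioned per agent and the tag should also cover any framing metadata, not just the payload.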

Against the control plane communication   When port forwarding rules are initially pulled from the control server, HTTPS is adopted. However, we have found that the Oray agent fails to perform proper server certificate verification, and an MITM attacker can successfully intercept this HTTPS connection and modify all the port forwarding rules that are passed from the control server to the agent. This allows an attacker to use the PFS agent program as a stepping stone to expose internal infrastructure co-located with a PFW.
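The control-plane finding comes down to the agent's HTTPS client not verifying the server certificate. As an added illustration (not Oray's code), the block below builds a client TLS context with verification disabled next to a hardened one, and provides a small audit function that reports the settings which would let an on-path attacker impersonate the control server; the function and its wording are this example's own.

```python
import ssl
from typing import List, Optional

def insecure_client_context() -> ssl.SSLContext:
    """Constructed: a context that accepts any certificate for any name,
    the kind of misconfiguration the control-plane finding describes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False        # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE
    return ctx

def hardened_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Require a chain to a trusted CA, match the server name, and refuse
    TLS < 1.2. Pass cafile to trust only the provider's CA instead of the
    system store."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def audit_context(ctx: ssl.SSLContext) -> List[str]:
    """Return findings for settings that allow server impersonation;
    an empty list means the peer certificate is actually verified."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("verify_mode != CERT_REQUIRED: any certificate accepted")
    if not ctx.check_hostname:
        findings.append("check_hostname off: certificate not bound to server name")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("minimum_version below TLS 1.2")
    return findings

if __name__ == "__main__":
    print("insecure:", audit_context(insecure_client_context()))
    print("hardened:", audit_context(hardened_client_context()))
```

The hardened context is what an agent should pass to its HTTPS client (for example as the `context` argument of `urllib.request.urlopen`) when it pulls the forwarding rules.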

BibTeX

@article{wang2024port,
      title={Port Forwarding Services Are Forwarding Security Risks},
      author={Haoyuan Wang and Yue Xue and Xuan Feng and Chao Zhou and Xianghang Mi},
      year={2024},
      eprint={2403.16060},
      archivePrefix={arXiv},
      primaryClass={cs.CR}
}