Coffeehouse Thread


Software using localhost as a proxy - security concerns?

  • GoddersUK

    I recently installed an update to a piece of software that puts all browsing through a proxy running on 127.0.0.1 (port 8777) (there IS good reason for this and it's more effective than how the previous version of the software worked). Since I'm not an expert in such matters I'm slightly concerned that this could also be open and internet facing - opening my computer to security threats from anyone who knows/guesses my IP address. Is this the case?

    Will keeping it blocked on Windows Firewall eliminate any potential risk (so far as I can tell it still functions as intended when blocked)?

  • DaveWill2

    56 minutes ago, GoddersUK wrote

    *snip*

    I'm slightly concerned that this could also be open and internet facing

    *snip*

    By "this" do you mean 127.0.0.1 (port 8777) or the proxy's internet facing side?

    The loopback range 127.0.0.0/8 is supposed to be dropped if any of those packets should get on the network. Those packets are not supposed to be on the network.

    The proxy's internet facing side ... if the proxy were keeping listening ports open you could check it out by doing a netstat -ano and seeing what ports are listening, cull out the known ones, and investigate the unknown ones.

  • cheong

    Listeners binding to loopback listen only on loopback and nowhere else. People outside can't connect to it even if your firewall is off.

  • AndyC

    @GoddersUK: If it's only ever listening on the loopback address, it's not even an issue to begin with. The network stack will ignore packets claiming to be destined for 127.0.0.1 that come from a remote machine long before any application sees them.

    If it's listening on all addresses but you use WF to block communication from outside, without it breaking, then again you're safe (although the software probably shouldn't have done that in the first place) and I'd carry on using it in that config.

  • evildictaitor

    It depends how they opened the socket.

    For example, in C# you can get either behaviour:

    using System.Net;
    using System.Net.Sockets;

    TcpListener listener;
    int port = 8777; // the proxy port from the original post

    // This form is loopback only and not visible from outside of your machine:
    listener = new TcpListener(new IPEndPoint(IPAddress.Loopback, port));

    // This form exposes the port on every interface, not just loopback:
    listener = new TcpListener(new IPEndPoint(IPAddress.Any, port));

    Assuming you're running Windows Firewall, you'll get a prompt with the latter to ask you if you want to add an exception to punch a hole through the firewall. If your program gave you a Windows Firewall prompt, then you might want to make a feature request to the product team to allow you to disable it.

    If you didn't see a prompt, you're probably safe.

  • GoddersUK

    Thanks for the info guys. This is what I'm seeing:

    Generic Forum Image

    I have no idea what the software is actually listening to (i.e. if it's listening for all attempted connections or only those arising from this computer).

    @evildictaitor: I did get a Windows Firewall prompt. So this implies it's listening for incoming connections? (There's no reason that I can see for it to need incoming external connections and it appears to function perfectly when incoming connections are blocked on Windows Firewall).

    I need to post on their support forums for an unrelated issue so I'll raise this with them then too.

  • GoddersUK

    DaveWill2 wrote

    *snip*

    By "this" do you mean 127.0.0.1 (port 8777) or the proxy's internet facing side?

    I mean I'm concerned the proxy that the software has installed on my machine could be accessible from other machines.

  • Sven Groot

    Run "netstat -a". If there's something listening on port 8777 on anything other than the loopback address, then you could have a problem. Of course, if you use a firewall, it still shouldn't be an issue.
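
The check Sven Groot and DaveWill2 describe (look at `netstat` output and see whether anything on port 8777 is listening on an address other than loopback) can be automated. The following is an added example, not code from any poster in this thread. It parses the column layout of Windows `netstat -ano` output, classifies each listener as loopback-only, bound to every interface, or bound to one specific interface, and goes a little beyond the thread by also handling IPv6 listeners (`[::1]`, `[::]`) and UDP rows. The sample output embedded below is constructed for the example; the PIDs and addresses are not from a real machine.

```python
import ipaddress
import re

# Constructed sample of Windows `netstat -ano` output (not a real capture).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1040
  TCP    0.0.0.0:8777           0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:8777         0.0.0.0:0              LISTENING       5120
  TCP    127.0.0.1:8777         127.0.0.1:52311        ESTABLISHED     5120
  TCP    192.168.1.23:139       0.0.0.0:0              LISTENING       4
  TCP    [::]:8777              [::]:0                 LISTENING       5120
  TCP    [::1]:8777             [::]:0                 LISTENING       5120
  UDP    0.0.0.0:5353           *:*                                    2212
"""


def split_endpoint(endpoint):
    """Split 'host:port' or '[v6addr]:port' into (ip_address, port).

    Returns None for wildcard endpoints such as '*:*'.
    """
    m = (re.fullmatch(r"\[(.+)\]:(\d+)", endpoint)
         or re.fullmatch(r"([^:]+):(\d+)", endpoint))
    if not m:
        return None
    return ipaddress.ip_address(m.group(1)), int(m.group(2))


def exposure(ip):
    """Describe who can reach a socket bound to this local address."""
    if ip.is_loopback:          # 127.0.0.0/8 or ::1 -> same host only
        return "loopback-only"
    if ip.is_unspecified:       # 0.0.0.0 or :: -> every interface
        return "all-interfaces"
    return "one-interface"      # a specific LAN/WAN address


def listening_sockets(netstat_text):
    """Yield (proto, ip, port, exposure, pid) for every listener in the output."""
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] not in ("TCP", "UDP"):
            continue                      # header lines, blank lines
        proto, local = fields[0], fields[1]
        # UDP rows have no State column; TCP rows must say LISTENING.
        is_listener = proto == "UDP" or (len(fields) >= 5 and fields[3] == "LISTENING")
        if not is_listener:
            continue
        parsed = split_endpoint(local)
        if parsed is None:
            continue
        ip, port = parsed
        yield proto, ip, port, exposure(ip), fields[-1]


def check_port(netstat_text, port):
    """Return listeners on `port` that are reachable from other machines.

    Each entry is (proto, address, exposure, pid). An empty list means every
    listener on that port is bound to loopback, which is the safe case
    discussed in the thread.
    """
    return [(proto, str(ip), how, pid)
            for proto, ip, p, how, pid in listening_sockets(netstat_text)
            if p == port and how != "loopback-only"]


if __name__ == "__main__":
    for entry in check_port(SAMPLE_NETSTAT, 8777):
        print("exposed:", entry)
```

On a real machine you would pipe the actual command output into `check_port` (for example by reading `netstat -ano` from `subprocess`). Note that a socket bound to `0.0.0.0` or `::` is still only reachable if the host firewall allows the port, which is why the thread's conclusion that a blocked Windows Firewall rule removes the risk still holds; the parser just tells you whether the rule is doing any work.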

  • evildictaitor

    And bear in mind that normally you won't be directly connected to the Internet - your router will normally have a firewall too (that's why you can't normally run an Internet-accessible webserver from your laptop).

  • GoddersUK

    @Sven Groot: I see nothing (although it is already blocked by my firewall) so I won't worry too much

    @evildictaitor: ATM I'm connected to a large university hall of residence network so it's always a good idea to be suspicious. You can't trust who or what you're connecting to - a while back they had a problem with malware on connected computers pretending to be the DHCP server and infecting unpatched machines. Similarly when I connect to the main university network (since I'm not normally in halls).

    Anyway I think I'm safe atm. Thanks guys!


  • evildictaitor

    You can't trust who or what you're connecting to - a while back they had a problem with malware on connected computers pretending to be the DHCP server and infecting unpatched machines.

    If you're on a university campus you'll have a big external firewall because the university will be sitting behind a big NAT, so you're probably good.

    If you're in the csci department at your university, you might want to check (via Wireshark) that all of the machines are link-local isolated. Unfortunately there are design bugs in the TCP/IP stack that mean that computers that are situated next to you can do nasty things to your machine (e.g. ARP poisoning and DHCP poisoning (which can lead to DNS poisoning as well as network boot), as well as sending your network card network-on/network-off packets if they're enabled).

    The canonical solution for this is to have all of the machines on the network living in their own subnet, preventing different machines on the network from DHCPing or ARPing each other. If you do that, you only have to trust that the routers aren't compromised; you don't have to care about the machines that are connected.

  • AndyC

    evildictaitor wrote

    *snip*

    If you're on a university campus you'll have a big external firewall because the university will be sitting behind a big NAT, so you're probably good.

    A lot of University networks won't actually be behind a NAT at all, because they were the ones who got the initial set of Class B networks, so often they're actually handing out publicly addressable IP ranges internally (they really should be, and probably are, firewalled these days, however).

    That said, it's probably unlikely in most cases that there is much in the way of internal segregation between student residences, so it's definitely worth making sure your machine is treating the university network more like a public network than a private one.
