NAT mode, open ports on virtual router 10.0.2.2 - 513, 514

egravet
Posts: 3
Joined: 23. May 2009, 01:43
Primary OS: Debian Lenny
VBox Version: OSE Debian
Guest OSses: Debian

Post by egravet »

The main question is: Does anybody else see the same ports described below when scanning from the guest OS on their VMs? Is there documentation on ports 513 and 514 which are open on the virtual router located at 10.0.2.2 when using NAT based networking? Is it possible to exploit these ports? In response to posts below, there are no TCP services running on the host.

The NAT virtual router configuration is independent of host and guest operating systems and seems to be coded based on qemu. I have seen these ports in VirtualBox 2.2.2, but am not currently running that version. When using Host Interface Networking or Bridged networking the virtual router is not accessible.

VirtualBox Version: lenny (stable) (misc): x86 virtualization solution - binaries 1.6.6-dfsg-3: i386
Host: Debian Lenny 5.0 i386
Guest: OS Type Linux 2.6, probably will work with any system (livecd) with nmap, telnet, netstat or similar tools.
Guest Network: Adapter 0 PCnet-FAST III (NAT)
Guest Additions: No

Within the guest, as the root/admin (#) or regular user (%), run the commands:

# netstat -nr

View the output; the gateway (virtual router) should be at address 10.0.2.2. Then scan the virtual router for open ports. [truncated output]

# nmap 10.0.2.2
Interesting ports on 10.0.2.2
Not shown: xxxx closed ports
PORT STATE SERVICE
513/tcp open login
514/tcp open shell

Next you can telnet into port 513 or 514. Type ctrl-] when the telnet connection is established.

% telnet 10.0.2.2 513
Trying 10.0.2.2...
Connected to 10.0.2.2.
Escape character is '^]'
telnet>

Trying to telnet to "10.0.2.2 515", or other closed ports results in a "connection refused" message. Telnet is an ancient protocol and I can't get it to do anything interesting, except print help information with '?'. Telnet might behave this way with any open port: anyone an expert in login and shell ports and telnet? In summary it is still possible to send packets into these undocumented ports on the virtual router via a tcp connection because there are connections listed as ESTABLISHED when issuing the command:

# netstat -n

Usually any open port can become a vulnerability. Anyone have further information of how to exploit these ports, or are they sufficiently protected? In closing, thanks for running the forums, and for the VirtualBox product.
Last edited by egravet on 31. May 2009, 14:42, edited 1 time in total.
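Added example, not part of the original post or of VirtualBox: an "open" result from nmap, a telnet "Connected" line and an ESTABLISHED entry in netstat all mean only that the TCP handshake completed, so this Python sketch separates a refused port from one that accepts and stays silent and from one that sends a banner. The names `probe` and `loopback_demo` and the loopback listeners are constructed for illustration.

```python
import socket

def probe(host, port, timeout=2.0, wait=1.0):
    """Return (state, first_bytes) for one TCP connect attempt.

    refused     - peer answered the SYN with RST (what port 515 did above)
    filtered    - no answer within `timeout`
    open-silent - handshake completed, peer sent nothing within `wait`
    open-closed - handshake completed, peer closed without sending data
    open-banner - handshake completed and the peer sent data first
    """
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", b"")
    except socket.timeout:
        return ("filtered", b"")
    except OSError:
        return ("error", b"")
    with sock:
        sock.settimeout(wait)
        try:
            data = sock.recv(256)
        except socket.timeout:
            return ("open-silent", b"")
        except ConnectionResetError:
            return ("open-closed", b"")
        return ("open-banner", data) if data else ("open-closed", b"")

def loopback_demo():
    """Constructed targets on 127.0.0.1: a listener that never speaks and a closed port."""
    silent = socket.socket()
    silent.bind(("127.0.0.1", 0))
    silent.listen(1)              # kernel completes handshakes; nothing ever accept()s
    spare = socket.socket()
    spare.bind(("127.0.0.1", 0))
    closed_port = spare.getsockname()[1]
    spare.close()                 # port is now free, so connects are refused
    try:
        return (probe("127.0.0.1", silent.getsockname()[1], wait=0.3)[0],
                probe("127.0.0.1", closed_port)[0])
    finally:
        silent.close()

if __name__ == "__main__":
    print("loopback check:", loopback_demo())
    for port in (513, 514, 515):  # ports discussed in the thread; run from the guest
        print(port, probe("10.0.2.2", port))
```

Running the same probe on the host against 127.0.0.1 and in the guest against 10.0.2.2 gives a like-for-like comparison of the two views described in the thread.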
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: NAT mode, open ports on virtual router 10.0.2.2 - 513, 514

Post by Sasquatch »

You do realize that connecting to 10.0.2.2 is your Host, and not some virtual thing, right? Ports open for 10.0.2.2 are the same as the ports open on your Host's localhost address (127.0.0.1).
What is it you want to do? What are you asking exactly? If you want to hack some system, we won't help you, it's illegal.
Read the Forum Posting Guide before opening a topic.
VirtualBox FAQ: Check this before asking questions.
Online User Manual: A must read if you want to know what we're talking about.
Howto: Install Linux Guest Additions
Howto: Use Shared Folders on Linux Guest
See the Tutorials and FAQ section at the top of the Forum for more guides.
Try searching the forums first with Google and add the site filter for this forum.
E.g. install guest additions site:forums.virtualbox.org

Retired from this Forum since OSSO introduction.
egravet
Posts: 3
Joined: 23. May 2009, 01:43
Primary OS: Debian Lenny
VBox Version: OSE Debian
Guest OSses: Debian

Re: NAT mode, open ports on virtual router 10.0.2.2 - 513, 514

Post by egravet »

It is quite surprising to nmap the 10.0.2.2 address from inside the guest and find two open ports, especially if running nmap on the host system outside the guest finds no such open ports (127.0.0.1 on host has no open ports). It would be nice for someone to verify if this is the case on their systems.
I assure you, I am not trying to do anything illegal. I'm just trying to do "penetration testing", part of what anybody should do when trying to create a secure system. I just don't want the guest being able to crash the virtualbox software or host system by behaving badly.
Sasquatch
Volunteer
Posts: 17798
Joined: 17. Mar 2008, 13:41
Primary OS: Debian other
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Windows XP, Windows 7, Linux
Location: /dev/random

Re: NAT mode, open ports on virtual router 10.0.2.2 - 513, 514

Post by Sasquatch »

egravet wrote: I just don't want the guest being able to crash the virtualbox software or host system by behaving badly.
That's something that's hard to build. Any misbehaving program can bring down the Host causing a crash.
You have to wait for a response from the devs on this.
Torg
Posts: 1
Joined: 13. Jun 2009, 19:49
Primary OS: Ubuntu 8.04
VBox Version: VirtualBox+Oracle ExtPack
Guest OSses: Linux, Windows

Re: NAT mode, open ports on virtual router 10.0.2.2 - 513, 514

Post by Torg »

I installed a guest version of Ubuntu 8.04.2 with the same results. It reports the host at 10.0.2.2 as having ports 513 and 514 open. Yet the host does not. This seems to be somewhere in the virtual router of vbox.