New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service

A new study has uncovered a technique that allows an attacker to bypass firewall protection and remotely access any TCP/UDP service on the victim’s machine.

This method is called NAT slipstreaming. This involves sending a destination link to a malicious website (or a legitimate website downloaded via a malicious ad) which, when visited, eventually triggers a gateway to open a victim’s TCP/UDP port, bypassing browser-defined port restrictions.

The results were announced this weekend by Sami Kamkar, a researcher in the field of data protection and security.

According to Kamkar’s analysis, NAT uses the user’s browser in combination with the Application Layer Gateway (ALG) connection tracking mechanism built into NAT, routers and firewalls, via an internal IP extraction chain through temporary attack or WebRTC, automatic remote MTU detection and IP fragmentation, TCP packet size massage, false TURN authentication, accurate control of packet boundaries and protocol confusion due to browser misuse.

The technology is implemented on the NetGear Nighthawk R7000 router with Linux kernel version 2.6.36.4.

Package boundary definition

Network Address Translation (NAT) is the process by which a network device such as a firewall redirects an IP address space to another IP address space by changing the network address information in the IP header of a packet during transmission.

The main benefit is that it reduces the number of public IP addresses used on the organisation’s internal network and increases security by allowing a single public IP address to be used with multiple systems.

NAT slipstreaming works by using TCP and IP packet segmentation to remotely configure packet boundaries and use it to create TCP/UDP packets from SIP methods such as REGISTER or INVITE.

SIP (Session Initiation Protocol) is a communication protocol for initiating, maintaining and terminating real-time multimedia sessions for voice, video and e-mail applications.

In other words, a mix of packet segmentation and SIP research smuggling in HTTP can be used to open NAT ALG random ports for the client’s incoming connections.

To do this, a large HTTP POST request is sent with an ID and a hidden web form pointing to the attacking server where the sniffer packets are executed, which are used to capture MTU size, packet size, TCP size, IP header, and more, and then return the size data to the victim client via a separate POST message.

It also abuses the authentication feature of TURN (Traversal Using Relays around NAT), a protocol used in conjunction with NAT to transfer media from any peer client to any other client on the network to perform packet overflow and IP packet fragmentation.

The idea is, in short, to flood a TCP or UDP packet by filling it (with ^characters) and halving it so that the SIP data packet is at the beginning of the second boundary of the packet.

Connection to TCP/UDP by packet replacement

The next step is to extract the victim’s internal IP address using WebRTC ICE in modern browsers such as Chrome or Firefox or by temporarily attacking common gateways (192.168.*.1, 10.0.0.1 and LANs).

As soon as the customer receives the package size and internal IP address, he creates a special web form that stores the POST data until we think the package is fragmented. At this point, our SIP register is added, which contains the internal IP address, according to Camcar. The form is submitted via Javascript without the consent of the victim.

As soon as the packets reach the attacking server and it is determined that the SIP packet is not overwritten by the public IP address, a message is automatically returned to the client asking it to adjust the packet size to a new limit based on the data previously received from the sniffer.

Armed with the proper packet limit, NAT is fooled into believing that it is a legal SIP record and SIP client on the victim’s machine, eventually forcing NAT to open a port in the original packet sent by the victim.

The router now sends every port selected by the attacker to the internal victim, from simple browsing to the website, Camcar said.

The complete code to validate the NAT slipstreaming concept can be found here.

 

Related Tags:

nat slipstreaming pfsense,nat slipstreaming palo alto,nat slipstreaming ubiquiti,application level gateway,nat slipstream,nat slipstreaming protection,nat slipstreaming fortigate,nat slipstreaming mitigation,nat slipstreaming openwrt