Port-based protection gets pwned
A neat and clever hack has undermined long held assumptions about the network security protections offered by properly configured routers and firewalls.
The technique, dubbed ‘NAT Slipstreaming’, allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing a victim’s network address translation (NAT) or firewall security controls in the process – providing a victim is first tricked into visiting a site under the would-be hacker’s control.
Network address translation remaps an IP address space for traffic passing through a networking device. The technique proved very useful in conserving address space and thereby forestalling IPv4 address exhaustion, but it also has some security benefits that NAT Slipstreaming runs all over.
Caught in the Slipstream
The NAT Slipstream attack – a new packet injection technique that works across all major modern browsers – takes advantage of arbitrary control of the data portion of some TCP and UDP packets without reference to HTTP or other headers, Kamkar explains in a detailed technical blog post:
NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse.
As it’s the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.
Put more simply, NAT Slipstreaming exploits a flaw in how some routers implement ALG that allows NAT to be bypassed.
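To make the "protocol confusion" part concrete from the defender's side, the following is an added example, not code from The Daily Swig or from Kamkar's research. It shows the kind of check a network monitor could run over reassembled client-to-server streams: SIP at the start of a stream on port 5060 is what a VoIP phone legitimately sends, whereas an HTTP request whose body carries a SIP request line on that same port is the pattern an ALG could misparse as real SIP. Port 5060 is the port named in the article; the flow records, IPs and hostnames are constructed sample data, and the `classify_stream`/`find_alg_confusion` helpers are hypothetical names.

```python
import re

# Added example (not from the article or Kamkar's post): flag HTTP-framed
# streams to the SIP ALG port that embed a SIP request line. Port 5060 comes
# from the article; everything else here is a constructed assumption.
SIP_ALG_PORT = 5060

# Request-line shapes for the two protocols. SIP is checked first because
# OPTIONS is a method in both; the trailing "sip:" / "HTTP/1.x" disambiguates.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|POST|PUT|OPTIONS)\s+\S+\s+HTTP/1\.[01]\r?\n")
SIP_REQUEST_LINE = re.compile(
    rb"^(REGISTER|INVITE|OPTIONS|ACK|BYE|CANCEL)\s+sip:\S+\s+SIP/2\.0", re.M
)


def classify_stream(payload: bytes) -> str:
    """Classify a reassembled client->server byte stream.

    'sip'             : begins with a SIP request line (a normal VoIP client)
    'http'            : begins with an HTTP request line, no SIP anywhere inside
    'http-embeds-sip' : begins with HTTP but a SIP request line appears later,
                        i.e. SIP text riding inside an HTTP body
    'other'           : neither protocol at offset 0
    """
    if SIP_REQUEST_LINE.match(payload):          # match() anchors at offset 0
        return "sip"
    if HTTP_REQUEST_LINE.match(payload):
        # re.M lets '^' match at any line start, so search() finds a SIP
        # request line embedded after the HTTP headers.
        return "http-embeds-sip" if SIP_REQUEST_LINE.search(payload) else "http"
    return "other"


def find_alg_confusion(flows):
    """flows: iterable of (src_ip, dst_port, reassembled_payload).

    Returns (src_ip, reason) tuples for streams towards the ALG port that do
    not look like a genuine SIP client. Only the SIP port is examined, since
    that is where an ALG would parse the payload.
    """
    alerts = []
    for src_ip, dst_port, payload in flows:
        if dst_port != SIP_ALG_PORT:
            continue
        kind = classify_stream(payload)
        if kind == "http-embeds-sip":
            alerts.append((src_ip, "HTTP body carries a SIP request on port 5060: possible ALG abuse"))
        elif kind == "http":
            alerts.append((src_ip, "HTTP on SIP port 5060: unusual, review"))
    return alerts


# Constructed sample flows (not real captures).
SAMPLE_FLOWS = [
    # 1. a VoIP phone registering: SIP at offset 0 on the SIP port, benign
    ("10.0.0.21", 5060,
     b"REGISTER sip:pbx.example.test SIP/2.0\r\nVia: SIP/2.0/TCP 10.0.0.21\r\n\r\n"),
    # 2. a browser POST to the SIP port whose body is SIP text naming an internal IP
    ("10.0.0.42", 5060,
     b"POST /upload HTTP/1.1\r\nHost: site.example.test\r\nContent-Length: 40\r\n\r\n"
     b"REGISTER sip:10.0.0.42 SIP/2.0\r\n\r\n"),
    # 3. the same body sent to port 80: no ALG parses it, ordinary web traffic
    ("10.0.0.42", 80,
     b"POST /upload HTTP/1.1\r\nHost: web.example.test\r\n\r\n"
     b"REGISTER sip:10.0.0.42 SIP/2.0\r\n\r\n"),
]

if __name__ == "__main__":
    for src, reason in find_alg_confusion(SAMPLE_FLOWS):
        print(f"{src}: {reason}")
```

The check deliberately runs over the reassembled stream rather than over individual segments: the quoted description mentions TCP packet size massaging and precise packet boundary control, which means a per-segment inspector (an ALG, or a detector built the same way) can be shown a segment that begins exactly at the SIP text. Only a view that starts at the beginning of the connection can see that the stream was opened as HTTP.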
Kamkar told The Daily Swig that fixing the security shortcomings laid bare by his research may be a challenge.
“Routers can disable ALG but this makes them less convenient (VoIP phones stop working). The SIP ALG can be improved, but SIP was just one example, [and] other ALGs expose this,” Kamkar said during an exchange on Twitter.
“Browsers can block port 5060, but I don't think that's the end of it. This area is a bit of whack-a-mole,” he added.
Even the “vulnerabilities” at play are tricky to define and perhaps better described as “security shortcomings”.
Kamkar explained: “Everything is working to spec; it's simply the combination of various protocols and features that can have complex interactions when chained together.”