I believe in the SIP world the advice is always turn off the SIP ALG. But on customer managed routers, the customer is never going to change it from the default, they don't even update the firmware.
-----Original Message-----
From: AF <af-boun...@af.afmug.com> On Behalf Of Adam Moffett
Sent: Monday, November 2, 2020 8:22 AM
To: af@af.afmug.com
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT

It seems to exploit behavior of the application layer gateway. That allows stuff like RTP and FTP which use dynamic ports to operate through NAT. The script tricks the gateway into forwarding an arbitrary port number to the target device. Presumably you then attack a vulnerable service on the target device, or DOS him, or what have you.

He's specifically doing this with a Netgear R7000. It's not clear to me whether it was a Netgear bug, or a bug in the kernel, or with ALG's in general.

On 11/1/2020 10:47 AM, Ken Hohhof wrote:
> I didn't have time to read all the comments (or the brain cells to digest them), but there's a discussion here:
> https://news.ycombinator.com/item?id=24955891
>
> -----Original Message-----
> From: AF <af-boun...@af.afmug.com> On Behalf Of fiber...@mail.com
> Sent: Sunday, November 1, 2020 9:23 AM
> To: af@af.afmug.com
> Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT
>
> The URL points to the security researcher's writeup on the attack and the page contains a link to proof of concept source code on github.
>
>> Sent: Sunday, November 01, 2020
>> From: "Robert" <i...@avantwireless.com>
>> To: af@af.afmug.com
>> Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT
>>
>> Was that site a source of the "evil javascript"?
>>
>> On 11/1/20 5:39 AM, fiber...@mail.com wrote:
>>> Synopsis: NAT Slipstreaming allows an attacker to remotely access any TCP/UDP service bound to a victim machine, bypassing the victim's NAT/firewall (arbitrary firewall pinhole control), just by the victim visiting a website.
>>> https://samy.pl/slipstream/
>>
>> --
>> AF mailing list
>> AF@af.afmug.com
>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
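
The thread's advice to turn off the SIP ALG can be checked on a gateway you do manage. The following is an added example, not code from the thread or from the researcher's writeup: it assumes a Linux-based gateway using netfilter, and the function names and sample inputs are constructed for illustration. The `nf_conntrack_helper` sysctl is only present on some kernel versions, so its absence is reported as unknown rather than guessed.

```python
import re

# Netfilter conntrack/NAT helper modules that implement ALGs for these protocols.
ALG_MODULE = re.compile(r"^nf_(?:conntrack|nat)_(sip|ftp|irc|tftp)$")

def loaded_algs(proc_modules):
    """Return the set of ALG protocols whose helper modules appear in /proc/modules text."""
    protos = set()
    for line in proc_modules.splitlines():
        fields = line.split()
        m = ALG_MODULE.match(fields[0]) if fields else None
        if m:
            protos.add(m.group(1))
    return protos

def explicit_helpers(ruleset):
    """Return helpers attached by explicit '-j CT --helper NAME' rules (iptables-save text)."""
    return set(re.findall(r"-j CT\b[^\n]*--helper (\S+)", ruleset))

def audit(proc_modules, ruleset, auto_assign):
    """Classify each loaded ALG. auto_assign is the content of
    /proc/sys/net/netfilter/nf_conntrack_helper, or None when that file is absent."""
    explicit = explicit_helpers(ruleset)
    report = {}
    for proto in sorted(loaded_algs(proc_modules)):
        if auto_assign is not None and auto_assign.strip() == "1":
            report[proto] = "active on all matching flows"
        elif proto in explicit:
            report[proto] = "active where a CT rule assigns it"
        elif auto_assign is None:
            report[proto] = "loaded, state unknown (no sysctl on this kernel)"
        else:
            report[proto] = "loaded but not assigned"
    return report

# Constructed sample inputs (not captured from any real device).
SAMPLE_MODULES = """\
nf_nat_sip 20480 0 - Live 0x0000000000000000
nf_conntrack_sip 36864 1 nf_nat_sip, Live 0x0000000000000000
nf_conntrack_ftp 24576 0 - Live 0x0000000000000000
nf_conntrack 172032 4 nf_nat_sip,nf_conntrack_sip,nf_conntrack_ftp,nf_nat, Live 0x0000000000000000
"""
SAMPLE_RULES = "*raw\n-A PREROUTING -p tcp -m tcp --dport 21 -j CT --helper ftp\nCOMMIT\n"

if __name__ == "__main__":
    for proto, state in audit(SAMPLE_MODULES, SAMPLE_RULES, "0").items():
        print(f"{proto}: {state}")
```

On a live gateway, pass the contents of `/proc/modules`, the output of `iptables-save`, and the sysctl file's contents in place of the samples.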