I read a little deeper just now. I was wondering how he avoided having
the browser toss errors or ask permission to run the javascript, or what
not. Apparently the javascript figures out the MTU and maximum segment
size, then sends an HTTP post with data large enough to be fragmented.
The data portion is crafted so that the second fragment starts with
something that looks like a SIP REGISTER. The Netgear is parsing the
beginnings of packets and watching for things that look like SIP
messages, and apparently this process is simple enough to mistake this
artificial SIP REGISTER in the beginning of a packet fragment for the
real thing.
Since the attacker controls the web server, he can respond back from
port 5060 as if he really received a SIP REGISTER. In the SIP REGISTER
if he has "Contact: <sip:samy@192.168.0.109:1234;transport=TCP>" then he
responds back using dst port 1234 and now that port is open to the victim.
The Javascript never opens a real connection; it does an HTTP
POST, which it's normally allowed to do. The ALG is tricked by an
imaginary connection attempt in the second packet fragment. It's not
explicitly stated to be a Linux vulnerability, but he informed his
attack strategy with knowledge of how Linux Netfilter behaves.....which
implies other devices with Linux OS's could exhibit the same issue as
the Netgear R7000.
It's slicker than greased owl shit.....but it's worth reiterating that
you also need something to exploit on the target device.
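To make the difference concrete, here is an added example (my own, not code from the thread or from the researcher's proof of concept) contrasting the per-segment "does the start of this packet look like SIP?" check described above with a stream-aware check that classifies the connection once from its first bytes; the victim address, MSS, and the HTTP/SIP bytes are constructed for illustration.

```python
import re

# Constructed sample values, not taken from the thread: the victim's LAN
# address and an assumed maximum segment size for the TCP connection.
VICTIM_IP = "192.168.0.109"
MSS = 1460

SIP_REQ = re.compile(rb"^REGISTER sip:[^\r\n]*SIP/2\.0\r\n")
CONTACT = re.compile(rb"Contact:\s*<sip:[^@]+@([\d.]+):(\d+)", re.I)

def sip_register(port: int) -> bytes:
    """A minimal (constructed) SIP REGISTER whose Contact header names the victim."""
    return (b"REGISTER sip:example.invalid SIP/2.0\r\n"
            b"Contact: <sip:samy@" + VICTIM_IP.encode() + b":%d;transport=TCP>\r\n\r\n" % port)

def build_post_body(mss: int) -> bytes:
    """Constructed HTTP POST padded so the SIP text lands at the start of segment two."""
    head = b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
    pad = b"A" * (mss - len(head))          # first segment is exactly one MSS
    return head + pad + sip_register(1234)

def segments(stream: bytes, mss: int):
    """Split a byte stream into MSS-sized TCP segments."""
    return [stream[i:i + mss] for i in range(0, len(stream), mss)]

def pinhole_port(seg: bytes, src_ip: str):
    """Return the Contact port if the Contact host matches the internal sender."""
    m = CONTACT.search(seg)
    if m and m.group(1).decode() == src_ip:
        return int(m.group(2))
    return None

def naive_alg(stream: bytes, src_ip: str, mss: int):
    """Per-segment ALG: inspects the start of EVERY segment for a SIP request line."""
    opened = []
    for seg in segments(stream, mss):
        if SIP_REQ.match(seg) and (port := pinhole_port(seg, src_ip)) is not None:
            opened.append(port)
    return opened

def stateful_alg(stream: bytes, src_ip: str, mss: int):
    """Stream-aware ALG: decides from the first bytes of the connection whether
    it carries SIP at all, and never re-classifies a later segment on its own."""
    opened = []
    is_sip = None
    for seg in segments(stream, mss):
        if is_sip is None:
            is_sip = bool(SIP_REQ.match(seg))   # HTTP POST at offset 0: not SIP
        if is_sip and (port := pinhole_port(seg, src_ip)) is not None:
            opened.append(port)
    return opened
```

Run against the padded POST, the naive check opens port 1234 while the stateful one opens nothing; a genuine REGISTER at the start of a stream still passes the stateful check.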
On 11/2/2020 9:36 AM, Ken Hohhof wrote:
I believe in the SIP world the advice is always turn off the SIP ALG. But on
customer managed routers, the customer is never going to change it from the
default, they don't even update the firmware.
-----Original Message-----
From: AF <af-boun...@af.afmug.com> On Behalf Of Adam Moffett
Sent: Monday, November 2, 2020 8:22 AM
To: af@af.afmug.com
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT
It seems to exploit behavior of the application layer gateway. That allows
stuff like RTP and FTP which use dynamic ports to operate through NAT. The
script tricks the gateway into forwarding an arbitrary port number to the
target device. Presumably you then attack a vulnerable service on the target
device, or DOS him, or what have you.
He's specifically doing this with a Netgear R7000. It's not clear to me
whether it was a Netgear bug, or a bug in the kernel, or with ALG's in general.
On 11/1/2020 10:47 AM, Ken Hohhof wrote:
I didn't have time to read all the comments (or the brain cells to
digest them), but there's a discussion here:
https://news.ycombinator.com/item?id=24955891
-----Original Message-----
From: AF <af-boun...@af.afmug.com> On Behalf Of fiber...@mail.com
Sent: Sunday, November 1, 2020 9:23 AM
To: af@af.afmug.com
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT
The URL points to the security researcher's writeup on the attack and
the page contains a link to proof of concept source code on github.
Sent: Sunday, November 01, 2020
From: "Robert" <i...@avantwireless.com>
To: af@af.afmug.com
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host behind NAT
Was that site a source of the "evil javascript"?
On 11/1/20 5:39 AM, fiber...@mail.com wrote:
Synopsis: NAT Slipstreaming allows an attacker to remotely access any
TCP/UDP service bound to a victim machine, bypassing the victim's
NAT/firewall (arbitrary firewall pinhole control), just by the victim
visiting a website.
https://samy.pl/slipstream/
--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com