A little bit of discussion going on at the Mikrotik forum.  One guy says the exploit 
didn't work with Mikrotik SIP ALG enabled, but I wouldn't take that to the 
bank; he doesn't give any details of what he tried.
https://forum.mikrotik.com/viewtopic.php?f=2&t=168372


-----Original Message-----
From: AF <af-boun...@af.afmug.com> On Behalf Of Adam Moffett
Sent: Monday, November 2, 2020 9:15 AM
To: af@af.afmug.com
Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host 
behind NAT

I read a little deeper just now.  I was wondering how he avoided having the 
browser toss errors or ask permission to run the javascript, or what not.  
Apparently the javascript figures out the MTU and maximum segment size, then 
sends an HTTP post with data large enough to be fragmented. The data portion is 
crafted so that the second fragment starts with something that looks like a SIP 
REGISTER.  The Netgear is parsing the beginnings of packets and watching for 
things that look like SIP messages, and apparently this process is simple 
enough to mistake this artificial SIP REGISTER in the beginning of a packet 
fragment for the real thing.

Since the attacker controls the web server, he can respond back from port 5060 
as if he really received a SIP REGISTER.  In the SIP REGISTER if he has 
"Contact: <sip:samy@192.168.0.109:1234;transport=TCP>" then he responds back 
using dst port 1234 and now that port is open to the victim.

The Javascript never opens a real connection; it does an HTTP POST, which 
it's normally allowed to do.  The ALG is tricked by an imaginary connection 
attempt in the second packet fragment. It's not explicitly stated to be a Linux 
vulnerability, but he informed his attack strategy with knowledge of how Linux 
Netfilter behaves.....which implies other devices with Linux OSes could exhibit 
the same issue as the Netgear R7000.

It's slicker than greased owl shit.....but it's worth reiterating that you also 
need something to exploit on the target device.


On 11/2/2020 9:36 AM, Ken Hohhof wrote:
> I believe in the SIP world the advice is always turn off the SIP ALG.  But on 
> customer managed routers, the customer is never going to change it from the 
> default, they don't even update the firmware.
>
>
> -----Original Message-----
> From: AF <af-boun...@af.afmug.com> On Behalf Of Adam Moffett
> Sent: Monday, November 2, 2020 8:22 AM
> To: af@af.afmug.com
> Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal host 
> behind NAT
>
> It seems to exploit behavior of the application layer gateway. That allows 
> stuff like RTP and FTP which use dynamic ports to operate through NAT.  The 
> script tricks the gateway into forwarding an arbitrary port number to the 
> target device. Presumably you then attack a vulnerable service on the target 
> device, or DOS him, or what have you.
>
> He's specifically doing this with a Netgear R7000.  It's not clear to me 
> whether it was a Netgear bug, or a bug in the kernel, or with ALGs in 
> general.
>
>
> On 11/1/2020 10:47 AM, Ken Hohhof wrote:
>> I didn't have time to read all the comments (or the brain cells to
>> digest them), but there's a discussion here:
>> https://news.ycombinator.com/item?id=24955891
>>
>>
>> -----Original Message-----
>> From: AF <af-boun...@af.afmug.com> On Behalf Of fiber...@mail.com
>> Sent: Sunday, November 1, 2020 9:23 AM
>> To: af@af.afmug.com
>> Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any internal
>> host behind NAT
>>
>> The URL points to the security researcher's writeup on the attack and
>> the page contains a link to proof of concept source code on github.
>>
>>> Sent: Sunday, November 01, 2020
>>> From: "Robert" <i...@avantwireless.com>
>>> To: af@af.afmug.com
>>> Subject: Re: [AFMUG] NAT Slipstreaming - or how to attack any
>>> internal host behind NAT
>>>
>>> Was that site a source of the "evil javascript"?
>>>
>>> On 11/1/20 5:39 AM, fiber...@mail.com wrote:
>>>> Synopsis: NAT Slipstreaming allows an attacker to remotely access
>>>> any TCP/UDP service bound to a victim machine, bypassing the victim's
>>>> NAT/firewall (arbitrary firewall pinhole control), just by the victim
>>>> visiting a website.
>>>> https://samy.pl/slipstream/
>>>>
>>>>
>>> --
>>> AF mailing list
>>> AF@af.afmug.com
>>> http://af.afmug.com/mailman/listinfo/af_af.afmug.com
>>>

-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
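The ALG behaviour Adam describes above (the gateway looking at the start of each TCP segment for something that resembles a SIP REGISTER and opening a pinhole to the port in its Contact header) can be modelled offline to see exactly where the check goes wrong and what a stream-aware check does differently. The following is an added example written for this thread; it is not code from the list, from Netgear, from Mikrotik or from the samy.pl write-up. The MSS value, the HTTP POST, the IP 192.168.0.109 and port 1234 taken from Adam's message, and both ALG models are constructed here purely for illustration; nothing touches the network.

```python
"""Toy model: a segment-scanning SIP ALG versus a stream-aware one."""
import re

MSS = 1460  # constructed: assumed TCP maximum segment size on the path

# Matches a SIP Contact header and captures the advertised host and port.
CONTACT_RE = re.compile(
    rb"^Contact:\s*<sip:[^@>]+@(\d+\.\d+\.\d+\.\d+):(\d+)", re.MULTILINE | re.IGNORECASE
)


def segment(stream: bytes, mss: int = MSS):
    """Split client->server stream data into (stream_offset, bytes) TCP-style segments."""
    return [(off, stream[off:off + mss]) for off in range(0, len(stream), mss)]


def contact_port(sip_text: bytes, client_ip: str):
    """Return the Contact port if the header names the connection's own client IP, else None."""
    m = CONTACT_RE.search(sip_text)
    if m and m.group(1).decode() == client_ip:
        return int(m.group(2))
    return None


def naive_alg(segments, client_ip: str) -> set:
    """Segment-scanning ALG (constructed model of the behaviour the thread describes):
    any segment that *begins* with a SIP request line is treated as a SIP message."""
    pinholes = set()
    for _offset, data in segments:
        if data.startswith(b"REGISTER sip:"):
            port = contact_port(data, client_ip)
            if port is not None:
                pinholes.add(port)
    return pinholes


def stream_aware_alg(segments, client_ip: str) -> set:
    """Stream-aware ALG (constructed): reassembles the connection and only parses a SIP
    request that starts at stream offset 0 and ends with a blank line, so bytes that merely
    happen to begin a later segment are never treated as a request."""
    stream = b"".join(data for _offset, data in sorted(segments))
    if not stream.startswith(b"REGISTER sip:"):
        return set()
    head, sep, _body = stream.partition(b"\r\n\r\n")
    if not sep:
        return set()
    port = contact_port(head, client_ip)
    return {port} if port is not None else set()


def build_post_stream(mss: int = MSS, client_ip: str = "192.168.0.109", port: int = 1234) -> bytes:
    """Constructed HTTP POST whose body is padded so that the second segment begins with
    SIP-looking text, reproducing the segment-boundary condition the thread describes."""
    body_len = 2 * mss
    header = (b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
              b"Content-Type: text/plain\r\nContent-Length: %d\r\n\r\n" % body_len)
    fake_sip = (b"REGISTER sip:example.invalid SIP/2.0\r\n"
                b"Contact: <sip:user@%s:%d;transport=TCP>\r\n\r\n" % (client_ip.encode(), port))
    pad = mss - len(header)  # fill the first segment exactly, so fake_sip lands at offset mss
    body = b"A" * pad + fake_sip + b"B" * (body_len - pad - len(fake_sip))
    return header + body


def build_real_register(client_ip: str = "192.168.0.109", port: int = 5062) -> bytes:
    """Constructed legitimate SIP REGISTER sent as the first bytes of a connection."""
    return (b"REGISTER sip:pbx.example.invalid SIP/2.0\r\n"
            b"Contact: <sip:phone@%s:%d;transport=TCP>\r\n\r\n" % (client_ip.encode(), port))


if __name__ == "__main__":
    ip = "192.168.0.109"
    post = segment(build_post_stream())
    print("naive ALG, HTTP POST:       ", naive_alg(post, ip))         # {1234}
    print("stream-aware ALG, HTTP POST:", stream_aware_alg(post, ip))  # set()
    reg = segment(build_real_register())
    print("stream-aware ALG, real SIP: ", stream_aware_alg(reg, ip))   # {5062}
```

The naive model pinholes port 1234 for a connection whose stream actually begins with `POST`, while the stream-aware model ignores it and still handles a genuine REGISTER that starts at offset 0. The Contact-host-equals-client-IP check is kept in both models because it is cheap, but it is not what stops the trick here: the POST names the victim's own internal address. The operationally simpler mitigation the thread already gives, turning the SIP ALG off, corresponds to never consulting either function for the connection at all.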
