New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service

NAT Slipstreaming to Bypass Firewall

A new research has demonstrated a technique that allows an attacker to bypass firewall protection and remotely access any TCP/UDP service on a victim machine.

Called NAT Slipstreaming, the method involves sending the target a link to a malicious site (or a legitimate site loaded with malicious ads) that, when visited, ultimately triggers the gateway to open any TCP/UDP port on the victim, thereby circumventing browser-based port restrictions.

The findings were revealed by privacy and security researcher Samy Kamkar over the weekend.

“NAT Slipstreaming exploits the user’s browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse,” Kamkar said in an analysis.

The technique was carried out using a NetGear Nighthawk R7000 router running Linux kernel version 2.6.36.4.

Determining Packet Boundaries

Network address translation (NAT) is the process where a network device, such as a firewall, remaps an IP address space into another by modifying network address information in the IP header of packets while they are in transit.

The main advantage is that it limits the number of public IP addresses used in an organization’s internal network and improves security by letting a single public IP address to be shared among multiple systems.

NAT Slipstreaming works by taking advantage of TCP and IP packet segmentation to remotely adjust the packet boundaries and using it to create a TCP/UDP packet starting with a SIP method such as REGISTER or INVITE.

firewall bypass

SIP (short for Session Initiation Protocol) is a communications protocol used for initiating, maintaining, and terminating real-time multimedia sessions for voice, video, and messaging applications.

In other words, a mix of packet segmentation and smuggling SIP requests in HTTP can be used to trick the NAT ALG into opening arbitrary ports for inbound connections to the client.

To achieve this, a large HTTP POST request is sent with an ID and a hidden web form that points to an attack server running a packet sniffer, which is used to capture the MTU size, data packet size, TCP and IP header sizes, among others, and subsequently transmitting the size data back to the victim client over a separate POST message.

What’s more, it also abuses an authentication function in TURN (Traversal Using Relays around NAT) — a protocol that’s used in conjunction with NATs to relay media from any peer to another client in the network — to carry out a packet overflow and cause IP packets to fragment.

The idea, in a nutshell, is to overflow a TCP or UDP packet by padding (with “^” characters) and force it to split into two so that the SIP data packet is at the very start of the second packet boundary.

Connect to TCP/UDP via Packet Alteration

In the next stage, the victim’s internal IP address is extracted using WebRTC ICE on modern browsers such as Chrome or Firefox or by executing a timing attack on common gateways (192.168.*.1, 10.0.0.1, and local networks).

“Once the client gets the packet sizes and internal IP address, it constructs a specially crafted web form that pads the POST data up until we believe the packet will become fragmented, at which point our SIP REGISTER containing internal IP address is appended,” Kamkar noted. “The form is submitted via Javascript with no consent from the victim.”

Just as the packets reach the attack server and it’s determined that the SIP packet isn’t rewritten with the public IP address, an automatic message is sent back to the client, asking it to adjust its packet size to a new boundary based on the data previously gleaned from the sniffer.

Armed with the right packet boundary, the NAT is deceived into thinking, “this is a legitimate SIP registration and from a SIP client on the victim’s machine,” eventually causing the NAT to open up the port in the original packet sent by the victim.

“The router will now forward any port the attacker chooses back to the internal victim, all from simply browsing to a website,” Kamkar said.

The whole proof-of-concept code for NAT Slipstreaming can be found here.

Leave a Reply

Your email address will not be published. Required fields are marked *