NAT Slipstreaming: Visiting Malicious Site Can Expose Local Network Services to Remote Attacks

A newly disclosed attack technique can bypass Network Address Translation (NAT) and firewalls and allow an attacker to remotely access TCP/UDP services on the victim’s internal network, security researcher Samy Kamkar says.

Known as NAT slipstreaming, the attack can be launched when the victim visits a specially crafted website, and it abuses the Application Level Gateway (ALG), a connection-tracking mechanism found in firewalls, NATs and routers.

According to the researcher, the attack chain combines internal IP extraction (via a timing attack or WebRTC), automated remote discovery of the MTU and of IP fragmentation behaviour, manipulation of TCP packet sizes, misuse of TURN authentication, precise control of packet boundaries, and protocol confusion through browser abuse.

By taking advantage of the fact that the destination port is opened by the NAT or firewall, the attack bypasses the browser’s port restrictions. All major modern browsers are vulnerable to this new variant of the NAT pinning technique that Kamkar introduced ten years ago.

The attack relies on ALG support in the NAT/firewall, which is required for multi-port protocols such as FTP, IRC DCC, SIP and H.323 (VoIP), among others.

NAT allows multiple computers to share a single public IP address on the Internet by creating a local network in which each system has a local IP address. When a computer connects to the Internet, its outgoing packets are rewritten to use the public IP address, so that responses are sent back to the NAT.

The NAT also distinguishes between connections that different internal hosts make to the same address/port by rewriting the source ports. With an ALG, the NAT can follow multi-port protocols and ensure that the correct data is delivered to the requesting machine.

The researcher discovered that it is possible to bypass a victim’s NAT and connect directly to any port on the victim’s machine, exposing previously protected/hidden services.

According to Kamkar, the attack starts with the victim visiting a malicious website or being served a malicious advertisement, and continues by extracting the victim’s internal IP address (via WebRTC over HTTPS, or a web-based TCP timing attack) and sending it to the attacker’s server.

Large TCP/UDP padding is then sent to push the request past the maximum packet size so that it is fragmented, and a SIP packet containing the internal IP address is generated, which triggers the ALG’s connection tracking. The SIP packet lands in its own TCP segment, without the HTTP header in front of it, and the NAT opens the TCP/UDP ports named in that packet.

At this stage, the ALG port-forwards to the attacker’s chosen ports because it is tricked into believing the victim machine opened those ports. “Now the attacker can bypass the victim’s NAT and connect directly to any port on the victim’s machine, exposing previously protected/hidden services,” he explains.

“Once the client receives the packet sizes and internal IP address, it creates a specially crafted web form that pads the POST data until we believe the packet will be fragmented, at which point our SIP REGISTER containing the internal IP address is appended. The form is submitted via JavaScript without the victim’s consent,” Kamkar explains.

The attacker can inspect the rewritten packets arriving at the server and automatically tell the client that the SIP packet did not land where expected if it does not contain the public IP address. Once the packet lands on the boundary, the NAT is fooled into treating the SIP REGISTER as legitimate and as coming from a SIP client on the victim’s machine.

The server’s SIP response is hidden inside the HTTP response so that it does not trigger browser protections; it tricks the NAT into opening the port named in the original packet the victim sent, and the router into forwarding the attacker-defined ports to the internal victim.

All of this follows from simply browsing to a website. The attack is then complete: the attacker can connect to any TCP/UDP service running on the victim, the researcher concludes.
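The protocol-confusion step above hinges on one observable artifact: a TCP segment on a connection that began as HTTP which then starts with a bare SIP request line, and whose Contact header names an RFC 1918 address and an arbitrary port. The following detector is an added example for network defenders and is not code from the article or from Kamkar’s research; the segment payloads, hostnames, addresses and the port 8000 are constructed, and the heuristic only looks at the single connection it is given. It flags exactly that pattern when the destination port is the one a SIP ALG inspects, and stays quiet for a genuine SIP registration.

```python
"""Heuristic detector for SIP-inside-HTTP protocol confusion (NAT slipstreaming).

Added example, not from the article. It walks the ordered client-to-server
payloads of one TCP connection and reports segments that a port-keyed SIP ALG
would accept as a SIP REGISTER even though the connection started as HTTP.
"""
import ipaddress
import re

# Request-line shapes for the two protocols being confused (HTTP/1.x and SIP/2.0).
HTTP_REQUEST_LINE = re.compile(rb"^(?:GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SIP_REQUEST_LINE = re.compile(rb"^(?:REGISTER|INVITE) sip:[^\r\n]+ SIP/2\.0\r\n")
# Contact header carrying user@ip:port; this is what the ALG uses to open a pinhole.
SIP_CONTACT = re.compile(
    rb"^Contact:\s*<sip:[^@>\r\n]*@(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})", re.M | re.I
)
SIP_PORT = 5060  # the port a SIP ALG typically tracks


def bare_sip_contact(payload):
    """Return (ip, port) from the Contact header when the segment begins with a
    SIP request line and no HTTP framing precedes it; otherwise None."""
    if not SIP_REQUEST_LINE.match(payload):
        return None
    match = SIP_CONTACT.search(payload)
    if not match:
        return None
    try:
        ip = ipaddress.ip_address(match.group(1).decode("ascii"))
    except ValueError:  # octet out of range, not a real address
        return None
    return str(ip), int(match.group(2))


def find_slipstream_candidates(segments, dst_port):
    """segments: ordered client->server TCP payloads of one connection.
    Returns [(segment_index, contact_ip, contact_port), ...] for every later
    segment that is a bare SIP request with a private Contact address on a
    connection whose first segment was an HTTP request. A connection that
    starts with SIP is a normal SIP client and is not reported."""
    if dst_port != SIP_PORT or not segments:
        return []
    if HTTP_REQUEST_LINE.match(segments[0]) is None:
        return []
    findings = []
    for index, payload in enumerate(segments[1:], start=1):
        contact = bare_sip_contact(payload)
        if contact is None:
            continue
        ip, port = contact
        if ipaddress.ip_address(ip).is_private:
            findings.append((index, ip, port))
    return findings


# Constructed sample traffic (hostnames, addresses and ports are made up).
HTTP_POST_SEGMENT = (
    b"POST /submit HTTP/1.1\r\n"
    b"Host: site.example\r\n"
    b"Content-Type: multipart/form-data; boundary=xx\r\n"
    b"Content-Length: 1800\r\n\r\n"
    b"--xx\r\nContent-Disposition: form-data; name=\"pad\"\r\n\r\n" + b"A" * 1400
)
BARE_SIP_SEGMENT = (
    b"REGISTER sip:site.example SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 192.168.1.23:5060\r\n"
    b"From: <sip:user@site.example>\r\n"
    b"To: <sip:user@site.example>\r\n"
    b"Contact: <sip:user@192.168.1.23:8000>\r\n"
    b"Content-Length: 0\r\n\r\n"
)

if __name__ == "__main__":
    print(find_slipstream_candidates([HTTP_POST_SEGMENT, BARE_SIP_SEGMENT], SIP_PORT))
    print(find_slipstream_candidates([BARE_SIP_SEGMENT], SIP_PORT))
```

The first call reports the smuggled REGISTER at segment 1 pointing at 192.168.1.23:8000; the second, a connection that was SIP from its first byte, reports nothing. In practice the same check belongs in the NAT itself: an ALG that refuses to act on a SIP message whose connection did not start as SIP, or that is disabled outright where no VoIP traffic needs it, removes the condition the attack depends on.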

Related: Firewall Status Report: Automation Key to Avoiding Costly Configuration Errors

Related: State-Sponsored Cyberspies Use Sophisticated Technique to Bypass Server Firewalls

Related: Hackers Using RDP Increasingly Rely on Network Tunneling to Bypass Protections

Ionut Arghire is an international correspondent for SecurityWeek.
