New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service (2nd November 2020)

Description

A recent investigation has highlighted a technique which allows an attacker to bypass firewall protection and remotely access any TCP/UDP service on a victim’s machine.  

Summary

This technique used is referred to as NAT Slipstreaming, it entails sending the focus on a URL to a malicious website (legitimate internet site loaded with destructive ads) that, when accessed triggers the gateway to open any TCP/UDP port on the victim, thereby circumventing browser-based port restrictions. This new technique was revealed by privacy and security researcher Samy Kamkar. 

How does the vulnerability work? 

“NAT Slipstreaming exploits the user’s browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism designed into NATs, routers, and firewalls by chaining internal IP extraction by using timing attack or WebRTC, automated remote Maximum transmission unit (MTU) and IP fragmentation misuse, specified packet boundary handle, and protocol confusion by browser abuse,” stated by Kamkar in his reported investigation. 

The method was carried out using a NetGEAR Nighthawk R7000 router jogging Linux kernel variation 2.6.36.4. 

Identifying packet Boundaries 

Network address translation (NAT) is the process where a network unit, such as a firewall, remaps an IP address space into another by modifying network address information in the IP header of packets although they are in transit. 

The primary advantage is that it limits the number of public IP addresses used in an organization’s internal network and improves security by allowing a single IP address to be shared among multiple systems. 

NAT Slipstreaming functions by taking advantage of TCP and IP packet segmentation to remotely adjust the packet boundaries and using it to create a TCP/UDP packet starting with a SIP method such as REGISTER or INVITE. 

SIP, which stands for shorter for session initiation protocol, is a communications protocol which is used for initiating, maintaining, and terminating actual time multimedia classes for voice, video clip, and messaging purposes. 

In other words, a combination of packet segmentation and SIP request traffic can be used in HTTP to trick the NAT Application Level Gateway (ALG) into arbitrarily opening ports for incoming connections.  

This can be accomplished by submitting a large HTTP POST request with an ID and a hidden web form pointing to an attack server running a packet sniffer. This is used to capture MTU size, data packet size, TCP and IP header sizes, and more. It then transmits the size data to a victim client via a separate POST message. 

It also abuses an authentication feature in TURN (Traversal using Relays around NAT), a protocol used in conjunction with NAT to relay media from any peer to another client on the network, to perform and overflow of packets and fragment the IP packets. 

It basically consists of overflowing a TCP or UDP packet and forcing it to split in two so that SIP data packet is at the beginning of the limit of the second packet. 

More information can be found at https://thehackernews.com/2020/11/new-natfirewall-bypass-attack-lets.html

Remediation: 

This attack can be mitigated by raising awareness of social engineering attacks. Tailored social engineering training along with phishing campaigns can be effective mitigation since it addresses the root cause of a successful phishing attack. 

The Guyana National CIRT recommends that users and administrators review the remediation strategies and apply them where necessary.

References