We report on new security research that has found a technique allowing an attacker to bypass the firewall and remotely access any TCP/UDP service on the victim's computer. This is a problem that, as we will see, can seriously compromise security. We are going to explain what this attack consists of.
A new attack allows the firewall to be bypassed
This is a NAT/firewall bypass attack that can allow an attacker to access any TCP/UDP service. The threat is known as NAT Slipstreaming. The method involves sending the target, the victim, a link to a malicious site (or a legitimate site loaded with malicious ads) which, when visited, triggers the gateway to open any TCP/UDP port on the victim. This bypasses the browser's port-based restrictions.

This new method has been revealed by security researcher Samy Kamkar. NAT Slipstreaming reportedly exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers and firewalls, by chaining together internal IP address extraction via WebRTC or a timing attack, automated remote MTU and IP fragmentation discovery, TCP packet size control, misuse of TURN authentication, precise control of packet boundaries, and protocol confusion through abuse of the browser.
As we know, NAT is the process in which a network device, such as a firewall, maps one IP address space to another by modifying the network address information in the IP header of packets while they are in transit.
Its main advantage is that it reduces the number of public IP addresses an organization's internal network needs, and it improves security by allowing a single public IP address to be shared between multiple systems.

NAT Slipstreaming leverages TCP and IP packet segmentation
NAT Slipstreaming takes advantage of TCP and IP packet segmentation to remotely adjust packet boundaries, using this to create a TCP/UDP packet that starts with a SIP method (SIP is short for Session Initiation Protocol) such as REGISTER or INVITE. SIP is a communications protocol used to initiate, maintain and end real-time multimedia sessions for voice, video and messaging applications.
In other words, a combination of packet segmentation and SIP requests carried inside HTTP traffic can be used to trick the NAT ALG into arbitrarily opening ports for incoming connections.
This is accomplished by submitting a large HTTP POST request with an ID and a hidden web form pointing to an attack server running a packet sniffer. The sniffer is used to capture the MTU size, data packet size, TCP and IP header sizes, and more; the attack server then sends this size data back to the victim's client via a separate POST message.
Beyond this, it also abuses an authentication feature of TURN (Traversal Using Relays around NAT), a protocol used in conjunction with NAT to relay media from any peer to another client on the network, in order to overflow the packets and force IP fragmentation.
Essentially, a TCP or UDP packet is overflowed and forced to split in two, so that the SIP data sits at the very start of the second packet.
Next, the victim's internal IP address is extracted using WebRTC ICE in modern browsers such as Chrome or Firefox, or by running a timing attack against common gateways.
According to the security researcher behind this report, once the client has the packet sizes and the internal IP address, the attacker builds a specially crafted web form that pads the POST data until the packet is fragmented, at which point the SIP REGISTER containing the internal IP address is appended.
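As an added example (not code from the original article or from the researcher), the following small Python detector shows what a network monitor can look for on the defending side: it scans a captured TCP/UDP payload for a SIP request line sitting inside an HTTP request body or at the very start of a segment, and extracts the Contact address that an ALG would open a pinhole towards. The sample payloads are constructed for the example; the host names and addresses are hypothetical.

```python
import ipaddress
import re

# A SIP request line, matched on any line of the payload (the kind of line a SIP ALG parses).
SIP_REQUEST = re.compile(rb"^(REGISTER|INVITE) sips?:\S+ SIP/2\.0\r?$", re.M)
# Contact header: the host/port the ALG would open a pinhole towards.
CONTACT = re.compile(
    rb"^Contact:\s*<?sips?:(?:[^@>\s]+@)?(\d{1,3}(?:\.\d{1,3}){3})(?::(\d+))?", re.M | re.I)
HTTP_REQUEST = re.compile(rb"^(?:GET|POST|PUT) \S+ HTTP/1\.[01]\r?\n")


def inspect_payload(payload):
    """Classify one TCP/UDP payload; return a finding dict, or None if no SIP request is present."""
    sip = SIP_REQUEST.search(payload)
    if not sip:
        return None
    finding = {"method": sip.group(1).decode(), "offset": sip.start()}
    if HTTP_REQUEST.match(payload):
        finding["kind"] = "sip_inside_http"  # SIP text carried in a web request body
    elif sip.start() == 0:
        finding["kind"] = "bare_sip"         # e.g. the split-off second segment the ALG sees
    else:
        finding["kind"] = "sip_mid_payload"
    contact = CONTACT.search(payload, sip.end())
    if contact:
        ip = ipaddress.ip_address(contact.group(1).decode())
        finding["contact_ip"] = str(ip)
        finding["contact_port"] = int(contact.group(2)) if contact.group(2) else 5060  # SIP default
        finding["contact_is_private"] = ip.is_private  # RFC 1918 address: an internal host is exposed
    return finding


# Constructed samples (hypothetical values, not real captures).
SAMPLE_POST = (  # padded web-form POST whose body carries a SIP REGISTER for an internal host
    b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n"
    b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 182\r\n\r\n"
    b"field=" + b"A" * 64 + b"\r\n"
    b"REGISTER sip:example.invalid SIP/2.0\r\n"
    b"Contact: <sip:user@192.168.1.23:8443>\r\n"
    b"Via: SIP/2.0/TCP 192.168.1.23\r\n\r\n"
)
SAMPLE_BARE = b"REGISTER sip:example.invalid SIP/2.0\r\nContact: <sip:10.0.0.5>\r\n\r\n"
SAMPLE_BENIGN = b"POST /upload HTTP/1.1\r\nHost: example.invalid\r\n\r\nfield=REGISTERED%20OK"

if __name__ == "__main__":
    for name, sample in (("post", SAMPLE_POST), ("bare", SAMPLE_BARE), ("benign", SAMPLE_BENIGN)):
        print(name, inspect_payload(sample))
```

In practice the "sip_inside_http" case is what a stream-reassembling sensor sees, while the "bare_sip" case is what the per-packet ALG sees after the split, so both are worth alerting on when the Contact address is private.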