
A swift kick in the NATs

WereCatf

Summary

 

While many of the vulnerabilities that get reported (and typically horribly over-dramatized!) aren't all that meaningful in practice, let alone for regular consumers, a researcher called Samy Kamkar came up with JavaScript code that exposes a pretty serious issue that can put a ton of folks into trouble. The attack described by Kamkar uses JavaScript to fool a vulnerable router's ALG implementation into opening ports it's not supposed to open, giving the attacker free access to any network services running on the system.

 

Quotes

Quote

Coinciding with Halloween over the weekend, security researcher Samy Kamkar published details of a spooky firewall-busting technique he calls NAT Slipstreaming. It allows a remote attacker to punch through gateway and browser defenses to access services running on computers within a network, depending on the victim's configuration.

 

As the name suggests, NAT Slipstreaming abuses Network Address Translation (NAT), used by routers and firewalls to thread connections between systems on a local network and the outside world. This slipstreaming can be exploited by remote miscreants to reach TCP/UDP services on a victim's PC that normally would not be accessible to outsiders.

 

My thoughts

While this news may go over the head of most people here, the implications are quite massive: many (most?) consumer- and SOHO-grade routers ship with ALG enabled, and the vast majority of consumer-grade routers either never receive security updates or the consumers never apply those updates, which means many of these routers will be running a vulnerable ALG that never gets fixed or disabled. Since exploiting it only requires a user to visit a website with a bit of JavaScript, with no other action required on the user's part, and there's zero indication of your system getting compromised... yeah, that's a very bad combo.

 

None of PFsense, OPNsense or OpenWRT have ALG (ie. siproxd or similar) even installed by default.

 

Sources

https://www.theregister.com/2020/11/02/application_level_gateway_flaw/

Hand, n. A singular instrument worn at the end of the human arm and commonly thrust into somebody’s pocket.

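The failure the post describes, modelled as an added example (this is not code from the original post, from any router vendor, or from Kamkar's write-up): a toy SIP ALG that parses SIP/SDP out of outbound TCP payloads toward port 5060 and opens inbound pinholes for whatever port the SDP advertises. The "weak" variant honours any advertised port; the "hardened" variant applies the sanity checks a practitioner would want (only media-range ports, a real SIP request line, address equal to the connection's inside source). The LAN addresses, payloads, listener table and media port range are all constructed assumptions.

```python
"""Toy model of a SIP ALG deciding whether to open an inbound pinhole.

Added example for this thread, not code from any router vendor and not Kamkar's
proof-of-concept.  It models the failure class the thread describes: an ALG that
parses SIP/SDP out of outbound TCP payloads and opens inbound pinholes for
whatever port the SDP advertises.  Network ranges, payloads and the "media port
range" are constructed assumptions, not measurements of any real device.
"""
import re
from dataclasses import dataclass

SIP_PORT = 5060
MEDIA_PORTS = range(16384, 32768)       # assumed RTP range a sane ALG would honour

# Constructed table of what commonly listens LAN-side on a desktop; used only to
# show what a pinhole to that port would expose.
LAN_LISTENERS = {135: "MS-RPC endpoint mapper", 139: "NetBIOS session",
                 445: "SMB", 22: "SSH", 23: "Telnet"}

@dataclass(frozen=True)
class Segment:
    src_ip: str      # inside address the router saw the TCP connection come from
    dst_port: int    # outside destination port
    payload: bytes   # TCP payload as the ALG sees it

@dataclass(frozen=True)
class Pinhole:
    inside_ip: str
    inside_port: int

REQUEST_LINE = re.compile(rb"^(REGISTER|INVITE) sip:\S+ SIP/2\.0\r\n")
SDP_CONN = re.compile(rb"^c=IN IP4 ([0-9.]+)\r?$", re.M)
SDP_MEDIA = re.compile(rb"^m=(?:audio|video) (\d+) RTP/AVP", re.M)

def parse_sdp(payload: bytes):
    """Return (connection_ip, [media ports]) from SDP in the payload, or None."""
    conn = SDP_CONN.search(payload)
    ports = [int(m.group(1)) for m in SDP_MEDIA.finditer(payload)]
    if conn is None or not ports:
        return None
    return conn.group(1).decode(), ports

def naive_alg(seg: Segment) -> list[Pinhole]:
    """The weak behaviour: SDP in any stream toward 5060 is trusted, and every
    advertised media port becomes an inbound pinhole to the inside host."""
    if seg.dst_port != SIP_PORT:
        return []
    sdp = parse_sdp(seg.payload)
    if sdp is None:
        return []
    ip, ports = sdp
    if ip != seg.src_ip:          # the one check even weak ALGs tend to make
        return []
    return [Pinhole(ip, p) for p in ports]

def hardened_alg(seg: Segment) -> list[Pinhole]:
    """Same parser with assumed hardening (not a description of any vendor's
    fix): the payload must begin with a SIP request line, the SDP address must
    be the connection's own inside source, and only media-range ports are
    honoured.  445 is never a plausible RTP port, so it is refused no matter
    how the text reached the ALG."""
    if seg.dst_port != SIP_PORT or REQUEST_LINE.match(seg.payload) is None:
        return []
    sdp = parse_sdp(seg.payload)
    if sdp is None:
        return []
    ip, ports = sdp
    if ip != seg.src_ip:
        return []
    return [Pinhole(ip, p) for p in ports if p in MEDIA_PORTS]

def exposed_services(pinholes: list[Pinhole]) -> list[tuple[int, str]]:
    """Map opened pinholes onto the constructed listener table."""
    return [(h.inside_port, LAN_LISTENERS[h.inside_port])
            for h in pinholes if h.inside_port in LAN_LISTENERS]

# Constructed traffic: a genuine softphone call, and a payload shaped like a SIP
# REGISTER that names the inside host and an SMB port instead of an RTP port.
LEGIT_CALL = Segment("192.168.0.23", 5060,
    b"INVITE sip:bob@example.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 192.168.0.23:5060\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\nc=IN IP4 192.168.0.23\r\nm=audio 16400 RTP/AVP 0\r\n")

SMUGGLED = Segment("192.168.0.109", 5060,
    b"REGISTER sip:attacker.invalid SIP/2.0\r\n"
    b"Via: SIP/2.0/TCP 192.168.0.109:5060\r\n"
    b"Content-Type: application/sdp\r\n\r\n"
    b"v=0\r\nc=IN IP4 192.168.0.109\r\nm=audio 445 RTP/AVP 0\r\n")

if __name__ == "__main__":
    for name, seg in (("legit call", LEGIT_CALL), ("smuggled", SMUGGLED)):
        weak, strong = naive_alg(seg), hardened_alg(seg)
        print(f"{name}: naive opens {weak} -> exposes {exposed_services(weak)}; "
              f"hardened opens {strong}")
```

The point of the two variants side by side is that both accept the legitimate call, but only the naive one turns a constructed "REGISTER" naming port 445 into an inbound hole straight to SMB on the inside host. The cleanest fix is still the one the thread lands on: turn the ALG off unless you actually run SIP through it.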

Sounds pretty bad but for the majority of users it wouldn't be an issue since the Windows Firewall would still be running on their system.

Main Rig:-

Ryzen 7 3800X | Asus ROG Strix X570-F Gaming | 16GB Team Group Dark Pro 3600Mhz | Corsair MP600 1TB PCIe Gen 4 | Sapphire 5700 XT Pulse | Corsair H115i Platinum | WD Black 1TB | WD Green 4TB | EVGA SuperNOVA G3 650W | Asus TUF GT501 | Samsung C27HG70 1440p 144hz HDR FreeSync 2 | Ubuntu 20.04.2 LTS |

 

Server:-

Intel NUC running Server 2019 + Synology DSM218+ with 2 x 4TB Toshiba NAS Ready HDDs (RAID0)


3 minutes ago, Master Disaster said:

Sounds pretty bad but for the majority of users it wouldn't be an issue since the Windows Firewall would still be running on their system.

Take a look at your firewall; you'll most likely see a ton of stuff there with permissions allowed for local network. Well, since the traffic is coming from the router, that is in the local network...


3 minutes ago, WereCatf said:

Take a look at your firewall; you'll most likely see a ton of stuff there with permissions allowed for local network. Well, since the traffic is coming from the router, that is in the local network...

I'm aware what a local network is. The Windows firewall only allows Windows stuff in by default, for anything third party the user is prompted to add an exception when the app is first run.


1 minute ago, Master Disaster said:

I'm aware what a local network is. The Windows firewall only allows Windows stuff in by default, for anything third party the user is prompted to add an exception when the app is first run.

Then what's your point here? People have tons of stuff they have clicked "OK" for, when Windows asks to add the exception. Then there's stuff like Samba-shares and all that. This exploit allows for access to all of those.


2 minutes ago, WereCatf said:

Then what's your point here? People have tons of stuff they have clicked "OK" for, when Windows asks to add the exception. Then there's stuff like Samba-shares and all that. This exploit allows for access to all of those.

tbh I'd be more worried about this being used to expose SMB and RPC to the internet which would be locally open typically.


1 minute ago, leadeater said:

tbh I'd be more worried about this being used to expose SMB and RPC to the internet which would be locally open typically.

More worried than what?


If this exploit allows access to local Samba shares and local SSH it would be devastating. A lot of companies, including Linus Media Group, have most if not all of their important data on local servers.

I will recommend an NHu12s (or an NHd15 (maybe)) for your PC build. Quote or @ me @Prodigy_Smit for me to see your replies.

PSU Tier List | Howdy! A Windows Hello Alternative

 

 

Desktop :

i7 8700 | Quadro P4000 8GB |  64gb 2933Mhz cl18 | 500 GB Samsung 960 Pro | 1tb SSD Samsung 850 evo

Laptop :

ASUS G14 | R9 5900hs | RTX 3060 | 16GB 3200Mhz | 1 TB SSD


Just now, Smit Devrukhkar said:

If this exploit allows access to local samba shares and local SSH it would be devastating. Alot of companies including Linus Media Group have most if not all of their important data on local servers.

I wouldn't be that worried about SSH, since no one in their right mind runs an SSH server that doesn't require authentication. Obviously, there are things like bad passwords and such, but eh, the attackers would probably rather spend their time on easy-and-fast pickings, like Samba. Telnet, on the other hand... there is some very poorly designed consumer software that even in this day and age opens a Telnet port on the PC to allow for easy management. I can't remember any names off the top of my head, since I don't use those apps myself, but one was some sort of home-budgeting thing or whatever.


48 minutes ago, WereCatf said:

Then what's your point here? People have tons of stuff they have clicked "OK" for, when Windows asks to add the exception. Then there's stuff like Samba-shares and all that. This exploit allows for access to all of those.

Fair point. I forgot how idiotic some people are at clicking warnings without understanding them.

 

45 minutes ago, leadeater said:

tbh I'd be more worried about this being used to expose SMB and RPC to the internet which would be locally open typically.

Also fair. These things are allowed by default and an attacker getting access to a domain controller or file server would be pretty devastating.

 

It does seem like this is more of a concern for servers rather than home users though. An average user isn't going to be running many network services that would be dangerous if exposed to the wider internet.


1 minute ago, Master Disaster said:

It does seem like this is more of a concern for servers rather than home users though.

Home users tend to save passwords and stuff into text files, so accessing their shares might give access to those. There may be private photos that can be used to blackmail them with, demanding payments in Bitcoin or whatever. The attacker can infect all the executable files found on those shares, thereby getting even deeper access to anyone using those executables. They may plant Excel documents or whatnot with malicious payloads there.

 

So on and so forth. There's a ton of stuff one can do.


14 minutes ago, Master Disaster said:

Also fair. These things are allowed by default and an attacker getting access to a domain controller or file server would be pretty devastating.

Except this exposes those services to the internet which nobody does unless they are mental.

 

14 minutes ago, Master Disaster said:

It does seem like this is more of a concern for servers rather than home users though

Most computers have SMB and RPC services enabled, go to a site with this javascript on it and you're at the same risk as anyone else, and you'd better hope you've patched for the SMB vulnerabilities that have come out in the last 5-10 years.


13 minutes ago, WereCatf said:

So on and so forth. There's a ton of stuff one can do.

Like open a remote Command Prompt or PowerShell session with privilege escalation and do anything they please. I've been through some basic Red Team training; some things are scary easy if you have an entry vector. That's why this matters so much: it allows attackers to open vectors that otherwise would never exist without actually being on your network.


1 hour ago, WereCatf said:

More worried than what?

Dunno, I missed your second sentence there 🤣

 

Don't mind me, just repeating what you said 😅


Just now, leadeater said:

I've been through some basic Red Team training, some things are scary easy if you have an entry vector.

I've never been to anything like that nor have I ever been interested in hacking-techniques or such and even I can still come up with dozens of things to do. Someone who has been doing things like that for years...yeah, I don't like that thought!


3 minutes ago, leadeater said:

Except this exposes those services to the internet which nobody does unless they are mental.

Agreed and that was what I meant. The Windows Firewall allows them by default for local connections so this attack will expose them to the internet.

 

5 minutes ago, leadeater said:

Most computers have SMB and RPC services enabled, go to a site with this javascript on it and you're at the same risk as anyone else, and you'd better hope you've patched for the SMB vulnerabilities that have come out in the last 5-10 years.

The risk level is the same, however the potential for damage is much greater on a server than on a home computer. As @WereCatf said, at home it's going to be personal documents and pictures etc., which, while not exactly ideal (especially for the owner), is nowhere near as bad as what could be taken from a corporate-level server.


So what about I just disable this ALG thing in my router? (I don't have a "router" but a "modem-router".)

 

What do I need it for anyways? 

 

And can I alternatively just disallow this local network stuff in windows firewall? I never liked that this is on by default tbh.... But I wasn't sure it's needed. 

 

Note I have no "local network" only router + pc are a network which, technically isn't local because it's like directly connected to the www 🤷🏼

The direction tells you... the direction

-Scott Manley, 2021

 

Softwares used:

Corsair Link (Anime Edition) 

MSI Afterburner 

OpenRGB

Lively Wallpaper 

OBS Studio

Shutter Encoder

Avidemux

FSResizer

Audacity 

VLC

WMP

GIMP

HWiNFO64

Paint

3D Paint

GitHub Desktop 

Superposition 

Prime95

Aida64

GPUZ

CPUZ

Generic Logviewer

 

 

 


6 minutes ago, Mark Kaine said:

So what about I just disable this ALG thing in my router? (I don't have a "router" but a "modem-router".)

It's still a router, even if it also includes a modem. And yes, just disable ALG.

6 minutes ago, Mark Kaine said:

What do I need it for anyways?

It's mostly used for SIP. If you don't know what that is, you're not using it.

7 minutes ago, Mark Kaine said:

Note I have no "local network" only router + pc are a network which, technically isn't local because it's like directly connected to the www

If your PC's IP-address begins with 192, then it's not directly connected to the Internet.


1 minute ago, WereCatf said:

It's still a router, even if it also includes a modem. And yes, just disable ALG.

Ok, hopefully it has it (the option to turn it off) 

 

2 minutes ago, WereCatf said:

It's mostly used for SIP. If you don't know what that is, you're not using it

Yeah it's for VoIP I think, which is in my contract, but I'm not using it ever. 

 

3 minutes ago, WereCatf said:

If your PC's IP-address begins with 192, then it's not directly connected to the Internet.

Oh yeah of course it does, I just meant there's nothing else connected to the router that still makes it vulnerable I guess. 

 

So in theory I could also just not allow local network in windows firewall, in case my router doesn't have the ALG option? Or would that be a bad idea? 


16 minutes ago, Mark Kaine said:

So in theory I could also just not allow local network in windows firewall, in case my router doesn't have the ALG option? Or would that be a bad idea? 

It'd be easier to just change the network-type to public instead, then check what you've allowed to be accessible on public networks in your firewall-settings.


This is why I've been using pfSense for years now. Whenever I see some massive vulnerability I look at see if I need to change a setting in my router or apply a usually already created patch and move on with my life. I don't have to worry about stupid security vulnerable settings being enabled out of the box or need to wait months, years or possibly forever to get a patch.


6 hours ago, WereCatf said:

 

None of PFsense, OPNsense or OpenWRT have ALG (ie. siproxd or similar) even installed by default.

 

It's far more likely that 100% of consumer routers sold at retail and all ISP routers have ALG enabled, because they're marketed as being capable of doing everything, and in the case of ISPs, often touted as supporting voice and video calls/streams. All of them also run web services on them, which makes them exploitable via that avenue. Remember when there was a rush to disable UPnP on routers? It's still around: https://www.helpnetsecurity.com/2020/06/09/cve-2020-12695/

 

OpenWRT: about 25% of the devices that can run it can't run a recent version. Enterprise routers don't run Linux, and you're up a creek without a paddle if you haven't purchased a support contract.

 

https://www.voip-info.org/routers-sip-alg/

Quote

List of routers with SIP ALG enabled

 

 

In all honesty, it's time we stopped relying on NAT hacks anyway. IPv6 is out, and has been out long enough that IPv6 should be the default gateway. NAT came into popular use around 1998 in Windows 98 when "Internet Sharing" became a standard feature of Windows; prior to that, you had to set up all sorts of proxy nonsense. Broadband routers all implemented NAT from the beginning. So here we are 20+ years later and the cracks in the implementations are showing up more frequently.

 

 

 


5 minutes ago, Kisai said:

In all honesty, it's time we stopped relying on NAT hacks anyway. IPv6 is out, and has been out long enough that IPv6 should be the default gateway.

Not going to happen any time soon, if ever. My ISP, for example, still hasn't bothered to roll out IPv6 and they have given zero indication that they're going to, either. The official word is literally "we'll look into it." Then there's stuff like e.g. Google flat-out refusing to support DHCPv6 on Android, which makes IPv6 unusable for many enterprises, educational facilities and so on.


8 hours ago, Kisai said:

IPv6 is out

CGN equipment too; guess which one ISPs are going to choose...


On 11/3/2020 at 3:00 AM, leadeater said:

Except this exposes those services to the internet which nobody does unless they are mental.

At the risk of your ISP frowning at you, running a sandboxed honeypot can be interesting 😏
