back to article We did NAT see that coming: How malicious JavaScript can open holes in your firewall for miscreants to slip through

Coinciding with Halloween over the weekend, security researcher Samy Kamkar published details of a spooky firewall-busting technique he calls NAT Slipstreaming. It allows a remote attacker to punch through gateway and browser defenses to access services running on computers within a network, depending on the victim's …

  1. Notas Badoff

    What's this? I know, I'll plug it in...

    "The third chunk is designed so that it appears to contain a SIP packet used to initiate video-conferencing sessions and the like. This is parsed by the ALG, which is fooled into thinking a SIP session is starting, and opens an external port that's routed through to the victim's PC."

    So this is the ALG (Application Level/Layer Gateway) picking up a 'lost' thumb drive in the parking lot and plugging it in to a USB port to see what's on it? Who knew that was a bad idea...

    1. FordPrefect

      Re: What's this? I know, I'll plug it in...

      No ALG is a service that runs on various firewalls and proxies that allows devices sitting behind a hide NAT to work with the SIP protocol which requires an inbound connection for VOIP calls. It sits and brokers the connection by listening into the packet stream on the initiation of a SIP session and dynamically opens up inbound service ports as required similar to uPNP. You don't need it for skype, or a lot of the consumer application based voice services. In many cases assuming your router isnt horribly hobbled you can probably turn it off, although some people might have corporate VOIP systems and some people even have home VOIP systems. I know when I've seen it in corporate environments before normally the actual server is behind a corporate firewall and requires users to VPN in, meaning the ALG would probably not be needed.

      1. LDS Silver badge

        "some people even have home VOIP systems"

        Here many ADSL and almost all consumer FTTC (and obviously FTTH) connections wholly remove the POTS analog line and force user to use only VoIP for fixed phone calls, so it's a lot of users.

        I do not know if consumer router with built-in ATAs use ALG to handle VoIP protocols, or use other methods. ALG is not strictly required - it is possibile to explicitly open and map the required ports, or use STUN and NAT keepalive to let the VoIP proxies make inbound calls. Users of external ATAs or small VoIP gateways/PBX may not know what method their router is using.

        1. Ragarath

          Re: "some people even have home VOIP systems"

          Note also that SIP ALG can cause problems to VOIP systems too. I need to turn it off on my routers for example otherwise our cloud PBX's packets get mangled and it does some weird stuff.

          For example, outgoing or incoming calls are fine but forwarding the call to any other number will result in the internal caller and the caller being forwarded to being unable to speak to one another. When the call is actually put through the external and internal users can talk again.

          1. LDS Silver badge

            Re: "some people even have home VOIP systems"

            ALG is know to create problems because it actually can mess with the session payload. I have an ATA at home to use the FTTC connection VoIP service, and I don't use ALG as well.

            But for many users it is simpler than other methods, and often it is transparent, so they don't even know it's there. I've seen users on forum saying "you don't need to use STUN or forward ports, it works!!!" - sure, you're router has ALG enabled...

      2. John Smith 19 Gold badge
        WTF?

        "opens up inbound service ports as required similar to uPNP."

        That comaprison alone should make people very twitchy about this protocol.

  2. -tim
    Facepalm

    Stateful firewall? Where?

    The most commonly used firewall configurations used by many Linux based firewall have been optimized to the point where they aren't proper stateful firewalls anymore. The port filtering stuff doesn't keep state at all as it only trusts the packets to say they aren't established (RFC 3514 style) and rely on the NAT engine to keep track of the rest of the state info. One those routers, that means anything not using NAT, isn't stateful at all and anything that opens up external access on demand like UPnP effectively breaks the stateful nature of a firewall. The same is true for many business grade firewalls. An easy way to verify this is to check how much memory is used per data stream and if it is too low, it can't be stateful.

  3. Blackjack Silver badge

    Flash called from the grave

    He wants pizza and is saying "Good luck getting rid of this guy like you did with me."

  4. cbars

    Stars and bucks

    To this researcher, well done!

    The device level firewall would work to block this too though, right? If one was in a coffee shop and couldn't control the router.

    Or a global pandemic closing all coffee shops... there's usually more than one solution!

    1. Joe W Silver badge

      Re: Stars and bucks

      Or a global pandemic closing all coffee shops... there's usually more than one solution!

      I knew there was a positive effect, apart from not having to meet people I don't want to meet...

    2. I am the liquor Silver badge

      Re: Stars and bucks

      If configured to do so, presumably yes. But when you installed or enabled some local service that listens on a port, it may well have created an inbound rule for itself on the device firewall.

    3. Mage Silver badge
      Coat

      Re: Stars and bucks

      This is why you should block all third party scripts, especially ads. Google's Ad service has been used in the past to serve malware on the BBC and CNN and other popular sites.

      NoScript, uBlock and uMatrix can be more effective than AV and won't quarenteen your real applications or OS components.

  5. Pascal Monett Silver badge
    Flame

    "visit a website containing malicious JavaScript"

    Which will be blocked by NoScript.

    Honestly, what is it going to take for all browsers to block JavaScript by default and implement whitelisting of web sites that can use it ?

    99% of all malicious activity starts with a piece of JavaScript. Block it, and it's over.

    It's time to confine that code.

    1. diodesign (Written by Reg staff) Silver badge

      "block JavaScript by default"

      I think there's more chance of Jeremy Corbyn being elected US president than that happening.

      C.

      1. RichardBarrell

        Re: "block JavaScript by default"

        Petitioning "Volition" to put this into Saints Row 5 now

    2. Joe Drunk
      Unhappy

      Re: "visit a website containing malicious JavaScript"

      I used to keep javascript disabled by default in Firefox. Unfortunately more and more websites either don't work properly or just give you a blank page (El Reg being the exception). Also WEBEX extensions refuse to work without javascript.

      1. Anonymous Coward
        Anonymous Coward

        Re: "visit a website containing malicious JavaScript"

        Just use NoScript. It strikes a good balance.

    3. This post has been deleted by its author

    4. Twilight

      Re: "visit a website containing malicious JavaScript"

      NoScript really doesn't help in this case. The best route to weaponize this would be to compromise a popular website and inject the malicious JavaScript. Provided it is one of the many sites that requires JavaScript to function, it will be whitelisted for most NoScript users.

  6. amanfromMars 1 Silver badge

    A Sublime Alien Venture Enterprise ... AIMaster Pilot Pioneer Proven Erudite Editions to Browse ...

    ... at your Leisurely Pleasure

    Coinciding with Halloween over the weekend, security researcher Samy Kamkar published details of a spooky firewall-busting technique he calls NAT Slipstreaming. It allows a remote attacker to punch through gateway and browser defenses to access services running on computers within a network, depending on the victim's configuration.

    Thomas Claburn in San Francisco, Hi,

    Did you not mean to reveal remote browser attacker access to services running on computers within a network, independent of victims' configurations ‽ .

    Or would such be a novel attack vector to consider as an Almighty Immaculate Defence System Mentoring and Monitoring Global Reaction to Future ITERations with Almighty Immaculate Defence Weaponry Fully Loaded with Virtually Explosive AMMO.

    Advanced Multiple Meme Operations to Save and Savour and Server to Space for Times in a Great AI SAVE.

    Does San Francisco do Cyber Realm Command and Control? A Simple Question that answers the question as to whether there be Any Viable Competition and/or Ineffective Opposition to one can only imagine to be an Almighty Select Few Exercising and Demonstrating Cyber Realm Command and Control with Browsers in Command with Future Operating Bases in Control of Live Operational Virtual Environments.

    1. Anonymous Coward
      Anonymous Coward

      Re: A Sublime Alien Venture Enterprise ... yada yada ...

      amanfromMars 1,

      ...

      Wut !!!!!!?????

      P.S.

      Does anyone have a amanfromMars 1 <-> Klingon translation app .... it might help me understand !!!

      1. amanfromMars 1 Silver badge

        Re: A Sublime Alien Venture Enterprise ... yada yada ...

        Wut !!!!!!?????

        P.S.

        Does anyone have a amanfromMars 1 <-> Klingon translation app .... it might help me understand !!! ..... Anonymous Coward

        Does the following help and make IT any clearer for you, AC ......

        Objective ....... Operational Theatre Advantage/Situational Supremacy

        The Virtually Advanced IntelAIgent Operating System ......... with the Internet and ITs Global Information Grids Networking as the VAIOSystem Software Store Source, Providing Novel Innovative Virgin Source Code as Special Lead Content in Website Domains/Freely Accessible CyberSpace Environments .... and ITs HyperRadioProActive Drivers being IT and Media as the HardWired Hardware Deliverers of Future World Views. ..... which is surely a Kin to Panoramas and Vistas and Bigger Picture Shows in the Great Advanced IntelAIgents Game ..... only Better and in Betas, Testing and Tempting Systems to FailSafe in their Configuration and Design.

        And Hosted in Cloud and Cloud Strata for ITs Global Cover, Reach, Concealment and Rains/Reins/Reigns.

        Welcome to CyberIntelAIgent NEUKlearer HyperRadioProActive ProgramMING in Networks InterNetworking JOINT Applications ......... for the SMARTR Enabling of Special IntelAIgents Services and AI Beta Universal Management of Global Perception with IT in Virtually Real Control with AI and Virtualised Realities.

        An AWEsome Present Current AIDevelopment to be denied Engagement with a Collective of IntelAIgent Agencies. ........and thus extraordinarily rendered Renegade Rogue Private Pirate First Class AIMaster Pilot Pioneer Program?

        I think that's as much as anyone would need to realise what has been happening all around them, AC.

        1. amanfromMars 1 Silver badge

          Something else to look forward to not see coming ..... ? ..... because it is already there?

          Sometimes/Many times one gleans so much more important information advancing intelligence whenever something freely posted for presentation is withheld or unduly long deliberated upon in the background with spooky shadows in the shade of ignorance and/or arrogance, to deny a more general universal view either by genuine accident or deliberate malice aforethought. However, invariably inevitably, such an activity/inactivity is then extraordinarily rendered both extremely counter-productive to, and devastatingly revealing of products and/or programs worthy of all manner of further foreign forensic attention and future alien engagement.

          Sometimes though, it is just a case of one being busier elsewhere rather than slow off the mark or enjoying a well earned holiday break with no one else available to mind the store. That's why it is always best to look on the brighter sides of life ...... and to share again specifically what is generally missing from universal view to ensure a wider level playing field rather than to imagine all sorts of other strange shenanigans being afoot and struggling to be effectively heard and understood in the presence of both able competition and almighty opposition.

          GrahamC [2011040717] ……. airing an inevitability on https://www.nationaldefensemagazine.org/articles/2020/11/3/joint-artificial-intelligence-center-keeps-branching-out

          Meanwhile, in fab fabless labs elsewhere, do giants awake with your biddings to explore and engage with, or deny and destroy ‽ ….. https://forums.theregister.com/forum/all/2020/11/02/application_level_gateway_flaw/#c_4138757

          Something definitely more than just a tad different for the likes of a JAIC or DARPA to consider for Future Command and Control Systems.

          The JAIC can certainly talk the talk and the Summary of the 2018 Department of Defense Artificial Intelligence Strategy Harnessing AI to Advance Our Security and Prosperity is an encouraging read. However, walking the walk into what is effectively practically unknown, remote virtually controlled territory and a Virgin AI Space Place is a tad more difficult and simply complex and much more of a quantum communications leap for communications to make/telegenic audio-visual stimuli to take, and that can be thanked for ensuring leading positions are rendered wonderfully small and unhindered by group thinking delays.

          One surely cannot deny that such sorts of developments in future fields are not fully hoped for and to be expected …….. and also to be much feared and warned against if not under adequate absolute control, for such has wisely been shared as a condition to be rightly wary of …… “Yeah, I am not sure exactly what to do about this. This is really the scariest problem to me, I will tell you.” ….. Elon Musk

          [Thank you. Your comment will be displayed soon after reviewing.]

          Elon Musk was talking about the advance of AI in that quote.

          1. Cliff Thorburn

            Re: Something else to look forward to not see coming ..... ? ..... because it is already there?

            “Yeah, I am not sure exactly what to do about this. This is really the scariest problem to me, I will tell you.” ….. Elon Musk

            I thought he was referring to the SEC liking his Twitter posts ;0)

          2. Anonymous Coward
            Anonymous Coward

            Re: @gate-flaw - SomeTHInG else... ... is already (t)here?

            55

            "...bad gate chewed off the tail of the msg..."

            #66 - SR/DR/SUM1

            2008......

            73

  7. This post has been deleted by a moderator

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2021