Hacking a hardware firewall with a web form - GoFuckYourself.com

borked · 01-07-2010, 01:55 AM

Some whiz has found a way to open up NAT on hardware firewalls through some nifty javascript in a web form.

Quote:

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."

Kamkar's proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system.

For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack doesn't guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.

...

While Kamkar's proof-of-concept requires users to press a submit button, he said it's trivial to use javascript so no interaction is required after the page is visited.

Kamkar said he based his attack on IRC because many versions of Linux used to run routers support the protocol by default. He's based similar attacks on file transfer protocol and had success with both the Belkin and Airport Extreme routers and believes other services such SIP may work on those routers as well as other devices.

Proof of concept page - remember you have to specify a port (21 for ftp or 22 for ssh) for a service that is on your computer behind a firewall and then check from a remote location to see if you can ssh/ftp in.

Not all firewalls are vulnerable - I checked with my ADSL modem/router and all remains closed

Angry Jew Cat - Banned for Life · 01-07-2010, 02:07 AM

If you want your computer to remain secure, do not ever connect it to the internet. I'm leaning closer and closer to buying a box strictly for reliable standalone use and storage.

borked · 01-07-2010, 02:20 AM

and how do your transfer content onto that box? with the virus-laden USB key or HDD?

Angry Jew Cat - Banned for Life · 01-07-2010, 02:39 AM

Quote:

Originally Posted by borked

and how do your transfer content onto that box? with the virus-laden USB key or HDD?

Nothing comes in from anywhere. Only out on CD. Hell, fresh writable CDs are cheaper than floppy disks were!

Dappz · 01-07-2010, 02:42 AM

ummmmmmmm well you need to keep your server always save

01-07-2010, 02:20 AM	#3
borked Totally Borked Industry Role: Join Date: Feb 2005 Posts: 6,284	and how do your transfer content onto that box? with the virus-laden USB key or HDD? __________________ For coding work - hit me up on andy // borkedcoder // com (consider figuring out the email as test #1) All models are wrong, but some are useful. George E.P. Box. p202

01-07-2010, 02:42 AM	#5
Dappz Confirmed User Join Date: Dec 2009 Posts: 997	ummmmmmmm well you need to keep your server always save __________________ Hentai Artist * Draw My Anime * HentaiLovers * hentaiG4H * ICQ : 657458

01-07-2010, 02:07 AM	#2
Angry Jew Cat - Banned for Life (felis madjewicus) Industry Role: Join Date: Jul 2006 Location: In Mom & Dad's Basement Posts: 20,368	If you want your computer to remain secure, do not ever connect it to the internet. I'm leaning closer and closer to buying a box strictly for reliable standalone use and storage.