Firewall Wizards mailing list archives
Re: Hacker pierces hardware firewalls with web page.
From: david () lang hm
Date: Tue, 12 Jan 2010 12:14:39 -0800 (PST)
I don't see any need for them to do anything like this. It seems far simpler to me.
As an example:To support FTP packet filter based firewalls watch the data stream of any connections going to port 21 for the string where the client tells the server what IP and port to connect back to, the firewall then re-writes the packet to an IP and port on the firewall, and sets up a NAT rule on the firewall so that traffic from the server to that IP and port on the firewall gets directed to the IP and port the client specified.
If javascript issues a HTTP request to port 21 on the bad guy's server and in the request sends the string that the firewall is looking for, the firewall will helpfully setup a NAT and allow that server to connect to a port on the client as specified by the string that the javascript code specified.
There is no need to exploit UPnP or anything other than the fact that the firewall is watching for a specific string (without understanding and enforcing the full protocol) and then opening up a incoming port.
SIP has similar features, but instead of running on a standard low port that coudl be blocked by the browser, it is running on a high port that is much more risky for the browser to block access to.
David Lang On Tue, 12 Jan 2010, Farrukh Haroon wrote:
Perhaps they are exploiting UPnP in some obscure way to achieve this? Regards Farrukh On Tue, Jan 12, 2010 at 5:51 AM, <david () lang hm> wrote:I've seen several other posts where people make use of browser exploits to trick the browser into submitting a form to the router/firewall, and if the router has the default password, the attacker can then configure the firewall any way they want. This sounds a little different. This sounds like it is exploiting standard protocols. With FTP the client connect to the server, then at the start of a file transfer the client tells the server what port to connect to on the client. A 'helpful' firewall will watch for this message and reconfigure itself to allow traffic to that port. IIRC for FTP this data connection is one-way (with acks flowing the other way), but with SIP the port is used for data in both directions. This sounds like the attacker is managing to use javascript to make a connection out that the firewall thinks is a protocol like this, and then by specifying the port they want to attack, tricking the firewall into opening that port up so that it can be attacked from the server the javascript connected to. David Lang On Fri, 8 Jan 2010, R. DuFresne wrote: -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA1 In reading this, I get the impression this is not a fault in the firewalls themselves, but more an issue with the configuration of firewalls having been 'tested' by this hacker. Am I wrong in reading this news in that fashion?:: January 6, The Register - (International) Hacker pierces hardware firewalls with web page. On January 5, a hacker demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, the same hacker is back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage. By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and the hacker says he suspects other devices are also vulnerable. "What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," the hacker told the Register. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required." The hacker's proof-ofconcept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system. For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack does not guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources. Source: http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/ Thanks, Ron DuFresne - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ admin & senior security consultant: sysinfo.com http://sysinfo.com Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629 These things happened. They were glorious and they changed the world..., and then we fucked up the endgame. --Charlie Wilson -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.5 (GNU/Linux) iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ uZciRDQsRu1kZZQUZctPwmY= =KCsu -----END PGP SIGNATURE----- _______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards _______________________________________________firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
_______________________________________________ firewall-wizards mailing list firewall-wizards () listserv icsalabs com https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- Hacker pierces hardware firewalls with web page. R. DuFresne (Jan 08)
- Re: Hacker pierces hardware firewalls with web page. david (Jan 11)
- Re: Hacker pierces hardware firewalls with web page. Farrukh Haroon (Jan 12)
- Re: Hacker pierces hardware firewalls with web page. ArkanoiD (Jan 12)
- Re: Hacker pierces hardware firewalls with web page. david (Jan 12)
- Re: Hacker pierces hardware firewalls with web page. Farrukh Haroon (Jan 12)
- <Possible follow-ups>
- Re: Hacker pierces hardware firewalls with web page. Jeff Jarmoc (Jan 12)
- Re: Hacker pierces hardware firewalls with web page. david (Jan 11)