Vulnerability Development mailing list archives
Re: HTML email and external embedded links.
From: "Wim Mees" <Wim.Mees () rma ac be>
Date: Fri, 18 Oct 2002 21:16:13 +0200
Even a basic NAT box does more than simply replace the private internal source IP address with the shared public IP address. It also replaces the source TCP port number with a new number, chosen by the NAT box, in order to allow the NAT box to distinguish different outgoing connections from different internal IPs which happen to use the same source TCP port. Once the NAT session is initiated from the inside, you can from the outside only send packets to this new TCP port number, which will then be forwarded to the original TCP port number on the original internal IP. In other words, to the HTML rendering engine of the mail client the user is using. You cannot access any other ports on the internal machine.

WiM

----- Original Message -----
From: "Ian Lyte" <ilyte () alias666 freeserve co uk>
To: <vuln-dev () securityfocus com>
Sent: Friday, October 18, 2002 3:58 PM
Subject: HTML email and external embedded links.
b0iler recently said: "...Personally, I signed up to this list to get vulnerability development discussion." So with this in mind I have decided to post early and get the list's feedback. I've been meaning to post this for some time but haven't done enough research yet. I'm sure that I'm missing something incredibly obvious here, but I'm equally sure that there is room for development in this vulnerability.

As I understand it, network address translation works like this (very simply): Box A inside the network requests information from Host B on the internet. The internal IP of Box A passes through the router and is put in a NAT table. This then goes out to Host B with the IP address of the router. When a response from Host B is routed back to Box A it has the router's IP address. It arrives at the router, the router looks up in the table and says 'hey, Box A requested information from port xx on Host B, this packet is from Host B port xx -> route to Box A'. Stop me if I'm being stupid yet.

I realise that if you have packet content monitoring or a more complicated NAT table this all falls to pieces, but I think that quite a few corporations don't have that!

If I send you an HTML email with an embedded picture, and that picture is stored on www.malware.com/malimage.jpg, when you open the email you will automatically make a connection to that server. Assuming that I am monitoring this server 24 x 7 and see you access that image, I know that for a period of time I can send requests to your Box as long as I ensure that the connection appears to originate from port 80 on Host B. I could be wrong, but simpler NAT set-ups just map the requests from Box A and not even the originating port.

If you know a Box A behind the NAT is running (say) an unsecured SQL server, could not one assume that the firewall in place would be configured to allow traffic on port 1433? How about NETBIOS - whilst these are usually blocked at a firewall level, just simple NAT may let it pass? I can even imagine simple firewalls only blocking incoming 135 when _no_ outgoing attempt has been made to contact the source IP.

I really don't know - I'm not an expert in this field - that's your job!! But I do believe that there must be some way of exploiting the fact that by sending an HTML email, with an external embedded link, you can create a connection to the Box that opens that email whilst remaining very inconspicuous. I'm just not sure why it isn't being exploited yet. Maybe you'll tell me ;)

Cheers
Ian
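The point of the reply above (the NAT box rewrites the source port, keeps a per-session mapping, and only a packet addressed to a mapped public port is forwarded to the single internal IP:port that opened the session) can be shown with a small model. The following is an added, constructed example, not code from the thread or from either poster. It assumes the box also checks that an inbound packet comes from the remote endpoint recorded for the mapping, which the reply does not state; all addresses are made-up documentation-range values.

```python
"""Toy model of a port-translating NAT (NAPT) box.

Constructed example. It models what the reply describes: an outbound
connection creates a mapping (internal IP, internal port) -> NAT-chosen
public port, and inbound packets reach the inside only through a mapped
port, landing on the exact internal IP:port that opened the session.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass(frozen=True)
class Mapping:
    internal_ip: str
    internal_port: int
    remote_ip: str
    remote_port: int


class NaptBox:
    def __init__(self, public_ip: str, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self.next_port = first_port
        # public port -> session that owns it
        self.by_public_port: Dict[int, Mapping] = {}
        # (internal ip, internal port, remote ip, remote port) -> public port
        self.by_session: Dict[Tuple[str, int, str, int], int] = {}

    def outbound(self, pkt: Packet) -> Packet:
        """Translate an inside->outside packet, creating a mapping if needed."""
        key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        port = self.by_session.get(key)
        if port is None:
            # Pick a fresh public port so two internal hosts using the same
            # source port still get distinct, distinguishable sessions.
            port = self.next_port
            self.next_port += 1
            self.by_session[key] = port
            self.by_public_port[port] = Mapping(
                pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
            )
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate an outside->inside packet; None means the box drops it."""
        if pkt.dst_ip != self.public_ip:
            return None
        mapping = self.by_public_port.get(pkt.dst_port)
        if mapping is None:
            # No session owns this public port (e.g. 1433 or 139): dropped.
            return None
        # Assumption (not stated in the thread): the reply must come from the
        # remote endpoint the session was opened to, or it is dropped.
        if (pkt.src_ip, pkt.src_port) != (mapping.remote_ip, mapping.remote_port):
            return None
        return Packet(pkt.src_ip, pkt.src_port,
                      mapping.internal_ip, mapping.internal_port)


def demo() -> Dict[str, Optional[Packet]]:
    """Run the scenario from the thread with constructed addresses."""
    box = NaptBox("198.51.100.1")  # constructed public IP of the NAT box
    web = ("203.0.113.5", 80)      # constructed 'Host B' serving the image
    # Two internal mail clients happen to use the same source port 1100.
    a = box.outbound(Packet("192.168.1.10", 1100, *web))
    a2 = box.outbound(Packet("192.168.1.11", 1100, *web))
    return {
        "box_a_out": a,                      # rewritten to public IP:40000
        "box_a2_out": a2,                    # rewritten to public IP:40001
        "reply_to_a": box.inbound(Packet(*web, "198.51.100.1", a.src_port)),
        "to_sql_port": box.inbound(Packet(*web, "198.51.100.1", 1433)),
        "to_netbios": box.inbound(Packet(*web, "198.51.100.1", 139)),
        "wrong_src_port": box.inbound(Packet(web[0], 81, "198.51.100.1", a.src_port)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:15} {'dropped' if result is None else result}")
```

Running the demo shows the two internal hosts receive different public ports even though both used source port 1100, the reply addressed to the mapped port is delivered to the one client that opened it, and packets aimed at 1433 or 139 on the public address are dropped because no session owns those ports.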