Re: Hacker pierces hardware firewalls with web page.

[ArkanoiD <ark () eltex net>]

More likely iptables irc conntrack module which is pretty dumb ;-)

On Tue, Jan 12, 2010 at 10:56:16AM +0300, Farrukh Haroon wrote:
>    Perhaps they are exploiting UPnP in some obscure way to achieve this?
>    Regards
>    Farrukh
>    On Tue, Jan 12, 2010 at 5:51 AM, <[1]david () lang hm> wrote:
>
>      I've seen several other posts where people make use of browser
>      exploits to trick the browser into submitting a form to the
>      router/firewall, and if the router has the default password, the
>      attacker can then configure the firewall any way they want.
>      This sounds a little different. This sounds like it is exploiting
>      standard protocols.
>      With FTP the client connect to the server, then at the start of a
>      file transfer the client tells the server what port to connect to
>      on the client. A 'helpful' firewall will watch for this message and
>      reconfigure itself to allow traffic to that port. IIRC for FTP this
>      data connection is one-way (with acks flowing the other way), but
>      with SIP the port is used for data in both directions.
>      This sounds like the attacker is managing to use javascript to make
>      a connection out that the firewall thinks is a protocol like this,
>      and then by specifying the port they want to attack, tricking the
>      firewall into opening that port up so that it can be attacked from
>      the server the javascript connected to.
>      David Lang
>
>    On Fri, 8 Jan 2010, R. DuFresne wrote:
>
>      -----BEGIN PGP SIGNED MESSAGE-----
>      Hash: SHA1
>      In reading this, I get the impression this is not a fault in the
>      firewalls themselves, but more an issue with the configuration of
>      firewalls having been 'tested' by this hacker.  Am I wrong in
>      reading this news in that fashion?::
>      January 6, The Register - (International) Hacker pierces hardware
>      firewalls with web page. On January 5, a hacker demonstrated a way
>      to identify a browser's geographical location by exploiting
>      weaknesses in many WiFi
>      routers. Now, the same hacker is back with a simple method to
>      penetrate hardware firewalls using little more than some javascript
>      embedded in a webpage. By luring victims to a malicious link, the
>      attacker can access
>      virtually any service on their machine, even when it's behind
>      certain routers that automatically block it to the outside world.
>      The method has been tested on a Belkin N1 Vision Wireless router,
>      and the hacker says he
>      suspects other devices are also vulnerable. "What this means is I
>      can penetrate their firewall/router and connect to the port that I
>      specified, even though the firewall should never forward that
>      port," the hacker told the Register. "This defeats that security by
>      visiting a simple web page. No authentication, XSS, user input,
>      etc. is required." The hacker's proof-ofconcept page forces the
>      visitor to submit a hidden form on port 6667, the standard port for
>      internet relay chat. Using a hidden value, the form surreptitiously
>      coerces the victim to establish a DCC, or direct client-to-client,
>      connection. Vulnerable  routers will then automatically forward DCC
>      traffic to the victim's internal system, and using what's known as
>      NAT traversal an attacker can  access any port that's open on the
>      local system. For the hack to work, the visitor must have an
>      application such as file transfer protocol or session initiation
>      protocol running on his machine. The hack does not guarantee an
>      attacker will be able to compromise that service, but it does give
>      the  attacker the ability to probe it in the hope of finding a weak
>      password or a vulnerability that will expose data or system
>      resources. Source:
>      [2]http://www.theregister.co.uk/2010/01/06/web_based_firewall_attac
>      k/
>      Thanks,
>      Ron DuFresne
>      - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>            admin & senior security consultant:  [3]sysinfo.com
>                            [4]http://sysinfo.com
>      Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0
>      6629
>      These things happened. They were glorious and they changed the
>      world...,
>      and then we fucked up the endgame.    --Charlie Wilson
>      -----BEGIN PGP SIGNATURE-----
>      Version: GnuPG v1.4.5 (GNU/Linux)
>      iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
>      uZciRDQsRu1kZZQUZctPwmY=
>      =KCsu
>      -----END PGP SIGNATURE-----
>      _______________________________________________
>      firewall-wizards mailing list
>      [5]firewall-wizards () listserv icsalabs com
>      [6]https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>    _______________________________________________
>    firewall-wizards mailing list
>    [7]firewall-wizards () listserv icsalabs com
>    [8]https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
>    email protected and scanned by AdvascanTM - keeping email useful -
>    www.advascan.com
>
> References
>
>    1. mailto:david () lang hm
>    2. http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
>    3. http://sysinfo.com/
>    4. http://sysinfo.com/
>    5. mailto:firewall-wizards () listserv icsalabs com
>    6. https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>    7. mailto:firewall-wizards () listserv icsalabs com
>    8. https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

> _______________________________________________
> firewall-wizards mailing list
> firewall-wizards () listserv icsalabs com
> https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

_______________________________________________
firewall-wizards mailing list
firewall-wizards () listserv icsalabs com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards