Firewall Wizards mailing list archives

Re: Hacker pierces hardware firewalls with web page.


From: Jeff Jarmoc <jeff () jarmoc com>
Date: Tue, 12 Jan 2010 11:38:00 -0600

If it's what I think it is, it's much simpler than UPnP trickery.
While I can't be sure from the limited information in the article,
what they describe is very much like what's outlined on Samy Kamkar's
site: http://samy.pl/natpin

Also relevant is the work Dan Kaminsky presented at CanSecWest 2009:
http://www.scribd.com/doc/13501365/Staring-Into-The-Abyss

-- Jeff Jarmoc


From: Farrukh Haroon <farrukhharoon () gmail com>
Date: Tue, 12 Jan 2010 10:56:16 +0300

Perhaps they are exploiting UPnP in some obscure way to achieve this?

Regards

Farrukh

On Tue, Jan 12, 2010 at 5:51 AM, <david () lang hm> wrote:


    I've seen several other posts where people make use of browser exploits to
    trick the browser into submitting a form to the router/firewall, and if the
    router has the default password, the attacker can then configure the
    firewall any way they want.

    This sounds a little different. This sounds like it is exploiting standard
    protocols.

    With FTP the client connects to the server, then at the start of a file
    transfer the client tells the server what port to connect to on the client.
    A 'helpful' firewall will watch for this message and reconfigure itself to
    allow traffic to that port. IIRC for FTP this data connection is one-way
    (with acks flowing the other way), but with SIP the port is used for data in
    both directions.

    This sounds like the attacker is managing to use javascript to make a
    connection out that the firewall thinks is a protocol like this, and then by
    specifying the port they want to attack, tricking the firewall into opening
    that port up so that it can be attacked from the server the javascript
    connected to.

    David Lang




    On Fri, 8 Jan 2010, R. DuFresne wrote:

        In reading this, I get the impression this is not a fault in the firewalls
        themselves, but more an issue with the configuration of firewalls having
        been 'tested' by this hacker.  Am I wrong in reading this news in that
        fashion?:


        January 6, The Register - (International) Hacker pierces hardware
        firewalls with web page. On January 5, a hacker demonstrated a way to
        identify a browser's geographical location by exploiting weaknesses in many
        WiFi routers. Now, the same hacker is back with a simple method to penetrate
        hardware firewalls using little more than some javascript embedded in a
        webpage. By luring victims to a malicious link, the attacker can access
        virtually any service on their machine, even when it's behind certain
        routers that automatically block it to the outside world. The method has
        been tested on a Belkin N1 Vision Wireless router, and the hacker says he
        suspects other devices are also vulnerable. "What this means is I can
        penetrate their firewall/router and connect to the port that I specified,
        even though the firewall should never forward that port," the hacker told
        the Register. "This defeats that security by visiting a simple web page. No
        authentication, XSS, user input, etc. is required." The hacker's
        proof-of-concept page forces the visitor to submit a hidden form on port
        6667, the standard port for internet relay chat. Using a hidden value, the
        form surreptitiously coerces the victim to establish a DCC, or direct
        client-to-client, connection. Vulnerable routers will then automatically
        forward DCC traffic to the victim's internal system, and using what's known
        as NAT traversal an attacker can access any port that's open on the local
        system. For the hack to work, the visitor must have an application such as
        file transfer protocol or session initiation protocol running on his
        machine. The hack does not guarantee an attacker will be able to compromise
        that service, but it does give the attacker the ability to probe it in the
        hope of finding a weak password or a vulnerability that will expose data or
        system resources. Source:
        http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/




        Thanks,


        Ron DuFresne
        -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
              admin & senior security consultant:  sysinfo.com
                              http://sysinfo.com
        Key fingerprint = 9401 4B13 B918 164C 647A  E838 B2DF AFCC 94B0 6629

        These things happened. They were glorious and they changed the world...,
        and then we fucked up the endgame.    --Charlie Wilson
        _______________________________________________
        firewall-wizards mailing list
        firewall-wizards () listserv icsalabs com
        https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


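As an added example (not code from the thread, from Samy Kamkar, or from any router vendor mentioned), the 'helpful firewall' logic David describes, simulated in Python: a permissive application-layer gateway that opens whatever endpoint an FTP PORT or IRC DCC message advertises, beside a hardened one that only pinholes the speaking client's own address on an ephemeral port. The function names, the internal address 192.168.1.20 and the sample messages are constructed for the illustration.

```python
import re
from ipaddress import ip_address

# FTP active mode: "PORT h1,h2,h3,h4,p1,p2" (port = p1*256 + p2).
# IRC DCC (CTCP): "DCC SEND <file> <ip-as-integer> <port> ..." or "DCC CHAT chat <ip> <port>".
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
DCC_RE = re.compile(r"DCC (?:SEND|CHAT) \S+ (\d+) (\d+)")


def parse_advertised_endpoint(payload):
    """Return the (ip, port) a client advertises in an FTP PORT or IRC DCC message, else None."""
    m = PORT_RE.match(payload)
    if m:
        h1, h2, h3, h4, p1, p2 = map(int, m.groups())
        return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2
    m = DCC_RE.search(payload)
    if m:
        return str(ip_address(int(m.group(1)))), int(m.group(2))
    return None


def permissive_helper(client_ip, payload):
    """The behaviour the article describes: pinhole whatever endpoint the payload names."""
    ep = parse_advertised_endpoint(payload)
    return {"open": True, "ip": ep[0], "port": ep[1]} if ep else {"open": False}


def hardened_helper(client_ip, payload, min_port=1024):
    """Pinhole only the speaking client's own address, and only on an ephemeral port."""
    ep = parse_advertised_endpoint(payload)
    if ep is None:
        return {"open": False, "reason": "no endpoint advertised"}
    ip, port = ep
    if ip != client_ip:
        return {"open": False, "reason": "advertised address is not the client"}
    if not min_port <= port <= 65535:
        return {"open": False, "reason": "advertised port outside ephemeral range"}
    return {"open": True, "ip": ip, "port": port}


if __name__ == "__main__":
    client = "192.168.1.20"  # constructed internal host; 3232235796 is the same address as a DCC integer
    samples = [
        "PORT 192,168,1,20,200,10",                          # legitimate FTP data port 51210
        "PRIVMSG bob :\x01DCC CHAT chat 3232235796 22\x01",  # DCC line naming a service port on the client
        "PORT 10,0,0,5,200,10",                              # address that is not the client
    ]
    for s in samples:
        print(repr(s), permissive_helper(client, s), hardened_helper(client, s))
```

These checks narrow what a browser-driven message can open, but they do not replace the real fix, which is to leave protocol helpers off unless a flow explicitly needs them.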