Hacker pierces hardware firewalls with web page

On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage. By luring victims to a malicious link, the attacker can …

COMMENTS

This topic is closed for new posts.
The magic words....

"By luring victims to a malicious link".............

Paris because even she knows malicious links can get you in to a whole lot of trouble.

True - all you have to do is look for the word "malicious"

It's really amazing how many people forget this simple precaution and so needlessly fall victim to malicious links!

malicious?

Lord Lien

I bow to your superior knowledge. How do you know when a link is malicious before you visit it and get the pox?

Is it because you don't visit any links? Is it because you visit only websites that are impossible in the lifetime of the universe to be compromised?

I too am paranoid, but also know how ANY website can harbour mischief. ANY website can be compromised (even if not the server, then their DNS can be made to point elsewhere). The excuse that something ONLY works if you click a malicious link just means that someone has to place the link where you will click it... and you do click links somewhere.

sorry nurse, I'll take the pills now

Oh the porcinity!

Damn those evil sausages!

Very true.

Even if the site itself and its DNS have not been compromised, the old "embed my moody exploit in an advert and tout it through the ad servers" ploy should do the trick quite nicely. Especially as he reckons that it can be made to work without anyone having to click anything.

The number of shonky ads circulating is probably the best reason for adblock these days.

peasant

Hardware firewall? Router? Gateway?

This is pretty basic and simple: ftp ports aren't blocked by default, being as they are a pretty much essential part of being able to use the internet for downloading material from servers/sites etc.

At this point, I begin to question: are we actually mistaking what we can actually do with the 'net, as designed, for something that's hacking, ie altering what is supposed to happen for something that isn't?

I'm pretty much sure, Dan, that you would be highly annoyed if your port 25 didn't work, that being your SMTP port, shared with your ISP, enabling you to get/send your email. Now if that was affected in any way, would you describe that as a hack, an ISP block attempt, or maybe a BUG/FLAW?

This would be news if it was something that happened naturally; unfortunately, it's an artificially engineered situation, and as such has no shock or awe value. The novelty of hacking to create fear has been dissipated by its sheer abundance.

Here was me hoping that 2010 might be different from the last 4/5 years, seems that journalists don't seem to get bored with it, even if readers do.

Port 25

Meh!

I stopped using port 25 for SMTP years ago; heck, I've not been using plain text e-mail for years too. Okay, I know there is always the chance that SSH encrypted mail could be compromised and the security is only as good as its weakest link.

I dare say that this problem isn't because the routers run Linux, for starters, Linux is just the kernel. Could maybe be down to the default settings of how the router handles ports (can't remember name of the package, it's too early in the morning and I haven't had my McDonalds breakfast yet!)

Rob

Sure it's that simple?

"ftp ports aren't blocked by default, being as they are a pretty much essential part of being able to use the internet for downloading materiale from servers/sites etc."

Ok, then try connecting to any port on my machine and see what happens...

The firewall will allow _outgoing_ connections to the ports but not incoming -- unless, of course, I have an FTP server running and the port forwarded. In that case, without this exploit, you'd still not be able to connect to any other port.

Difficult to test

This is a little difficult to test, as I would need to have a second, independent Internet connection to test that a port is, in fact, open from the outside.

not a problem

A quick google for "open ports tester" or similar will find lots of web-based thingies that you can use to test.

Hope that helps, mine's a strong coffee with a large shot of something medicinal, in this weather.

FAIL

Tested it on a Belkin. Belkins are utter shite so it comes as no surprise that it caved in so easily.

It works on BT Voyager 2110

Before:

20:45 (2) "jamie" jamie@catflap% te 78.150.115.214 555

Trying 78.150.115.214...

^C

After:

20:45 (3) "jamie" jamie@catflap% te 78.150.115.214 555

Trying 78.150.115.214...

telnet: connect to address 78.150.115.214: Connection refused

telnet: Unable to connect to remote host

Though I normally run with "forward all ports to 10.20.30.45" by default anyway, so I'm not bothered.

Could be bad for the windows users though!

20:49 (4) "jamie" jamie@catflap% te 78.150.115.214 22

Trying 78.150.115.214...

Won't send login name and/or authentication information.

Connected to 78.150.115.214.

Escape character is '^]'.

SSH-2.0-OpenSSH_5.2p1 FreeBSD-openssh-portable-5.2.p1_2,1

Nothing on a BT Voyager 240

As ye title. I did have to tell noscript to temporarily allow javascript and zonealarm that it was ok for the server program to open a port, so this hack if anything probably tells people not to rely on one line of defence and don't make assumptions.

nothing new ?

Looks a lot like an attack already described in phrack #63, unless something new escaped me. This works fine against netfilter firewalls when admins are abusing the copy-n-paste from tutorials.

FF to the rescue once again....

NoScript we love you <3

PEBKAC

I also use and love NoScript. But as a web developer I can tell you it's trivial to develop a website entirely in Javascript that displays a simple "This site requires Javascript enabled" message to a NoScript user. If that user has been given the impression that the site contains something he or she wants, they'll automatically reach for that NoScript Options button and select "Allow shitsite.com" without a second thought.

Granted, you might be savvy enough to think "Why does simply showing me some info require Javascript?" but depending on how badly you want that info, even you might be prepared to at least "Temporarily allow..." just one time to see what it is. Furthermore, this attack involves form submission. It's far from unusual for forms pages to require Javascript for dynamic option updating and on-enter form validation, and even a tech-savvy user thinking he's signing up for some useful service would be taken in.

NoScript is only as good as the person using it, and with its use becoming more prevalent, the blackhats will become ever more creative in finding ways of meat-hacking people into selecting that much-desired "Allow shitsite.com" option.

LAME

How come nobody ever thought of this MAJOR NAT vulnerability before?? Oh yeah, because, um, NATS ARE NOT FIREWALLS! Let's remember that Teredo and ISATAP are already giving world-addressable IPv6 addresses to our NAT'd machines.

Hardware firewall?

Even though it isn't running on a "computer" it is still software that is getting foiled.

There ain't no such thing as a hardware firewall, except for one of those things that stops real burning fire from spreading from one area to another.

Sir

In network security parlance, a hardware firewall is usually a term used to describe a firewall that is tied to a particular piece of hardware, such as a PIX.

Checkpoint on the other hand can be run on a variety of platforms so can be considered a software firewall, but then people usually use this term to refer to client based firewalls so go figure :)

Newsflash!

People sometimes use phrases which are not strictly semantically correct and yet remain common parlance. Ric Romero has more at 11.

Application-level gateway

It doesn’t work on my D-Link DGL-4300, but its application-level gateway (ALG) doesn’t even support IRC. I tried the suggested alteration for FTP, but couldn’t get it to work. That’s probably not too surprising. As Greg Oestreicher has pointed out, the attacks use some of the same concepts as those in Soungjoo Han’s piece in phrack #63. Han concludes that only a careless firewall would fall for the FTP-echo attack, even if it were packet-aligned.

At least my router makes up in security what it lacks in functionality. Its ALG has caused me more problems than it has solved. The options are all on by default and I needed to turn off both SIP and RTSP, after quite some head scratching. This is why NAT traversal using UPnP is a slightly better fudge.

So simply put

He sent an HTTP-Request which the NAPT interprets as IRC. That should be possible to be patched.

The best solution, obviously, would be to move to IPv6 where you don't have any false security concerning incoming connections.

Morons

NAT != firewall

Firewall != security (especially for badly configured values of firewall)

The above is something I have tried to smack into people who should know better many times over the years. Even my government employer takes this stupid approach of assuming that blocking internet traffic on most ports makes it safe. People seem to forget that once something is breached, the outer perimeter doesn't stop anything.

IE8 will protect you

The test page errors in IE8 :)

Tested on my trusty Netgear DG834, no penetration.

linksys wag160N

It does not work on my router ( Linksys by cisco wag160N ) linksys router are safe! :D

same here

somehow i feel cheated :(

Block your unused ports in BOTH directions

Title says it all really. You should configure your firewall so that it will only allow traffic on ports that you know you need. Especially in Windows-land, many people seem to view a firewall as a one-way system that stops the bad stuff OUTSIDE getting INSIDE. It also works the other way. Most people at home only need ports 80,443, 25, 53 and a couple of others (POP/IMAP?) open. All other ports should be closed off so that if your machine does try and send anything out, it won't actually get very far.

In short, do not assume your internal network can do no wrong. Of course, this isn't a magic bullet but it would go a long way to restricting this kind of stuff, along with stopping the spread of zillions of other viruses and worms.

Tell me do

I have limited my 3Com firewall with NAT to only allow HTTP connections on port 80 and HTTPS on 443.

So how come my kids still manage to use instant messaging apps like those that come with MSN, Facebook, Web Messenger, etc on their windose machines ?

Is all this [IRC/ICMP traffic ?] being run over port 80 at the router ?

File and Printer Sharing is disabled in Services on each machine, as is FTP and TELNET. Can they be turned on surreptitiously by such an exploit?

Is my router still vulnerable to the exploit ?

ALF

Something's not right

Only allowing ANY connections to 80 and 443? If so then you almost certainly would not be able to browse the internet. You need to allow UDP (and sometimes TCP) port 53 also for DNS. As this would not seem to be the case then this suggests you've not locked your router down as much as you think you have.

If you've got some clever rule that only allows 80 and 443 for HTTP protocol (ie your router is performing packet inspection) then unless IRC etc is also running on HTTP then the packet inspection rule will not block it. I've never used it, but I'm pretty sure Facebook chat and similar DOES work over HTTP port 80 (it's just a web page and a bit of javascript running on the browser).

ICMP is a protocol and not a service, and most ICMP stuff can be blocked without causing problems (you might need to allow 'time' - I think some SMTP servers can have issues if this is blocked, but I may have got this wrong - I don't have the necessary info at hand). Generally, you need to set your TCP, UDP and ICMP firewall rules separately.

Anonymous Coward

All sounds fine

Most routers work as the DNS server for the network anyway, and nobody said anything about blocking the *router's* access to port 53. Facebook chat and webmessenger are both web apps that run entirely over 80/443. MSN itself can be proxied over port 80, and possibly just sets itself up to do this if necessary.

Can't see any benefit in blocking outgoing ports whatsoever myself - if I was going to write something malicious I'd already have written it to use port 80 so I could run it through corporate firewalls.

Oh

"Can't see any benefit in blocking outgoing ports whatsoever myself"

You don't see any need to prevent internal network data from leaking out onto the internet? An interesting point of view.

Leaving aside the very obvious security considerations for now, it is this thinking that has resulted in the small but significant amount of noise on the internet at large, consisting of stuff like Windows broadcast requests searching for other machines (which it will never find), and other stray broadcast messages. All of these messages should never leak out; they should be contained on the local network. And before you say "it doesn't matter", well, yes it does! It wastes bandwidth and causes load on other internet-based kit that has to deal with this stuff.

And contrary to what you say, many exploits rely on ports other than 80 being open.

Not so.

"Only allowing ANY connections to 80 and 443? If so then you almost certainly would not be able to browse the internet. You need to allow UDP (any sometimes TCP) port 53 also for DNS."

For most home NAT-based routers, you do NOT need to allow UDP/TCP 53 for DNS to pass through, because they contain their own DNS server, which will make the external requests.

Easy to check: run ipconfig /all or whatever command your OS uses to enumerate DNS servers. If the only DNS server listed is the ip address of your router, then it is running a server, and UDP/TCP 53 does not need to be opened.

Simple message ...

No end of locks on a door will stop people coming in through open windows (pun wasn't intended!).

People need reminding that things are often not as secure as they think they are. I'm often smugly told by certain fanbois that their network is more secure than mine because its firewall is stateful and won't let traffic in which wasn't initiated outbound. When asked how this prevents rogue applications and malware on their system from establishing such an outbound connection the naive answer is this simply will never happen ;-)

I have a software firewall running on my PC which lets me control which applications are making connections or being connected to, but I know that doesn't protect me from anything which piggybacks onto something I have to allow, such as browsers to port 80.

The only secure PC I have is the one in a cupboard which isn't powered up.

Sir

"People need reminding"

They certainly do.

I was working in the City a few years back and a server chap boasted how he had an uber-secure linux system at home that was uncrackable. So myself and the Security bod decided to take up his little challenge.

We were helped by the fact he decided to leave his laptop unlocked that lunch-time it has to be said.

When he got back from lunch we told him we'd put a little hello file from both of us in his root directory, whereupon he immediately vpn'd to his home device to check. The key-logger we had installed was busy sending us info which my compatriot was using to perform the deed whilst I chatted to the numpty.

Needless to say he was a bit miffed when he found a little text file in his root directory (he didn't even check the timestamp (which was about 3 seconds before-hand)).

We didn't let him know how we'd done it for three glorious days, and he didn't have much hair to start with. When we finally put him out of his misery he claimed we had cheated !

Ah, heady days :D

How's that cheating?

I'd call it a nice bit of social engineering. Nicely played on Linux gimp ego and vanity to get his info. No point whining about cheating; security's there because people cheat, after all!

Sir

Which is precisely why we twat-dangled him for three days :)

DI-704P

Doesn't work on my ancient and obsolete D-Link DI-704P. I guess reading the instructions and understanding how it works was worth the effort, huh?

Anonymous Coward

Malicia Slinks

I'm sure I've shagged her?

Why the 'fox logo?

Are you trying to insinuate that this is in some way a FF/Mozilla bug? Why not an IE logo, or are the MS lawyers too dangerous? At the moment a glance at the headline gives the impression that FF is the source of this vulnerability and that is manifestly not the case; please change it.

Not working on my Draytek Vigor 2600

Belkin 0 - Draytek 1

You gets what you pays for.

Unfortunately Not...

The exploit works on my Draytek 2950.

Irony

"By luring victims to a malicious link..."

and then later:

"...visit this link..."

Reminds me of downloading MS updates through IE, and the prompt that says "Only install this software if you trust the publisher, Microsoft"... That one always gave me pause...

Neat idea...

I rather like this little attack, which would fail on my linux router because I haven't installed the IRC connection tracker, ftp would do though.

What the article failed to mention is that all 3 protocols (IRC, FTP, SIP) use 2 or more connections, where the second connection ports are negotiated in the first connection. NAT lets the first connection go because it's outbound, and very few people drop outbound connections by default.

The feature getting abused here is the one routers use to look at traffic in the original connection to find information about the second connection, so the router can create NAT table entries for it. What this shows is that if you can control one end of the management connection for any of those 3 services, you can probably open arbitrary ports through the NAT to whatever host you've got the connection with on the inside. Opening ports to other hosts would be unlikely with this particular attack, but of course once you've compromised one host within the LAN, the rest are free for the taking.

What this all comes back to is: host-based firewalls aren't just for paranoid nutjobs any more! Defense in depth is your friend; don't rely on any one form of protection for anything you consider to be valuable.

But people will never learn that.
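
The two-connection mechanism described in the post above, as an added example that is not from the article or from Kamkar's demo: a toy FTP application-level gateway in Python that compares an ALG which pattern-matches PORT anywhere in client data with one that honours PORT only after the session has actually behaved like FTP. The sessions, hostnames, addresses and ports are constructed, and the strictness rules are a policy choice rather than any particular router's behaviour.

```python
import re

# Constructed sample sessions (not from the article). Each entry is one
# chunk the router sees on an outbound TCP connection from the LAN:
# "s" = sent by the remote server, "c" = sent by the LAN client.
FTP_SESSION = [
    ("s", b"220 ftp.example.net FTP server ready\r\n"),
    ("c", b"USER anonymous\r\n"),
    ("s", b"331 Please specify the password.\r\n"),
    ("c", b"PASS guest\r\n"),
    ("s", b"230 Login successful.\r\n"),
    ("c", b"PORT 192,168,1,10,16,237\r\n"),  # client requests a data channel
]
# A session that is not FTP at all (the client spoke first, with HTTP), but
# whose payload happens to carry a line shaped like an FTP PORT command.
NOT_FTP_SESSION = [
    ("c", b"POST /submit HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("c", b"PORT 192,168,1,10,0,22\r\n"),
]

PORT_RE = re.compile(rb"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)$")

def parse_port(line):
    """Decode 'PORT h1,h2,h3,h4,p1,p2' into (ip, port), or None."""
    m = PORT_RE.match(line.strip())
    if not m:
        return None
    o = [int(x) for x in m.groups()]
    return ".".join(map(str, o[:4])), o[4] * 256 + o[5]

def lenient_alg(session, client_ip):
    """Pattern-matching ALG: any PORT line in client data opens a pinhole."""
    holes = []
    for direction, data in session:
        if direction != "c":
            continue
        for line in data.split(b"\r\n"):
            hole = parse_port(line)
            if hole:
                holes.append(hole)
    return holes

def strict_alg(session, client_ip):
    """ALG that honours PORT only once the session has behaved like FTP:
    a 220 server greeting and a 230 login were seen before the PORT, the
    advertised address is the client's own, and the port is unprivileged
    (a policy choice; real gateways differ in detail)."""
    holes = []
    greeted = logged_in = False
    for direction, data in session:
        for line in data.split(b"\r\n"):
            if direction == "s":
                greeted = greeted or line.startswith(b"220 ")
                logged_in = logged_in or line.startswith(b"230 ")
                continue
            hole = parse_port(line)
            if hole is None:
                continue
            ip, port = hole
            if greeted and logged_in and ip == client_ip and port >= 1024:
                holes.append(hole)
    return holes
```

The lenient gateway opens port 22 on the LAN host for the non-FTP session, which is exactly the "forward a port to the host that made the connection" outcome the post describes; the strict one opens nothing because the session never looked like FTP.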

OLD

Eh, sorry... but I would like to point out that this is not exactly a new thing... See Phrack Volume 0x0c, Issue 0x41, Phile #0x05 of 0x0f which was released on April 12th 2008; it was already covered...

How about Double-NATing?

From the description, it sounds like putting a second router behind the first (i.e. drag that old wireless router & n-port switch out of the closet, turn its wireless off, and put it out in front of your present router) might block this exploit.
