‘NAT Slipstreaming’ Allows Attackers to Remotely Bypass Firewall


Attackers can remotely access any TCP/UDP service bound to a victim machine just by the victim visiting a website.

Research published over the weekend demonstrates a new NAT-based attack technique. It lets an attacker bypass firewall protection and remotely reach any TCP/UDP service on a victim machine.

With the technique, called NAT Slipstreaming, the attacker sends the target a link to a malicious site, or to a legitimate site carrying malicious ads. The site then gets the gateway to open any TCP/UDP port on the victim, circumventing the browser's own port restrictions.

The findings were revealed by privacy and security researcher Samy Kamkar.

Using browser abuse to bypass a firewall

As the name suggests, NAT Slipstreaming abuses Network Address Translation (NAT), the mechanism routers and firewalls use to map connections between systems on a local network and the outside world.

NAT remaps one IP address space into another by rewriting the address information in the IP header of packets while they are in transit.

Remote attackers can use slipstreaming to reach TCP/UDP services on a victim's PC that would normally not be reachable from outside. Kamkar provides technical details and code demonstrating how it operates.

“NAT Slipstreaming exploits the user’s browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls,” explains Kamkar.

JavaScript is the culprit

For the attack to work, the victim needs to visit a website containing malicious JavaScript and has to sit behind a vulnerable Application Level/Layer Gateway. The ALG acts as an intermediary, intercepting incoming and outgoing packets. Browsers block JavaScript from connecting to services on certain ports; NAT Slipstreaming overcomes that restriction.

Using this technique, the attacker "tricks" the NAT into believing it is seeing a legitimate SIP registration. As a result, the NAT opens the port named in the packet that the victim's browser originally sent.

“The router will now forward any port the attacker chooses back to the internal victim, all from simply browsing to a website,” Kamkar said.
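An added example, not code from the article or from Kamkar's research, that illustrates the defender-side point above: an ALG that classifies a payload as SIP wherever a SIP request line appears can be steered by browser-generated HTTP, whereas a check that only accepts SIP when the very first line is a SIP request is not. The block also includes a detector that flags HTTP requests carrying SIP text in their body and reports the port named in the Contact header, which is what a fooled gateway would be induced to forward. The permissive ALG model, the sample payloads and all names are assumptions constructed for illustration, not any vendor's implementation.

```python
"""Contrast a permissive and a strict SIP classification, plus a detector for
SIP request lines carried inside HTTP bodies. Illustrative example only; the
ALG model is an assumption, not a description of any specific product."""
import re
from typing import Optional

# A SIP request line such as "REGISTER sip:host SIP/2.0" at the start of any line.
SIP_REQUEST_LINE = re.compile(rb"^(REGISTER|INVITE|OPTIONS) sip:\S+ SIP/2\.0\r?$", re.M)
# An HTTP request line at the very start of the payload.
HTTP_REQUEST_LINE = re.compile(rb"\A(GET|POST|PUT|HEAD) \S+ HTTP/1\.[01]\r?\n")
# The port inside a SIP Contact header, e.g. "Contact: <sip:u@192.0.2.10:8080>".
CONTACT_PORT = re.compile(rb"^Contact:\s*<?sip:[^@\s>]*@[0-9.]+:(\d+)", re.M | re.I)


def permissive_alg_sees_sip(payload: bytes) -> bool:
    """Model (assumption) of a loose ALG: anything containing a SIP request
    line anywhere in the payload is treated as SIP."""
    return SIP_REQUEST_LINE.search(payload) is not None


def is_real_sip(payload: bytes) -> bool:
    """Strict check: the payload is SIP only if its first line is a SIP request line."""
    first_line = payload.split(b"\n", 1)[0]
    return SIP_REQUEST_LINE.match(first_line) is not None


def find_sip_in_http_body(payload: bytes) -> Optional[dict]:
    """Flag an HTTP request whose body carries a SIP request line.

    Returns the SIP method and the port named in the first Contact header
    after it (the port a fooled ALG would forward), or None if not found.
    """
    if not HTTP_REQUEST_LINE.match(payload):
        return None
    header_end = payload.find(b"\r\n\r\n")
    if header_end == -1:
        return None
    body = payload[header_end + 4:]
    sip = SIP_REQUEST_LINE.search(body)
    if not sip:
        return None
    contact = CONTACT_PORT.search(body, sip.end())
    return {
        "sip_method": sip.group(1).decode("ascii"),
        "contact_port": int(contact.group(1)) if contact else None,
    }


# Constructed sample payloads (hypothetical hosts and addresses from the
# documentation ranges, not taken from the article).
SIP_BODY = (
    b"REGISTER sip:example.invalid SIP/2.0\r\n"
    b"Contact: <sip:user@192.0.2.10:8080>\r\n"
    b"\r\n"
)
# An HTTP POST whose body happens to look like a SIP REGISTER.
HTTP_CARRYING_SIP = (
    b"POST /upload HTTP/1.1\r\n"
    b"Host: example.invalid\r\n"
    b"Content-Type: text/plain\r\n"
    + b"Content-Length: %d\r\n\r\n" % len(SIP_BODY)
    + SIP_BODY
)
# Ordinary web traffic with no SIP text at all.
PLAIN_HTTP = b"GET /index.html HTTP/1.1\r\nHost: example.invalid\r\n\r\n"
# A standalone SIP REGISTER, as a real SIP phone would send it.
GENUINE_SIP = SIP_BODY


if __name__ == "__main__":
    samples = [
        ("http carrying sip", HTTP_CARRYING_SIP),
        ("plain http", PLAIN_HTTP),
        ("genuine sip", GENUINE_SIP),
    ]
    for name, pkt in samples:
        print(
            f"{name:18} permissive_alg={permissive_alg_sees_sip(pkt)!s:5} "
            f"strict={is_real_sip(pkt)!s:5} flagged={find_sip_in_http_body(pkt)}"
        )
```

Only the HTTP payload carrying SIP separates the two classifiers: the permissive model accepts it as SIP, the strict check rejects it, and the detector names the Contact port that would have been opened. Genuine SIP passes both classifiers and is not flagged, and plain HTTP passes neither.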