Knock, knock. Who's there? NAT. Nat who? A NAT URL-borne killer

2021-01-27 20:26

Ben Seri and Gregory Vishnepolsky, threat researchers at Armis, have found a way to expand upon the NAT Slipstream attack disclosed last year by Samy Kamkar, CSO of Openpath Security.

The original NAT Slipstream potentially allowed a miscreant to access any TCP/UDP service tied to a victim's machine by bypassing the victim's NAT and firewall defenses.

NAT Slipstream v2 takes the technique further by allowing a hacker to penetrate a vulnerable NAT/firewall and reach any internal IP on the network, rather than just the IP address of the victim's device.

Version one of the attack involves using malicious JavaScript code that sends traffic to the victim's machine using a protocol that traverses NAT and obtains the IP address of the victim's computer.

It relies on H.323, a VoIP protocol similar to SIP, and WebRTC TURN. "The new variant to the NAT Slipstreaming attack is comprised of two primitives, the first explores the H.323 ALG, and the second expands the attack surface of the various NAT ALGs reachable from a browser, by abusing the WebRTC TURN server API via JavaScript," explain Seri and Vishnepolsky in a blog post.

"Legacy requirements such as ALGs, are still a dominant theme in the design of NATs, today, and are the primary reason bypassing attacks are found again and again," they conclude.

News URL

https://go.theregister.com/feed/www.theregister.com/2021/01/27/nat_slipstream_bypass/

#URL