Samy Kamkar: NAT Slipstreaming: Lets Hackers Access Any TCP/UDP Service
Received news about NAT Slipstreaming.
Related to SIP ALG.
Needed to check our firewalls (Fortinet).
From the FortiOS GUI: System --> Feature Visibility. On both firewalls, VoIP was not enabled.
Ran show system setting from the CLI. Did not have:
set default-voip-alg-mode proxy-based / kernel-helper-based
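As an added example (not from this post or from Fortinet), a small Python checker that parses FortiOS "show system settings" output and reports the effective default-voip-alg-mode. The sample output is constructed; the checker assumes the FortiOS convention that "show" omits values at their default, and that proxy-based is the default mode.

```python
import re

# Constructed samples of `show system settings` output from a FortiGate.
# FortiOS `show` prints only non-default values, so a missing
# default-voip-alg-mode line means the default is in effect; the default
# is assumed here to be proxy-based.
SHOW_DEFAULT = """config system settings
    set opmode nat
    set comments "branch firewall"
end
"""

SHOW_KERNEL = """config system settings
    set opmode nat
    set default-voip-alg-mode kernel-helper-based
end
"""

SET_LINE = re.compile(r"^set\s+(\S+)\s+(.+?)\s*$")


def parse_system_settings(show_output):
    """Return {key: value} for every `set` line inside `config system settings`."""
    settings = {}
    in_block = False
    for raw in show_output.splitlines():
        line = raw.strip()
        if line == "config system settings":
            in_block = True
        elif in_block and line == "end":
            break
        elif in_block:
            m = SET_LINE.match(line)
            if m:
                settings[m.group(1)] = m.group(2).strip('"')
    return settings


def voip_alg_review(show_output, assumed_default="proxy-based"):
    """Report the effective VoIP ALG mode and whether it was set explicitly.

    Both modes still inspect SIP, so this surfaces the ALG for review
    rather than declaring either mode safe."""
    settings = parse_system_settings(show_output)
    explicit = "default-voip-alg-mode" in settings
    mode = settings.get("default-voip-alg-mode", assumed_default)
    note = ("ALG mode set explicitly" if explicit
            else "line absent: FortiOS default mode in effect")
    return {"mode": mode, "explicit": explicit, "note": note}


if __name__ == "__main__":
    for name, text in (("default", SHOW_DEFAULT), ("kernel", SHOW_KERNEL)):
        print(name, voip_alg_review(text))
```

Feed it the saved output of "show system settings" from each firewall; an absent line is the case this post hit, and it means the ALG is still in its default mode, not disabled.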
https://samy.pl/slipstream/
https://github.com/samyk/slipstream
NAT Slipstreaming exploits the user's browser in conjunction with the Application Level Gateway (ALG) connection tracking mechanism built into NATs, routers, and firewalls by chaining internal IP extraction via timing attack or WebRTC, automated remote MTU and IP fragmentation discovery, TCP packet size massaging, TURN authentication misuse, precise packet boundary control, and protocol confusion through browser abuse. As it's the NAT or firewall that opens the destination port, this bypasses any browser-based port restrictions.
This attack takes advantage of arbitrary control of the data portion of some TCP and UDP packets without including HTTP or other headers; the attack performs this new packet injection technique across all major modern (and older) browsers, and is a modernized version to my original NAT Pinning technique from 2010 (presented at DEFCON 18 + Black Hat 2010). Additionally, new techniques for local IP address discovery are included.
This attack requires the NAT/firewall to support ALG (Application Level Gateways), which are mandatory for protocols that can use multiple ports (control channel + data channel) such as SIP and H323 (VoIP protocols), FTP, IRC DCC, etc.
Rediscovering Limitations of Stateful Firewalls: "NAT Slipstreaming" - Implications, Detections and Mitigations
https://isc.sans.edu/forums/diary/Rediscovering+Limitations+of+Stateful+Firewalls+NAT+Slipstreaming+Implications+Detections+and+Mitigations/26766/
... verify if SIP ALG is supported and enabled. If there is no practical or business use for SIP ALG, it should be disabled.
References
New NAT/Firewall Bypass Attack Lets Hackers Access Any TCP/UDP Service
https://thehackernews.com/2020/11/new-natfirewall-bypass-attack-lets.html
Technical Tip: Disabling VoIP Inspection
https://kb.fortinet.com/kb/documentLink.do?externalID=FD36405
(Browsers) Add port 5060, 5061 to blocked port list - fixes #1108 #1109
https://github.com/whatwg/fetch/pull/1109
Fortinet: The SIP ALG
https://docs.fortinet.com/document/fortigate/6.0.0/Handbook/48607/the-sip-alg
Update