Wednesday, January 13, 2010

firewall-wizards Digest, Vol 45, Issue 5

Send firewall-wizards mailing list submissions to
firewall-wizards@listserv.icsalabs.com

To subscribe or unsubscribe via the World Wide Web, visit
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
or, via email, send a message with subject or body 'help' to
firewall-wizards-request@listserv.icsalabs.com

You can reach the person managing the list at
firewall-wizards-owner@listserv.icsalabs.com

When replying, please edit your Subject line so it is more specific
than "Re: Contents of firewall-wizards digest..."


Today's Topics:

1. Re: Hacker pierces hardware firewalls with web page. (ArkanoiD)
2. Re: Hacker pierces hardware firewalls with web page. (Jeff Jarmoc)
3. Re: Hacker pierces hardware firewalls with web page. (david@lang.hm)


----------------------------------------------------------------------

Message: 1
Date: Tue, 12 Jan 2010 20:08:50 +0300
From: ArkanoiD <ark@eltex.net>
Subject: Re: [fw-wiz] Hacker pierces hardware firewalls with web page.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <20100112170850.GA5736@eltex.net>
Content-Type: text/plain; charset=koi8-r

More likely iptables irc conntrack module which is pretty dumb ;-)

On Tue, Jan 12, 2010 at 10:56:16AM +0300, Farrukh Haroon wrote:
>
> Perhaps they are exploiting UPnP in some obscure way to achieve this?
> Regards
> Farrukh
> On Tue, Jan 12, 2010 at 5:51 AM, <[1]david@lang.hm> wrote:
>
> I've seen several other posts where people make use of browser
> exploits to trick the browser into submitting a form to the
> router/firewall, and if the router has the default password, the
> attacker can then configure the firewall any way they want.
> This sounds a little different. This sounds like it is exploiting
> standard protocols.
> With FTP the client connects to the server, then at the start of a
> file transfer the client tells the server what port to connect to
> on the client. A 'helpful' firewall will watch for this message and
> reconfigure itself to allow traffic to that port. IIRC for FTP this
> data connection is one-way (with acks flowing the other way), but
> with SIP the port is used for data in both directions.
> This sounds like the attacker is managing to use javascript to make
> a connection out that the firewall thinks is a protocol like this,
> and then by specifying the port they want to attack, tricking the
> firewall into opening that port up so that it can be attacked from
> the server the javascript connected to.
> David Lang
>
> On Fri, 8 Jan 2010, R. DuFresne wrote:
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> In reading this, I get the impression this is not a fault in the
> firewalls themselves, but more an issue with the configuration of
> firewalls having been 'tested' by this hacker. Am I wrong in
> reading this news in that fashion?::
> January 6, The Register - (International) Hacker pierces hardware
> firewalls with web page. On January 5, a hacker demonstrated a way
> to identify a browser's geographical location by exploiting
> weaknesses in many WiFi
> routers. Now, the same hacker is back with a simple method to
> penetrate hardware firewalls using little more than some javascript
> embedded in a webpage. By luring victims to a malicious link, the
> attacker can access
> virtually any service on their machine, even when it's behind
> certain routers that automatically block it to the outside world.
> The method has been tested on a Belkin N1 Vision Wireless router,
> and the hacker says he
> suspects other devices are also vulnerable. "What this means is I
> can penetrate their firewall/router and connect to the port that I
> specified, even though the firewall should never forward that
> port," the hacker told the Register. "This defeats that security by
> visiting a simple web page. No authentication, XSS, user input,
> etc. is required." The hacker's proof-of-concept page forces the
> visitor to submit a hidden form on port 6667, the standard port for
> internet relay chat. Using a hidden value, the form surreptitiously
> coerces the victim to establish a DCC, or direct client-to-client,
> connection. Vulnerable routers will then automatically forward DCC
> traffic to the victim's internal system, and using what's known as
> NAT traversal an attacker can access any port that's open on the
> local system. For the hack to work, the visitor must have an
> application such as file transfer protocol or session initiation
> protocol running on his machine. The hack does not guarantee an
> attacker will be able to compromise that service, but it does give
> the attacker the ability to probe it in the hope of finding a weak
> password or a vulnerability that will expose data or system
> resources. Source:
> [2]http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
> Thanks,
> Ron DuFresne
> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
> admin & senior security consultant: [3]sysinfo.com
> [4]http://sysinfo.com
> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0
> 6629
> These things happened. They were glorious and they changed the
> world...,
> and then we fucked up the endgame. --Charlie Wilson
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.5 (GNU/Linux)
> iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
> uZciRDQsRu1kZZQUZctPwmY=
> =KCsu
> -----END PGP SIGNATURE-----
> _______________________________________________
> firewall-wizards mailing list
> [5]firewall-wizards@listserv.icsalabs.com
> [6]https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> _______________________________________________
> firewall-wizards mailing list
> [7]firewall-wizards@listserv.icsalabs.com
> [8]https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
>
> References
>
> 1. mailto:david@lang.hm
> 2. http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
> 3. http://sysinfo.com/
> 4. http://sysinfo.com/
> 5. mailto:firewall-wizards@listserv.icsalabs.com
> 6. https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards
> 7. mailto:firewall-wizards@listserv.icsalabs.com
> 8. https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


------------------------------

Message: 2
Date: Tue, 12 Jan 2010 11:38:00 -0600
From: Jeff Jarmoc <jeff@jarmoc.com>
Subject: Re: [fw-wiz] Hacker pierces hardware firewalls with web page.
To: farrukhharoon@gmail.com, firewall-wizards@listserv.icsalabs.com
Message-ID:
<831b40be1001120938y5fc23b4dxe88247d47146195@mail.gmail.com>
Content-Type: text/plain; charset=ISO-8859-1

If it's what I think it is, it's much simpler than UPnP trickery.
While I can't be sure from the limited information in the article,
what they describe is very much like what's outlined on Samy Kamkar's
site: http://samy.pl/natpin

Also relevant is Dan Kaminsky's work he presented at CanSecWest 2009.
http://www.scribd.com/doc/13501365/Staring-Into-The-Abyss

-- Jeff Jarmoc


From: Farrukh Haroon <farrukhharoon () gmail com>
Date: Tue, 12 Jan 2010 10:56:16 +0300

Perhaps they are exploiting UPnP in some obscure way to achieve this?

Regards

Farrukh

On Tue, Jan 12, 2010 at 5:51 AM, <david () lang hm> wrote:


I've seen several other posts where people make use of browser exploits to
trick the browser into submitting a form to the router/firewall, and if the
router has the default password, the attacker can then configure the
firewall any way they want.

This sounds a little different. This sounds like it is exploiting standard
protocols.

With FTP the client connects to the server, then at the start of a file
transfer the client tells the server what port to connect to on the client.
A 'helpful' firewall will watch for this message and reconfigure itself to
allow traffic to that port. IIRC for FTP this data connection is one-way
(with acks flowing the other way), but with SIP the port is used for data in
both directions.

This sounds like the attacker is managing to use javascript to make a
connection out that the firewall thinks is a protocol like this, and then by
specifying the port they want to attack, tricking the firewall into opening
that port up so that it can be attacked from the server the javascript
connected to.

David Lang


On Fri, 8 Jan 2010, R. DuFresne wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

In reading this, I get the impression this is not a fault in the firewalls
themselves, but more an issue with the configuration of firewalls having
been 'tested' by this hacker. Am I wrong in reading this news in that
fashion?::

January 6, The Register - (International) Hacker pierces hardware
firewalls with web page. On January 5, a hacker demonstrated a way to
identify a browser's geographical location by exploiting weaknesses in many
WiFi routers. Now, the same hacker is back with a simple method to penetrate
hardware firewalls using little more than some javascript embedded in a
webpage. By luring victims to a malicious link, the attacker can access
virtually any service on their machine, even when it's behind certain
routers that automatically block it to the outside world. The method has
been tested on a Belkin N1 Vision Wireless router, and the hacker says he
suspects other devices are also vulnerable. "What this means is I can
penetrate their firewall/router and connect to the port that I specified,
even though the firewall should never forward that port," the hacker told
the Register. "This defeats that security by visiting a simple web page. No
authentication, XSS, user input, etc. is required." The hacker's
proof-of-concept page forces the visitor to submit a hidden form on port
6667, the standard port for internet relay chat. Using a hidden value, the
form surreptitiously coerces the victim to establish a DCC, or direct
client-to-client, connection. Vulnerable routers will then automatically
forward DCC traffic to the victim's internal system, and using what's known
as NAT traversal an attacker can access any port that's open on the local
system. For the hack to work, the visitor must have an application such as
file transfer protocol or session initiation protocol running on his
machine. The hack does not guarantee an attacker will be able to compromise
that service, but it does give the attacker the ability to probe it in the
hope of finding a weak password or a vulnerability that will expose data or
system resources. Source:
http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/


Thanks,


Ron DuFresne
- -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
admin & senior security consultant: sysinfo.com
http://sysinfo.com
Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629

These things happened. They were glorious and they changed the world...,
and then we fucked up the endgame. --Charlie Wilson
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)

iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
uZciRDQsRu1kZZQUZctPwmY=
=KCsu
-----END PGP SIGNATURE-----


------------------------------

Message: 3
Date: Tue, 12 Jan 2010 12:14:39 -0800 (PST)
From: david@lang.hm
Subject: Re: [fw-wiz] Hacker pierces hardware firewalls with web page.
To: Firewall Wizards Security Mailing List
<firewall-wizards@listserv.cybertrust.com>
Message-ID: <alpine.DEB.2.00.1001121057040.24130@asgard.lang.hm>
Content-Type: TEXT/Plain; format=flowed; charset=US-ASCII

I don't see any need for them to do anything like this. It seems far
simpler to me.

As an example:

To support FTP, packet-filter-based firewalls watch the data stream of any
connection going to port 21 for the string where the client tells the
server what IP and port to connect back to. The firewall then re-writes
the packet to an IP and port on the firewall, and sets up a NAT rule on
the firewall so that traffic from the server to that IP and port on the
firewall gets directed to the IP and port the client specified.

If javascript issues an HTTP request to port 21 on the bad guy's server and
in the request sends the string that the firewall is looking for, the
firewall will helpfully set up a NAT and allow that server to connect to a
port on the client as specified by the string that the javascript code
specified.

There is no need to exploit UPnP or anything other than the fact that the
firewall is watching for a specific string (without understanding and
enforcing the full protocol) and then opening up an incoming port.

SIP has similar features, but instead of running on a standard low port
that could be blocked by the browser, it is running on a high port that is
much more risky for the browser to block access to.

David Lang

On Tue, 12 Jan 2010, Farrukh Haroon wrote:

> Perhaps they are exploiting UPnP in some obscure way to achieve this?
>
> Regards
>
> Farrukh
>
> On Tue, Jan 12, 2010 at 5:51 AM, <david@lang.hm> wrote:
>
>> I've seen several other posts where people make use of browser exploits to
>> trick the browser into submitting a form to the router/firewall, and if the
>> router has the default password, the attacker can then configure the
>> firewall any way they want.
>>
>> This sounds a little different. This sounds like it is exploiting standard
>> protocols.
>>
>> With FTP the client connects to the server, then at the start of a file
>> transfer the client tells the server what port to connect to on the client.
>> A 'helpful' firewall will watch for this message and reconfigure itself to
>> allow traffic to that port. IIRC for FTP this data connection is one-way
>> (with acks flowing the other way), but with SIP the port is used for data in
>> both directions.
>>
>> This sounds like the attacker is managing to use javascript to make a
>> connection out that the firewall thinks is a protocol like this, and then by
>> specifying the port they want to attack, tricking the firewall into opening
>> that port up so that it can be attacked from the server the javascript
>> connected to.
>>
>> David Lang
>>
>>
>>
>>
>> On Fri, 8 Jan 2010, R. DuFresne wrote:
>>
>>> -----BEGIN PGP SIGNED MESSAGE-----
>>> Hash: SHA1
>>>
>>>
>>>
>>> In reading this, I get the impression this is not a fault in the firewalls
>>> themselves, but more an issue with the configuration of firewalls having
>>> been 'tested' by this hacker. Am I wrong in reading this news in that
>>> fashion?::
>>>
>>>
>>> January 6, The Register - (International) Hacker pierces hardware
>>> firewalls with web page. On January 5, a hacker demonstrated a way to
>>> identify a browser's geographical location by exploiting weaknesses in many
>>> WiFi
>>> routers. Now, the same hacker is back with a simple method to penetrate
>>> hardware firewalls using little more than some javascript embedded in a
>>> webpage. By luring victims to a malicious link, the attacker can access
>>> virtually any service on their machine, even when it's behind certain
>>> routers that automatically block it to the outside world. The method has
>>> been tested on a Belkin N1 Vision Wireless router, and the hacker says he
>>> suspects other devices are also vulnerable. "What this means is I can
>>> penetrate their firewall/router and connect to the port that I specified,
>>> even though the firewall should never forward that port," the hacker told
>>> the Register. "This defeats that security by visiting a simple web page. No
>>> authentication, XSS, user input, etc. is required." The hacker's
>>> proof-of-concept page forces the visitor to submit a hidden form on port
>>> 6667, the standard port for internet relay chat. Using a hidden value, the
>>> form surreptitiously coerces the victim to establish a DCC, or direct
>>> client-to-client, connection. Vulnerable routers will then automatically
>>> forward DCC traffic to the victim's internal system, and using what's known
>>> as NAT traversal an attacker can access any port that's open on the local
>>> system. For the hack to work, the visitor must have an application such as
>>> file transfer protocol or session initiation protocol running on his
>>> machine. The hack does not guarantee an attacker will be able to compromise
>>> that service, but it does give the attacker the ability to probe it in the
>>> hope of finding a weak password or a vulnerability that will expose data or
>>> system resources. Source:
>>> http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/
>>>
>>>
>>>
>>>
>>> Thanks,
>>>
>>>
>>> Ron DuFresne
>>> - -- ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
>>> admin & senior security consultant: sysinfo.com
>>> http://sysinfo.com
>>> Key fingerprint = 9401 4B13 B918 164C 647A E838 B2DF AFCC 94B0 6629
>>>
>>> These things happened. They were glorious and they changed the world...,
>>> and then we fucked up the endgame. --Charlie Wilson
>>> -----BEGIN PGP SIGNATURE-----
>>> Version: GnuPG v1.4.5 (GNU/Linux)
>>>
>>> iD8DBQFLR3qist+vzJSwZikRAotcAJ9fHEWAOm2N5xFKww7/wA9O+YYdeACfZUEZ
>>> uZciRDQsRu1kZZQUZctPwmY=
>>> =KCsu
>>> -----END PGP SIGNATURE-----
>>
>
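The point David makes in message 3 (and the one behind ArkanoiD's jab at the iptables IRC conntrack module in message 1) comes down to a single design question for any protocol "helper": does it grep the stream for a magic string, or does it parse the control channel as the protocol it claims to be handling? The simulation below is an added example written for this digest; it is not code from the thread, from netfilter, or from any firewall product. It models two toy FTP helpers over the same two flows: a conforming active-mode FTP session and a browser posting a hidden form to TCP/21 the way the thread describes. The addresses, the FTP dialogue, the HTTP request and the verb list are all constructed for the demonstration (the verb list is a subset of RFC 959 plus a few common extensions).

```python
# Toy FTP helper (ALG) simulation: added example, not code from the thread or any product.
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Client-to-server PORT command (RFC 959): PORT h1,h2,h3,h4,p1,p2
PORT_RE = re.compile(rb"PORT (\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})")
# Subset of RFC 959 verbs plus common extensions; a real helper carries the full list
FTP_VERBS = {b"USER", b"PASS", b"CWD", b"CDUP", b"QUIT", b"PORT", b"PASV", b"EPRT",
             b"EPSV", b"TYPE", b"MODE", b"RETR", b"STOR", b"LIST", b"NLST", b"NOOP",
             b"SYST", b"FEAT", b"PWD", b"SIZE", b"ABOR", b"DELE", b"REST", b"STAT"}


@dataclass(frozen=True)
class Pinhole:
    """Inbound rule the firewall would add: from_ip may connect to dst_ip:dst_port."""
    from_ip: str
    dst_ip: str
    dst_port: int


def parse_port_args(m) -> Tuple[str, int]:
    host = ".".join(m.group(i).decode() for i in range(1, 5))
    return host, int(m.group(5)) * 256 + int(m.group(6))


class NaiveFtpHelper:
    """Opens a pinhole for PORT-looking bytes anywhere in any client payload."""
    def __init__(self, client_ip: str, server_ip: str):
        self.client_ip, self.server_ip = client_ip, server_ip

    def server_data(self, payload: bytes) -> None:
        pass  # never looks at what the server says

    def client_data(self, payload: bytes) -> Optional[Pinhole]:
        m = PORT_RE.search(payload)
        if m is None:
            return None
        host, port = parse_port_args(m)
        return Pinhole(self.server_ip, host, port)


class StrictFtpHelper(NaiveFtpHelper):
    """Only helps a flow that has behaved like FTP from its first byte."""
    def __init__(self, client_ip: str, server_ip: str):
        super().__init__(client_ip, server_ip)
        self.banner_seen = False  # FTP servers greet with 220 before the client speaks
        self.disabled = False     # set once the flow is shown not to be FTP
        self.buf = b""

    def server_data(self, payload: bytes) -> None:
        if not self.banner_seen and payload.startswith(b"220"):
            self.banner_seen = True

    def client_data(self, payload: bytes) -> Optional[Pinhole]:
        if self.disabled:
            return None
        self.buf += payload
        opened = None
        while b"\r\n" in self.buf:
            line, self.buf = self.buf.split(b"\r\n", 1)
            verb = line.split(b" ", 1)[0].upper()
            if not self.banner_seen or verb not in FTP_VERBS:
                # Talking before the greeting, or a line like "POST / HTTP/1.1":
                # this is not an FTP client, so stop helping the flow for good.
                self.disabled = True
                return None
            m = PORT_RE.fullmatch(line)
            if m:
                host, port = parse_port_args(m)
                # Only pin a hole back to the client itself, never to a privileged port
                if host == self.client_ip and port >= 1024:
                    opened = Pinhole(self.server_ip, host, port)
        return opened


def run_flow(helper, exchange: List[Tuple[str, bytes]]) -> List[Pinhole]:
    """Feed (direction, payload) pairs through a helper; return the pinholes opened."""
    opened = []
    for direction, payload in exchange:
        if direction == "s2c":
            helper.server_data(payload)
        else:
            hole = helper.client_data(payload)
            if hole is not None:
                opened.append(hole)
    return opened


CLIENT, SERVER = "10.0.0.5", "198.51.100.7"  # constructed addresses
# Constructed: a conforming active-mode FTP dialogue (PORT 195,80 = port 50000)
FTP_FLOW = [("s2c", b"220 ftp ready\r\n"), ("c2s", b"USER anonymous\r\n"),
            ("s2c", b"331 send password\r\n"), ("c2s", b"PASS guest@example\r\n"),
            ("s2c", b"230 logged in\r\n"), ("c2s", b"PORT 10,0,0,5,195,80\r\n")]
# Constructed: a browser submitting a hidden form to TCP/21 on the "server"
BROWSER_FLOW = [("c2s", b"POST / HTTP/1.1\r\nHost: 198.51.100.7\r\n"
                        b"Content-Type: text/plain\r\nContent-Length: 20\r\n\r\n"
                        b"PORT 10,0,0,5,0,22\r\n")]


def demo() -> dict:
    return {"naive_ftp": run_flow(NaiveFtpHelper(CLIENT, SERVER), FTP_FLOW),
            "strict_ftp": run_flow(StrictFtpHelper(CLIENT, SERVER), FTP_FLOW),
            "naive_browser": run_flow(NaiveFtpHelper(CLIENT, SERVER), BROWSER_FLOW),
            "strict_browser": run_flow(StrictFtpHelper(CLIENT, SERVER), BROWSER_FLOW)}


if __name__ == "__main__":
    for name, holes in demo().items():
        print(f"{name:15s} -> {holes or 'no pinhole'}")
```

Run directly, both helpers open the expected pinhole to port 50000 for the genuine FTP session, but only the naive one opens a hole to port 22 on the inside host for the browser flow; the strict helper disables itself on the very first client line, because it arrived before any server greeting and "POST" is not an FTP verb. The two extra sanity checks (the PORT address must be the client's own, and the port must be unprivileged) are cheap and cut off the worst cases even when the parser is fooled. The same gate applies to an IRC helper: a DCC string should only be honoured on a flow that has first done the NICK/USER registration an IRC client performs, not on any DCC-looking bytes that happen to pass through port 6667.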


------------------------------

_______________________________________________
firewall-wizards mailing list
firewall-wizards@listserv.icsalabs.com
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards


End of firewall-wizards Digest, Vol 45, Issue 5
***********************************************
