Feeds

Hacker pierces hardware firewalls with web page

No interaction required

Providing a secure and efficient Helpdesk

On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."

Kamkar's proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system.

For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack doesn't guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.

"Most people have this false sense of security that 'well, I'm behind my router, nobody can connect to my ports,'" said Kamkar, the hacker behind the notorious Samy Worm that in 2005 took MySpace out of commission by adding more than 1 million friends to the author's account. "If you're going to keep a service open to the world, you'll probably have more upkeep" to make sure it's secure.

The problem is a hard one to solve, since NAT, short for network address translation, is included in many routers to give users a seamless experience when accessing a host of internet-based services and applications. The use of a software-based firewall on the client will help, but Kamkar warned that even then some ports may be accessible.

While Kamkar's proof-of-concept requires users to press a submit button, he said it's trivial to use javascript so no interaction is required after the page is visited.

Kamkar said he based his attack on IRC because many versions of Linux used to run routers support the protocol by default. He's based similar attacks on file transfer protocol and had success with both the Belkin and Airport Extreme routers and believes other services such SIP may work on those routers as well as other devices.

Your reporter was unable to get the IRC attack to work on a Netopia 3347-02, so mileage obviously varies. We're interested in hearing from Reg readers about what other routers are vulnerable. To test whether the attack can pierce your firewall, visit this page and specify the port of a service that's already running on your system. ®

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Shellshock: 'Larger scale attack' on its way, warn securo-bods
Not just web servers under threat - though TENS of THOUSANDS have been hit
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.