Feeds

Hacker pierces hardware firewalls with web page

No interaction required

Remote control for virtualized desktops

On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."

Kamkar's proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system.

For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack doesn't guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.

"Most people have this false sense of security that 'well, I'm behind my router, nobody can connect to my ports,'" said Kamkar, the hacker behind the notorious Samy Worm that in 2005 took MySpace out of commission by adding more than 1 million friends to the author's account. "If you're going to keep a service open to the world, you'll probably have more upkeep" to make sure it's secure.

The problem is a hard one to solve, since NAT, short for network address translation, is included in many routers to give users a seamless experience when accessing a host of internet-based services and applications. The use of a software-based firewall on the client will help, but Kamkar warned that even then some ports may be accessible.

While Kamkar's proof-of-concept requires users to press a submit button, he said it's trivial to use javascript so no interaction is required after the page is visited.

Kamkar said he based his attack on IRC because many versions of Linux used to run routers support the protocol by default. He's based similar attacks on file transfer protocol and had success with both the Belkin and Airport Extreme routers and believes other services such SIP may work on those routers as well as other devices.

Your reporter was unable to get the IRC attack to work on a Netopia 3347-02, so mileage obviously varies. We're interested in hearing from Reg readers about what other routers are vulnerable. To test whether the attack can pierce your firewall, visit this page and specify the port of a service that's already running on your system. ®

Remote control for virtualized desktops

More from The Register

next story
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
You stupid BRICK! PCs running Avast AV can't handle Windows fixes
Fix issued, fingers pointed, forums in flames
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
How to determine if cloud backup is right for your servers
Two key factors, technical feasibility and TCO economics, that backup and IT operations managers should consider when assessing cloud backup.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
The Heartbleed Bug: how to protect your business with Symantec
What happens when the next Heartbleed (or worse) comes along, and what can you do to weather another chapter in an all-too-familiar string of debilitating attacks?