Author Topic: Hacker pierces hardware firewalls with web page  (Read 4740 times)

0 Members and 1 Guest are viewing this topic.

Hermite15

  • Guest
Hacker pierces hardware firewalls with web page
« on: January 07, 2010, 03:41:24 PM »
http://www.theregister.co.uk/2010/01/06/web_based_firewall_attack/

Quote
On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."

Kamkar's proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system.

For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack doesn't guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.

Offline Shiw Liang

  • Avast Evangelist
  • Super Poster
  • ***
  • Posts: 1432
Re: Hacker pierces hardware firewalls with web page
« Reply #1 on: January 07, 2010, 04:03:30 PM »
Quote
On Tuesday, hacker Samy Kamkar demonstrated a way to identify a browser's geographical location by exploiting weaknesses in many WiFi routers. Now, he's back with a simple method to penetrate hardware firewalls using little more than some javascript embedded in a webpage.

By luring victims to a malicious link, the attacker can access virtually any service on their machine, even when it's behind certain routers that automatically block it to the outside world. The method has been tested on a Belkin N1 Vision Wireless router, and Kamkar says he suspects other devices are also vulnerable.

"What this means is I can penetrate their firewall/router and connect to the port that I specified, even though the firewall should never forward that port," Kamkar told El Reg. "This defeats that security by visiting a simple web page. No authentication, XSS, user input, etc. is required."

Kamkar's proof-of-concept page forces the visitor to submit a hidden form on port 6667, the standard port for internet relay chat. Using a hidden value, the form surreptitiously coerces the victim to establish a DCC, or direct client-to-client, connection. Vulnerable routers will then automatically forward DCC traffic to the victim's internal system, and using what's known as NAT traversal an attacker can access any port that's open on the local system.

For the hack to work, the visitor must have an application such as file transfer protocol or session initiation protocol running on his machine. The hack doesn't guarantee an attacker will be able to compromise that service, but it does give the attacker the ability to probe it in the hope of finding a weak password or a vulnerability that will expose data or system resources.
[/quote]
This hacker is quite a genius :)
But still it is scary that my computer got hacked :(

YoKenny

  • Guest
Re: Hacker pierces hardware firewalls with web page
« Reply #2 on: January 07, 2010, 04:12:49 PM »
Nothing exciting happened for me.   :)

Hermite15

  • Guest
Re: Hacker pierces hardware firewalls with web page
« Reply #3 on: January 07, 2010, 05:57:46 PM »
what do you guys think of this:
from hxxp://samy.pl/ (web site from the guy who demonstrated the hack)
see screenshot...

routers can be tested here:
hxxp://samy.pl/natpin/

so, concerning the screen shot and access to my local IP, it means the router was bypassed...and NoScript acted accordingly...

edit: added a pic after a reload of the page.

ps: no need to add I temporarily allowed javascript for that site to see the behavior
« Last Edit: January 07, 2010, 06:14:55 PM by Logos »

Hermite15

  • Guest
Re: Hacker pierces hardware firewalls with web page
« Reply #4 on: January 07, 2010, 06:04:18 PM »
after a reload, NS is not triggered anymore...  ???
edit: ns message appears again...well, when I disable the ns protection (access to local), I see no inbound connection, nor do I see anything blocked in CIS. I wouldn't mind a specialist to tell me what the site is attempting to do exactly and how...
« Last Edit: January 07, 2010, 06:10:44 PM by Logos »

Offline polonus

  • Avast Überevangelist
  • Probably Bot
  • *****
  • Posts: 33891
  • malware fighter
Re: Hacker pierces hardware firewalls with web page
« Reply #5 on: January 07, 2010, 09:11:25 PM »
Hi Logos,

Well actually I was reading your posts.
Just for the unaware browser user a la default ....Geo Location via Google..
For added security and location-exclusion by sites:
Using Geo-Location by default in Firefox...
Am I being tracked as I browse the web?

No. Firefox only requests a location when a website makes a request, and only shares your location when the user has approved the request. Firefox does not track or remember your location as you browse.
How do I undo a permission granted to a site?

If you've given Firefox permission to always give your location to a site and later change your mind, you can easily revoke that permission. Here's how:

    * Navigate to the site to which you've given permission
    * Go to the Tools menu, then select Page Info
    * Select the Permissions tab
    * Change the setting for Share Location

How do I clear the “random client identification number”?

    * Go to the Tools menu, then select Clear Recent History
    * Click the Details arrow
    * Ensure that Cookies is selected
    * Click on Clear Now

How do I turn off Location-Aware Browsing permanently?

Location-Aware Browsing is always opt-in in Firefox. No location information is ever sent without your permission. If you wish to disable the feature completely, please follow this set of steps:

    * In the URL bar, type about:config
    * Type geo.enabled
    * Double click on the geo.enabled preference
    * Location-Aware Browsing is now disabled

Well they all say the advanced web technology that came to our browsers is compliant to their privacy regulations, but who are they - who is observing the rules and who is not...
And the tricks that samy has up his sleeve - NS and RP see to that security wise, if RequestPolicy is on and does not allow requests from samy's page(s) I get a big blank....

MacAfee's site advisor flags Samy's pages red- WOT has not heard about it apparently...and gives it the all green..

polonus

P.S.  Privacy-friendlier search-engines: Scroogle, IxQuick and startpage.com


Cybersecurity is more of an attitude than anything else. Avast Evangelists.

Use NoScript, a limited user account and a virtual machine and be safe(r)!

Hermite15

  • Guest
Re: Hacker pierces hardware firewalls with web page
« Reply #6 on: January 07, 2010, 10:16:35 PM »
Hi again  ;)

Quote
And the tricks that samy has up his sleeve - NS and RP see to that security wise, if RequestPolicy is on and does not allow requests from samy's page(s) I get a big blank....

As said I was concerned with this guy attempting to hack routers from his site, and access the systems behind. And I did allow javascript purposely, otherwise I got that blank you had too, with NS only, but I wanted to see how it operates, and still, NS had another tool to block it, regarding access to the local network. I got to say NoScript amazes me more and more everyday.

 ps: I tried Request Policy, sounds good but I had the feeling it was sort of duplicating NoScript actions. Same for Ghostery. They're both good but NS seems to do such a good job already, if you got the two others loaded you're bound to allow things three times...As to FF settings, I knew all that for a while  ;)

edit: oh btw I got geolocation set to "ask", the default, and I've never been prompted to answer a request of that kind...

 thanks for the feedback Polonus  ;)
« Last Edit: January 07, 2010, 10:21:15 PM by Logos »