Published a new version of the attack NAT slipstreaming , allowing to establish a network connection from the attacker’s server to any UDP or TCP port on the system of the user who opened the web page prepared by the attacker in the browser. The attack allows the attacker to send any data to any user port, regardless of the use of the victim’s internal address range (192.168.xx, 10.xxx) on the victim’s system, access to the network from which is directly closed and is possible only through an address translator.
How it works. The new version of the NAT slipstreaming attack (CVE-2021-23961, CVE-2020-16043) is identical to the original method, the differences are reduced to the use of other protocols that are processed by the ALG (Application Level Gateways) connection tracking mechanism to organize forwarding through an address translator or firewall. In the first variant of the attack, to deceive ALG, manipulation of the SIP protocol was used, which uses several network ports (one for data and the other for control). The second option allows for similar manipulations with the VoIP protocol H.323, which uses TCP port 1720.
In addition, the second version offers a technique for bypassing the blacklisting of ports that are not allowed for use with the TURN (Traversal Using Relays around NAT), which is used in WebRTC to communicate between two hosts behind different NATs. TURN connections in WebRTC can be established by browsers not only for UDP, but also over TCP, and addressed to any network TCP port. This feature allows you to apply the NAT slipstreaming attack not only to H.323, but also to any other combined protocols, such as FTP and IRC, which are included in the list of ports that are not allowed to access via HTTP, but are not included in the list of prohibited ports for TURN. The method also allows you to bypass the protection added to browsers against the first NAT slipstreaming attack, which is based on denying HTTP requests to port 5060 (SIP).
This issue has been fixed in recent releases of Firefox 85, Chrome 87.0.4280.141, Edge 87.0.664.75, and Safari 14.0.3. In addition to the network ports associated with the H.323 protocol, browsers are also blocked from sending HTTP, HTTPS and FTP requests to TCP ports 69, 137, 161 and 6566.
In the Linux kernel, the ALG conntrack module functionality in netfilter has been disabled by default since release 4.14, i.e. By default, address translators based on fresh Linux kernels are not affected by this issue.