Port Shadow Attack Lets You Hijack VPN, Wi-Fi Connections

A New Attack Technique “Port Shadow” Discovered by Researchers

A group of researchers from Canadian and American universities developed an attack technique known as Port Shadow, which manipulates the network address translation (NAT) table on the VPN server side. This manipulation can cause responses to requests from one user to be delivered to another user connected through the same VPN server. The method can be used to intercept or redirect encrypted traffic, port-scan other clients, and deanonymize VPN users. For instance, it can redirect a victim's DNS queries through the VPN server to a host controlled by the attacking user.

To carry out this attack, the attacker must be able to connect to the same VPN server as the victim, which is feasible with typical commercial or public VPN services that serve a broad audience. The vulnerability affects VPN servers that use NAT to give clients access to external resources, where the same public IP address is used both to receive traffic from clients and to send requests to external sites on their behalf.

The attack works by sending specially crafted packets that allow an attacker connected to the same VPN server to manipulate its NAT table. As a result, packets addressed to one user can be redirected to another. By sending forged SYN and ACK packets and manipulating connections between the client, the VPN server, and an external server, the attacker creates a conflict in the NAT table so that responses meant for the victim are delivered to the attacker's address instead.
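To make the NAT-table conflict concrete, here is a simplified Python model added to this article; it is not code from the researchers and does not reproduce their actual packet sequences. It assumes a port-preserving NAT that keys its bindings by public port only (so two clients claiming the same source port collide), an attacker who already knows the victim's source port, and placeholder addresses for the VPN clients (10.8.0.2, 10.8.0.3), the server's public IP (203.0.113.10) and an external resolver (192.0.2.53). A second NAT that keys bindings by the full (remote address, remote port, public port) tuple and refuses to overwrite another client's binding is included as the check a practitioner would want: with it, the reply goes back to the victim.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PortOnlyNat:
    """Simplified port-preserving NAT whose bindings are keyed by the public
    port alone. A later outbound flow that reuses the same source port
    silently replaces the earlier client's binding (the conflict the page
    describes), so the external reply is delivered to the wrong client."""

    def __init__(self, public_ip):
        self.public_ip = public_ip
        self.bindings = {}  # public_port -> (client_ip, client_port)

    def outbound(self, pkt):
        # Port-preserving: the public port equals the client's source port.
        self.bindings[pkt.src_port] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        client = self.bindings.get(pkt.dst_port)
        if client is None:
            return None  # no binding, packet dropped
        return Packet(pkt.src_ip, pkt.src_port, client[0], client[1])


class TupleNat:
    """NAT keyed by (remote_ip, remote_port, public_port). A binding owned by
    another client is never overwritten; the conflicting flow is given a
    fresh public port instead, so the victim keeps receiving its replies."""

    def __init__(self, public_ip, ephemeral_start=50000):
        self.public_ip = public_ip
        self.bindings = {}  # (remote_ip, remote_port, public_port) -> (client_ip, client_port)
        self.next_port = ephemeral_start

    def outbound(self, pkt):
        pub_port = pkt.src_port
        key = (pkt.dst_ip, pkt.dst_port, pub_port)
        owner = self.bindings.get(key)
        if owner is not None and owner != (pkt.src_ip, pkt.src_port):
            # Collision with a different client: allocate a new public port.
            pub_port = self.next_port
            self.next_port += 1
            key = (pkt.dst_ip, pkt.dst_port, pub_port)
        self.bindings[key] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, pub_port, pkt.dst_ip, pkt.dst_port)

    def inbound(self, pkt):
        client = self.bindings.get((pkt.src_ip, pkt.src_port, pkt.dst_port))
        if client is None:
            return None
        return Packet(pkt.src_ip, pkt.src_port, client[0], client[1])


# Constructed placeholder addresses for the scenario (assumptions, not from the page).
VICTIM, ATTACKER, RESOLVER, PUBLIC_IP = "10.8.0.2", "10.8.0.3", "192.0.2.53", "203.0.113.10"


def run_scenario(nat):
    """Victim sends a DNS query; the attacker, a client of the same VPN server,
    sends a flow with the same source port to the same resolver. Returns the
    VPN client that receives the resolver's reply."""
    victim_query = nat.outbound(Packet(VICTIM, 40000, RESOLVER, 53))
    nat.outbound(Packet(ATTACKER, 40000, RESOLVER, 53))  # attacker reuses the victim's port
    reply = Packet(RESOLVER, 53, victim_query.src_ip, victim_query.src_port)
    delivered = nat.inbound(reply)
    return delivered.dst_ip


if __name__ == "__main__":
    print("port-only NAT delivers reply to:", run_scenario(PortOnlyNat(PUBLIC_IP)))  # attacker
    print("tuple-keyed NAT delivers reply to:", run_scenario(TupleNat(PUBLIC_IP)))  # victim
```

The model deliberately abstracts away how the attacker learns or forces the victim's source port; in the real technique that is what the crafted SYN and ACK packets are for, and the attacker's success depends on the specific NAT implementation and its connection-tracking rules.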

