NAT Slipstreaming: Visiting Malicious Site Exposes Access To Local Network (samy.pl)
Security researcher Samy Kamkar's multi-stage "NAT Slipstreaming" attack uses web browsers such as Chrome to load malicious code that discovers the victim machine's internal IP address via the Web Real Time Communications (WebRTC) protocol. For browsers that don't reveal IP addresses via WebRTC, like Apple's Safari, or that don't support the protocol at all, such as Microsoft Internet Explorer 11, a web-based TCP timing attack is used instead to map the victim's internal network.
The attack makes use of a commonly deployed "feature", enabled by default on most routers, called NAT ALG (Application Level Gateway): the gateway implements "just enough" of a protocol such as SIP to open arbitrary ports and forward them back to an internal machine.
Kamkar's attack has the victim's browser send a crafted SIP packet carrying the victim's internal LAN IP address. The gateway's ALG connection tracking acts on that packet, allowing the attacker to reach any TCP or UDP port on the victim's machine from outside.
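To make the ALG behaviour concrete, here is an added, deliberately simplified model of a SIP ALG (this is illustrative code written for this page, not Kamkar's tooling or any router's firmware). It assumes a gateway that inspects outbound traffic to port 5060, parses only the Contact header of a SIP REGISTER, and trusts whatever internal address and port that header names. The addresses, packets and the `contact_mismatch` heuristic are constructed for the example; the heuristic is a plausible anomaly check, not a documented mitigation.

```python
# Added example: a toy SIP Application Level Gateway (ALG) showing how "just
# enough SIP" in a NAT device turns a REGISTER message into a port forward.
# Not from samy.pl; all addresses and packets below are constructed.
import re
from dataclasses import dataclass
from typing import Optional

GATEWAY_WAN_IP = "203.0.113.5"   # constructed, RFC 5737 documentation range
LAN_PREFIX = "192.168.1."        # constructed internal network
SIP_PORT = 5060

# Matches e.g. "Contact: <sip:user@192.168.1.20:5060>"
CONTACT_RE = re.compile(
    r"^Contact:\s*<sip:[^@]*@(\d+\.\d+\.\d+\.\d+):(\d+)>", re.M)


@dataclass(frozen=True)
class NatMapping:
    """A hole the ALG punched: WAN port -> internal ip:port."""
    wan_port: int
    lan_ip: str
    lan_port: int


def sip_alg_process(src_ip: str, dst_port: int, payload: bytes,
                    next_wan_port: int) -> Optional[NatMapping]:
    """Model of the ALG hook on outbound LAN traffic.

    If a packet from the LAN goes to the SIP port and starts with REGISTER,
    the gateway opens a WAN port and forwards it to the address:port named in
    the Contact header. The gateway never checks that the Contact port has
    anything to do with the socket the packet was sent from."""
    if not src_ip.startswith(LAN_PREFIX) or dst_port != SIP_PORT:
        return None
    text = payload.decode("ascii", errors="replace")
    if not text.startswith("REGISTER "):
        return None
    m = CONTACT_RE.search(text)
    if not m:
        return None
    contact_ip, contact_port = m.group(1), int(m.group(2))
    if not contact_ip.startswith(LAN_PREFIX):
        return None  # ALGs only rewrite addresses that need translating
    return NatMapping(next_wan_port, contact_ip, contact_port)


def contact_mismatch(src_ip: str, src_port: int, mapping: NatMapping) -> bool:
    """Heuristic (an assumption of this example): a genuine SIP client
    registers the socket it is sending from, so a Contact header that names
    a different port on the sending host is worth flagging."""
    return mapping.lan_ip == src_ip and mapping.lan_port != src_port


def build_register(lan_ip: str, port: int) -> bytes:
    """Constructed minimal SIP REGISTER with the given Contact address."""
    return (
        "REGISTER sip:" + GATEWAY_WAN_IP + " SIP/2.0\r\n"
        "Via: SIP/2.0/TCP " + lan_ip + ":" + str(port) + "\r\n"
        "From: <sip:user@" + lan_ip + ">\r\n"
        "Contact: <sip:user@" + lan_ip + ":" + str(port) + ">\r\n"
        "\r\n"
    ).encode()


if __name__ == "__main__":
    victim = "192.168.1.20"
    # Legitimate softphone: sends from 5060 and registers 5060.
    benign = sip_alg_process(victim, SIP_PORT, build_register(victim, SIP_PORT), 40000)
    # Slipstream-style message: sent from a browser's ephemeral port, but the
    # Contact header names an unrelated service (port 22 here) on the victim.
    hostile = sip_alg_process(victim, SIP_PORT, build_register(victim, 22), 40001)
    print("benign mapping :", benign, "flagged:", contact_mismatch(victim, SIP_PORT, benign))
    print("hostile mapping:", hostile, "flagged:", contact_mismatch(victim, 51234, hostile))
```

Run stand-alone, the script shows the gateway creating a WAN-port mapping to 192.168.1.20:22 purely because the victim's own host emitted a REGISTER naming that port; the attacker then only has to connect to the gateway's WAN port. The real attack additionally has to get the browser to place the SIP text at a TCP segment boundary, which this model does not cover.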
"[An] attacker can now bypass victim NAT and connect directly back to any port on [the] victim's machine, exposing previously protected/hidden services," Kamkar wrote.
Visiting a malicious website in a modern browser is all that is needed to expose an internal machine.