Security Installer Community

NAT "Slipstream" exploit


It's not necessarily just a browser issue; as I understand it, JavaScript via a browser is just an easier way to execute it.

In summary, it finds the internal IP of the browsing computer via WebRTC. If WebRTC is not available, a TCP timing attack is performed to detect valid subnets, trying to establish the machine's internal IP.
Used in conjunction with "an abuse of the TURN authentication mechanism causing IP packets to overflow" a valid SIP registration connection is requested.
The SIP connection request tricks ALG in the router to open a requested port for the attacker to exploit further. The router will now forward any port requested by the attacker who now has access via the compromised PC.

A simple solution would be to disable JavaScript in your browser, but so much of the web uses scripts that this wouldn't be viable for most.
Disabling WebRTC from within your browser would be one way to limit your private IP being broadcast to the internet but this exploit employs other methods to try and establish this information.
Disabling ALG on your router (normally under NAT) for example should stop it completely, however you may have issues with routing SIP connections or other services that require ALG like RTSP.

It may also be possible that the ALG implementation in affected routers could be patched somehow. The proof of concept was on a Netgear R7000; not sure if testing has been done on every brand. Something to keep an eye on.


According to the developer:-


Ideally ALGs become disabled by default and browsers restrict ALG-specific ports for all outbound socket features they support other than necessary (for example, allow SIP via WebRTC, but not HTTP, HTTPS, FTP, STUN, TURN, TURNS, etc)



Agreed, but it looks like the initial exploit is from a bad website or an ad within a legit site. That then runs the code (based on the browser, and as the developer is on Apple, Safari was tested hard). I see how the scan of local IPs works, based on seeing what responds time-wise. I assume this attack is primarily looking for ways into the host machine; do you think it could be used to attack anything on the local subnet?

  • Like 1

securitywarehouse https://www.securitywarehouse.co.uk

Trade Members please contact us for your TSI vetted trade discount.


That's the most worrying thing: yes, it can be an external source; it could in theory be a legit site that has loaded a bad advert via a third party.

Safari's WebRTC support is limited, so this is where the "scanning" of the local network was required. I read it that the timing attack would be done on any browser if WebRTC didn't give out the IP. The exploit needs to know the browsing computer's private IP to start the attack and make it look like a SIP request to trigger ALG. This timing attack method takes time, so I would expect to see a delay in website/pages loading.

If successful, it would provide access to anything on that subnet behind the firewall; beyond that, it would depend on what's on the subnet that can be accessed from that PC.


I see what you mean: if things could be done in the browsers, this would roll out to people pretty quickly. Disabling settings in the router or any patching/upgrading of firmware is very unlikely to be done by the average person and would take a while to get released.

I would say for now disabling ALG if you don't need it would be sensible, though.





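A defender-side check for the traffic pattern discussed in this thread, as an added example that is not from any poster or from the exploit's developer: it flags outbound streams to the SIP port that begin as HTTP, and escalates when a later segment starts with a SIP request line. It assumes the ALG watches TCP 5060 and inspects each packet on its own; the addresses, host names and labels are constructed for illustration.

```python
import re

SIP_PORT = 5060  # assumption: the router's SIP ALG watches this TCP port

# A request line at the very start of a TCP payload, for each protocol.
SIP_LINE = re.compile(rb"(REGISTER|INVITE|OPTIONS|SUBSCRIBE) sips?:\S+ SIP/2\.0\r\n")
HTTP_LINE = re.compile(rb"(GET|POST|PUT|HEAD|OPTIONS) \S+ HTTP/1\.[01]\r\n")


def classify_stream(dst_port, segments):
    """Label one outbound TCP stream.

    segments: client-to-server payloads in order, one bytes object per segment.
    """
    if dst_port != SIP_PORT or not segments:
        return "ignore"
    starts_as_http = HTTP_LINE.match(segments[0]) is not None
    sip_starts = [i for i, seg in enumerate(segments) if SIP_LINE.match(seg)]
    if starts_as_http and sip_starts:
        return "alert"    # SIP request line on a segment boundary inside a web request
    if starts_as_http:
        return "review"   # a browser has no reason to speak HTTP to the SIP port
    if sip_starts and sip_starts[0] == 0:
        return "sip"      # stream opens with SIP, as a real SIP client would
    return "unknown"


def scan(streams):
    """streams: iterable of (src_ip, dst_port, segments) -> list of (src_ip, label)."""
    return [(src, classify_stream(port, segs)) for src, port, segs in streams]


# Constructed sample captures (not real traffic); names use a reserved test domain.
SAMPLE_STREAMS = [
    ("192.168.1.20", 5060, [b"POST /form HTTP/1.1\r\nHost: site.example.test:5060\r\n\r\n" + b"x" * 64,
                            b"REGISTER sip:site.example.test SIP/2.0\r\n\r\n"]),
    ("192.168.1.21", 5060, [b"GET / HTTP/1.1\r\nHost: site.example.test:5060\r\n\r\n"]),
    ("192.168.1.30", 5060, [b"REGISTER sip:pbx.example.test SIP/2.0\r\nCSeq: 1 REGISTER\r\n\r\n"]),
    ("192.168.1.40", 443, [b"\x16\x03\x01"]),
]

if __name__ == "__main__":
    for src, label in scan(SAMPLE_STREAMS):
        print(src, label)
```

Feed it reassembled client-to-server payloads from a capture taken on the LAN side of the router; a "review" or "alert" from a workstation that runs no SIP software is worth following up.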
