NAT Pinning false positive?

Discussions about the Application Boundaries Enforcer (ABE) module
barbaz
Senior Member
Posts: 11064
Joined: Sat Aug 03, 2013 5:45 pm

NAT Pinning false positive?

Post by barbaz »

When trying to stream an online radio station, it failed because the stream was being blocked by the NAT Pinning rule. Here are the messages from the Error Console:

[ABE] <^https?://[^/]+:[0-35-7]> Deny on {GET http://206.190.136.141:3726/Live <<<  - 12}
USER rule:
Site ^https?://[^/]+:[0-35-7]
Deny

[ABE] <^https?://[^/]+:[0-35-7]> Deny on {GET http://206.190.136.141:3726/Live/;stream.nsv <<<  - 12}
USER rule:
Site ^https?://[^/]+:[0-35-7]
Deny

Is this a false positive, or will my computer (or worse, router) get pwned if I make an exception?
(How safe is it to "just try it" in a (non-isolated) Linux VM?)

EDIT Turns out there are actually a lot of radio streams (all on different ports) that the NAT Pinning Rule is blocking, but I just hadn't realized until now why they weren't working...
*Always* check the changelogs BEFORE updating that important software!
Mozilla/5.0 (X11; Linux i686; rv:25.0) Gecko/20100101 Firefox/25.0 SeaMonkey/2.22.1
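Added example (not code from the thread or from NoScript): a Python check of the quoted USER rule against the two stream URLs from the Error Console output plus constructed URLs, showing why port 3726 is denied (the character class constrains only the first digit of the port, so every port beginning with 0-3 or 5-7 matches) and how a host-specific Accept placed before the Deny exempts just that station. The first-match ruleset ordering in `evaluate` and the `denied_ports` helper are assumptions of this example, not ABE's own implementation.

```python
import re

# Constructed request URLs: the first two are the ones from the Error Console lines
# above, the rest are made up to show the rule's boundaries.
REQUESTS = [
    "http://206.190.136.141:3726/Live",
    "http://206.190.136.141:3726/Live/;stream.nsv",
    "http://example.test:6667/",        # IRC-style port, the kind the rule is aimed at
    "http://example.test:8000/stream",  # first digit 8 is outside [0-35-7]: not matched
    "http://example.test/noport",       # no explicit port: not matched
]

# The USER rule quoted in the thread. An ABE Site expression starting with '^' is a
# regular expression tested against the request URL; only the port's FIRST digit is
# constrained, which is why 3726 (first digit 3) is denied.
NAT_PINNING_SITE = r"^https?://[^/]+:[0-35-7]"


def site_matches(site_regex: str, url: str) -> bool:
    """Test an ABE regex Site expression against a URL (re.match anchors at the start)."""
    return re.match(site_regex, url) is not None


def denied_ports(site_regex: str, urls) -> list:
    """Return the explicit ports of the URLs the Site expression matches (None = no port)."""
    out = []
    for url in urls:
        if site_matches(site_regex, url):
            m = re.match(r"^https?://[^/:]+:(\d+)", url)
            out.append(int(m.group(1)) if m else None)
    return out


def evaluate(rules, url: str) -> str:
    """Simplified ruleset model (assumption of this example): the first rule whose
    Site matches decides; with no match the request is let through."""
    for site, action in rules:
        if site_matches(site, url):
            return action
    return "Accept"


# A narrow exception: accept only the station host and port from the thread, placed
# before the general Deny so the rest of the NAT pinning protection stays in force.
RULES_WITH_EXCEPTION = [
    (r"^http://206\.190\.136\.141:3726/", "Accept"),
    (NAT_PINNING_SITE, "Deny"),
]

if __name__ == "__main__":
    print("ports denied by the rule:", denied_ports(NAT_PINNING_SITE, REQUESTS))
    for url in REQUESTS:
        print(evaluate(RULES_WITH_EXCEPTION, url), url)
```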
Thrawn
Master Bug Buster
Posts: 3106
Joined: Mon Jan 16, 2012 3:46 am
Location: Australia

Re: NAT Pinning false positive?

Post by Thrawn »

Yeah, non-standard services are likely to use non-standard ports. If you use a lot of them, you might need to disable the NAT pinning rule.

It may be worth checking whether your router is vulnerable to the original problem.
======
Thrawn
------------
Religion is not the opium of the masses. Daily life is the opium of the masses.

True religion, which dares to acknowledge death and challenge the way we live, is an attempt to wake up.
Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:25.0) Gecko/20100101 Firefox/25.0
barbaz

Re: NAT Pinning false positive?

Post by barbaz »

Wow, topic reply notifications are slow. (<-- Fixed, thanks)

It's a really old router and the sysadmin said it's probably vulnerable to this exploit. So three questions regarding consequences of not using the NAT Pinning rule:
1) Is VLC media player (on Ubuntu 12.04) a potential vector for this attack?
2) If an attack website succeeds and I leave the site or quit the browser, will the router then close the port?
3) Is it a bad idea to trust streams that I could previously get but switched providers and/or ports?
Thrawn

Re: NAT Pinning false positive?

Post by Thrawn »

barbaz wrote: 1) Is VLC media player (on Ubuntu 12.04) a potential vector for this attack?
Does it listen on a network port? If so, then someone could try to attack it.
barbaz wrote: 2) If an attack website succeeds and I leave the site or quit the browser, will the router then close the port?
"Succeeds" in doing what, exactly? Making a single NAT connection? Locating and connecting to a running service on your machine? Compromising that service to install malware?
barbaz wrote: 3) Is it a bad idea to trust streams that I could previously get but switched providers and/or ports?
I'm not sure what dangers there may or may not be from the streams themselves, sorry.

Sounds like it might be safest to just write exceptions...you can ask if you need help with that, but I'm guessing you'll be fine :).
barbaz

Re: NAT Pinning false positive?

Post by barbaz »

Thrawn wrote:
barbaz wrote: 1) Is VLC media player (on Ubuntu 12.04) a potential vector for this attack?
Does it listen on a network port? If so, then someone could try to attack it.
I don't think it would have any reason to do that. I meant, can it submit forms as described on the PoC page? If not, NoScript without the rule should be sufficient protection on script-forbidden stream pages (I can write a temporary exception to download a ram file, then stream that in VLC).
Thrawn wrote:
2) If an attack website succeeds and I leave the site or quit the browser, will the router then close the port?
"Succeeds" in doing what, exactly? Making a single NAT connection? Locating and connecting to a running service on your machine? Compromising that service to install malware?
I meant open a port on the router. I've disabled the services I could find on this computer that listen for incoming connections. And since my Mac acts as a router for my VMs, could the port also open on my Mac, potentially resulting in an attack compromising my Mac, or will the traffic just hit the OS X firewall or forward to the VM (where it would be blocked)?
Thrawn wrote:
3) Is it a bad idea to trust streams that I could previously get but switched providers and/or ports?
I'm not sure what dangers there may or may not be from the streams themselves, sorry.
That most of them are being played through Flash, and I'm stuck on major version 11.2 on all my machines? Otherwise I know less than you do on that front.
Thrawn

Re: NAT Pinning false positive?

Post by Thrawn »

barbaz wrote: 1) Is VLC media player (on Ubuntu 12.04) a potential vector for this attack?
...I meant, can it submit forms as described on the PoC page? If not, NoScript without the rule should be sufficient protection on script-forbidden stream pages (I can write a temporary exception to download a ram file, then stream that in VLC).
I'm not sure exactly what it can do, but generally native code can do pretty much whatever it wants.

However, I wouldn't think that radio streams normally execute active content. I think the author of the stream would have to find a way to compromise VLC (like a buffer overflow) to make it attempt this.
barbaz wrote: I've disabled the services I could find on this computer that listen for incoming connections.
Then you're probably OK. What services, if any, are still listening?

Remember, all this does is allow the attacker to begin an assault on something that would normally be unreachable behind your router. It doesn't automatically compromise your machine. So, if nothing is listening, then they can successfully begin an assault on a brick wall.
barbaz wrote: And since my Mac acts as a router for my VMs, could the port also open on my Mac, potentially resulting in an attack compromising my Mac, or will the traffic just hit the OS X firewall or forward to the VM (where it would be blocked)?
I'm pretty sure it would forward to the VM. I'm not a network specialist, though.
barbaz wrote: That most of them are being played through Flash, and I'm stuck on major version 11.2 on all my machines? Otherwise I know less than you do on that front.
I guess this is back to the core NoScript question of "Which sites should I trust?"
barbaz

Re: NAT Pinning false positive?

Post by barbaz »

Thanks Thrawn for helping me understand this.
Thrawn wrote:I wouldn't think that radio streams normally execute active content. I think the author of the stream would have to find a way to compromise VLC (like a buffer overflow) to make it attempt this.
Correct, and I doubt they're even expecting VLC in my case because I use RealMedia streams whenever possible. So I'll assume I'm safe there. Awesome.
Thrawn wrote:What services, if any, are still listening?
According to nmap: on TCP, none; on UDP, just zeroconf (which isn't vulnerable to this issue anyway, right?).

I still have two concerns though:
- If I access an attack website, could the opened port in the router allow an attacker access to other machines behind the router, or do they only get to see this one?
- Other than powering off the router, is there a way to close the router's opened port on my side?
Thrawn

Re: NAT Pinning false positive?

Post by Thrawn »

barbaz wrote:Thanks Thrawn for helping me understand this.
You're welcome :). It wouldn't hurt to get a second opinion, though; routers aren't my specialty.
barbaz wrote: - If I access an attack website, could the opened port in the router allow an attacker access to other machines behind the router, or do they only get to see this one?
I think it applies only to the machine you're using. Remember, the router is doing this deliberately because it *thinks* that you're trying to initiate an IRC connection.
barbaz wrote: - Other than powering off the router, is there a way to close the router's opened port on my side?
I'm not sure; it would depend on the router.
barbaz

Re: NAT Pinning false positive?

Post by barbaz »

Thrawn wrote:It wouldn't hurt to get a second opinion, though; routers aren't my specialty.
Unless someone like GµårÐïåñ or Giorgio responds saying you're wrong, I trust you on this. :) Sounds like we should be fine as long as I'm careful about writing exceptions and I use VLC media player to play streams on oddball ports when possible. Thanks again.