Exploiting Sequence Number Leakage: TCP Hijacking in NAT-Enabled Wi-Fi Networks
arXiv (2024)
Abstract
In this paper, we uncover a new side-channel vulnerability arising from the
widely used NAT port preservation strategy and the insufficient reverse path
validation of Wi-Fi routers. It allows an off-path attacker to infer whether a
victim client in the same network is communicating over TCP with a given host
on the Internet. After detecting the presence of a TCP connection between the
victim client and the server, the attacker can evict the original NAT mapping
and construct a new one at the router by sending forged TCP packets, because
the routers disable TCP window tracking, a behaviour that has been faithfully
implemented in most routers for years. In this way, the attacker can intercept
TCP packets from the server and obtain the current sequence and acknowledgment
numbers, which in turn allows the attacker to forcibly close the connection,
poison plaintext traffic, or reroute the server's incoming packets to the
attacker. We test 67 widely used routers from
30 vendors and discover that 52 of them are affected by this attack. Also, we
conduct an extensive measurement study on 93 real-world Wi-Fi networks. The
experimental results show that 75 of the evaluated Wi-Fi networks (81%) are
fully vulnerable to our attack. Our case study shows that it takes about 17.5,
19.4, and 54.5 seconds on average to terminate an SSH connection, download
private files from FTP servers, and inject fake HTTP response packets with
success rates of 87.4
vulnerability and suggest mitigation strategies to all affected vendors and
have received positive feedback, including acknowledgments, CVEs, rewards, and
adoption of our suggestions.
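The abstract names three router properties that together make the attack possible: source-port preservation in NAT, weak reverse path validation, and disabled TCP window tracking. The following audit script is an added example, not tooling from the paper, and the page does not state the authors' exact mitigation advice; the mapping of each weakness onto a Linux knob (`net.ipv4.conf.all.rp_filter`, `net.netfilter.nf_conntrack_tcp_be_liberal`, and the `--random`/`--random-fully` option of the `MASQUERADE`/`SNAT` targets) is this example's own assumption for a Linux-based router. It parses constructed `sysctl -a` and `iptables-save` text and reports which of the three properties are in their weak state.

```python
"""Audit a Linux-based router's NAT and conntrack settings for the three
weaknesses named in the abstract.  Added example; not the paper's code.
Which knob corresponds to which weakness is an assumption made here."""

import re

# Kernel knobs (assumed relevant) and the value a hardened router should show.
# rp_filter: 1 = strict reverse path validation, 2 = loose, 0 = none.
# nf_conntrack_tcp_be_liberal: 0 = out-of-window TCP segments are dropped,
#   1 = they are accepted, which effectively disables window tracking.
EXPECTED = {
    "net.ipv4.conf.all.rp_filter": ("1", "strict reverse path validation"),
    "net.netfilter.nf_conntrack_tcp_be_liberal": ("0", "TCP window tracking"),
}


def parse_sysctl(text):
    """Turn `sysctl -a` output ('key = value' per line) into a dict."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^\s*([\w./-]+)\s*=\s*(.*?)\s*$", line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings


def check_sysctl(settings):
    """Report each expected knob that is missing or in its weak state."""
    findings = []
    for key, (want, what) in EXPECTED.items():
        have = settings.get(key)
        if have is None:
            findings.append(f"{key}: not present ({what} cannot be confirmed)")
        elif have != want:
            findings.append(f"{key}={have}: {what} weakened (expected {want})")
    return findings


def check_nat_rules(iptables_save_text):
    """Flag MASQUERADE/SNAT rules that keep the client's source port.
    --random or --random-fully on the target picks a random external port
    instead of preserving the internal one (assumed mitigation)."""
    findings = []
    for line in iptables_save_text.splitlines():
        if ("-j MASQUERADE" in line or "-j SNAT" in line) and "--random" not in line:
            findings.append(f"port-preserving NAT rule: {line.strip()}")
    return findings


def audit(sysctl_text, nat_text):
    """Combine both checks; an empty list means nothing weak was found."""
    return check_sysctl(parse_sysctl(sysctl_text)) + check_nat_rules(nat_text)


# Constructed sample input resembling a stock consumer router configuration.
WEAK_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 0
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 1
"""
WEAK_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
"""

# Constructed sample after hardening the same three settings.
HARDENED_SYSCTL = """\
net.ipv4.conf.all.rp_filter = 1
net.ipv4.ip_forward = 1
net.netfilter.nf_conntrack_tcp_be_liberal = 0
"""
HARDENED_NAT = """\
*nat
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE --random-fully
COMMIT
"""

if __name__ == "__main__":
    for label, s, n in (("weak", WEAK_SYSCTL, WEAK_NAT),
                        ("hardened", HARDENED_SYSCTL, HARDENED_NAT)):
        print(f"{label}: {audit(s, n) or ['no findings']}")
```

On a real router the two inputs come from `sysctl -a` and `iptables-save -t nat`; a clean result from this script only means the three assumed knobs are set, not that a given firmware is unaffected, since the paper tests vendor firmware whose internals this page does not describe.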