FTP-NAT - Results
How much of a threat is this?
Well, it basically means that anyone who can lure you into visiting his website (even through framed or inlined ads, but not through IMG ads) can bypass the protection your NAT device is supposed to give.
I therefore consider the problem to be about as dangerous as the WMF exploit
from December 2005.
Exploiting it requires user interaction (visiting a website - there
is no way for fully automatic compromise like with Blaster) but the
user has no indication of any suspicious activity.
What can I do?
- Close down these ports if you don't need them.
  www.ntsvcfg.de and www.dingens.org contain tools and advice on how to do this for Windows.
  If you are running Unix you probably know how to do that.
- Deactivate the active-FTP-NAT-helper, if your device supports this option.
- Employ the packet filtering rules of your device to deny access to
  ports that carry internal services.
  Note that the test server will connect from port 20, as an FTP server would. However, a rogue server might not do so, so don't filter on that.
- Employ a local packet filter on your machine to deny access to these ports.
- Disable Java and all other plugins that might be running untrusted
code and might be able to open a network connection to an external
server, even if it is only to the server the plugin came from.
Any such subsystem is potentially dangerous.
I assume at least Flash should be vulnerable too. Maybe someone
would like to write an equivalent flash?
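
The packet-filter advice above, as an added example that is not part of the original page: a small Python audit of `iptables-save` output that reports internal ports left without an unconditional deny and rules that depend on the remote source port. It assumes a Linux gateway whose FORWARD chain does the filtering; the sample rules, the interface name and the port list are constructed for illustration.

```python
import shlex

# Constructed sample of `iptables-save` output for a NAT gateway (not from the page).
SAMPLE_RULES = """\
*filter
:FORWARD DROP [0:0]
-A FORWARD -i eth0 -p tcp -m tcp --dport 445 -j DROP
-A FORWARD -i eth0 -p tcp -m tcp --sport 20 --dport 139 -j DROP
-A FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -i eth0 -p tcp -m tcp --dport 135 -j DROP
COMMIT
"""

# Assumed set of TCP ports that carry internal services; adjust to your network.
INTERNAL_PORTS = {135, 139, 445}

def ports_of(spec):
    """Expand '445', '135:139' or '135,139,445' into a set of ints."""
    out = set()
    for part in spec.split(","):
        lo, _, hi = part.partition(":")
        out.update(range(int(lo), int(hi or lo) + 1))
    return out

def audit(rules_text, internal_ports):
    """Return (unprotected_ports, rules_matching_on_source_port)."""
    protected, sport_rules, related_seen = set(), [], False
    for line in rules_text.splitlines():
        tok = shlex.split(line)
        if tok[:2] != ["-A", "FORWARD"] or "-j" not in tok:
            continue
        target = tok[tok.index("-j") + 1]
        if target == "ACCEPT" and any("RELATED" in t for t in tok):
            related_seen = True  # first match wins: later denies never see helper-opened flows
            continue
        dopt = next((o for o in ("--dport", "--dports") if o in tok), None)
        if target not in ("DROP", "REJECT") or dopt is None or "tcp" not in tok:
            continue
        if "--sport" in tok or "--sports" in tok:
            sport_rules.append(line)  # a rogue server need not connect from port 20
            continue
        if not related_seen:
            protected |= ports_of(tok[tok.index(dopt) + 1])
    return set(internal_ports) - protected, sport_rules

if __name__ == "__main__":
    missing, by_sport = audit(SAMPLE_RULES, INTERNAL_PORTS)
    print("internal ports without an unconditional deny:", sorted(missing))
    for rule in by_sport:
        print("depends on the remote source port:", rule)
```
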
Which devices are vulnerable?
I've made up a list of devices as reported by users of this test.