This is very cool, but it seems like it requires an egregious router bug. Why would a router consider a packet to be a legitimate SIP REGISTER when it occurs as part of a TCP connection which has already carried an HTTP header?

Is the story here that ALG is a crude hack, which works by naively looking at each packet, without trying to parse the whole stream, and so is vulnerable to this kind of confusion? If so, there are presumably endless varieties of ways to fool it.



Use guesswork parsing, get egregious bugs. The most popular and probably the most useful guesswork parser is the 'file' utility. When it was used as part of a printing pipeline it caused the hilarious "OpenOffice doesn't print on Tuesdays" bug.


I'm not sure how much has changed in the last 10 years, but when I did lots of VoIP work then, the consensus in many places was "every ALG is broken, start by disabling ALG". SIP is complicated in unexpected places and even with the best intentions ALGs broke packets by rewriting wrong parts or making header formats invalid.

But specifically regarding your question, SIP looks like HTTP. Same structure / similar response codes. They probably didn't want to write a very strict SIP detector and ended up checking "looks like a verb + destination + headers? Good enough". Or maybe it's to support HTTP proxies where an HTTP CONNECT session can turn into SIP-over-TCP? (Never seen that in practice, but I guess it's possible.)

Or maybe it's just that the ALG processing is per-packet, not per-session? Who knows. Just log in to your router and turn off ALG. Your SIP phone most likely already knows how to deal with NAT using STUN/TURN.


It's not smuggling a SIP session request via HTTP headers - even if it didn't look anything like HTTP it would be vulnerable to this attack, because the controlled fragment is arbitrary binary data from their POST body. The problem is the router's firmware doing detection on each packet without checking that the fragment offset is 0 first.
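The per-packet layout assumption described above, as an added illustration that is not part of the thread or of any router firmware: a naive inspector treats every packet as "IP header + TCP header + application data", so on a non-first fragment (which carries no TCP header) it is really reading body bytes, while the hardened version refuses to classify anything whose fragment offset is not 0. Packet bytes, addresses and ports are all constructed for the example.

```python
import struct

IP_HLEN = 20
TCP_HLEN = 20

def build_ipv4(payload: bytes, frag_offset: int, more_fragments: bool) -> bytes:
    """Constructed minimal IPv4 header (proto 6 = TCP) in front of payload.
    frag_offset is in 8-byte units, exactly as encoded on the wire."""
    flags_frag = (0x2000 if more_fragments else 0) | (frag_offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IP_HLEN + len(payload), 0x1234,
                      flags_frag, 64, 6, 0, bytes([192, 168, 1, 10]),
                      bytes([203, 0, 113, 5]))
    return hdr + payload

def build_tcp(payload: bytes) -> bytes:
    """Constructed 20-byte TCP header (data offset 5, no options) plus payload."""
    hdr = struct.pack("!HHIIBBHHH", 40000, 5060, 1, 1, 5 << 4, 0x18, 65535, 0, 0)
    return hdr + payload

def fragment_offset(pkt: bytes) -> int:
    return struct.unpack("!H", pkt[6:8])[0] & 0x1FFF

SIP_METHODS = (b"REGISTER sip:", b"INVITE sip:")

def naive_alg_sees_sip(pkt: bytes) -> bool:
    """Per-packet guesswork as the thread describes: assume every packet holds
    IP + TCP headers and test whether the bytes after them look like SIP."""
    return pkt[IP_HLEN + TCP_HLEN:].startswith(SIP_METHODS)

def hardened_alg_sees_sip(pkt: bytes) -> bool:
    """Same test, but only a first fragment (offset 0) actually contains the
    TCP header; in any later fragment those 20 bytes are application data."""
    if fragment_offset(pkt) != 0:
        return False
    return naive_alg_sees_sip(pkt)

# Constructed samples. A genuine SIP REGISTER at the start of a TCP segment:
SIP_FIRST = build_ipv4(build_tcp(b"REGISTER sip:pbx.example SIP/2.0\r\n"), 0, True)
# First fragment of an ordinary HTTP request:
HTTP_FIRST = build_ipv4(build_tcp(b"POST /upload HTTP/1.1\r\n"), 0, True)
# Non-first fragment (offset 8 -> byte 64 of the datagram): no TCP header,
# only body bytes; the 20 the naive parser skips over are plain filler.
BODY_LATER = build_ipv4(b"A" * 20 + b"REGISTER sip:pbx.example SIP/2.0\r\n", 8, False)

if __name__ == "__main__":
    for name, pkt in [("SIP_FIRST", SIP_FIRST), ("HTTP_FIRST", HTTP_FIRST), ("BODY_LATER", BODY_LATER)]:
        print(name, "naive:", naive_alg_sees_sip(pkt), "hardened:", hardened_alg_sees_sip(pkt))
```

Only BODY_LATER separates the two checks: the naive inspector classifies it as SIP, the hardened one does not.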


I didn't say it relies on HTTP headers. Just made a guess on what the ALG may be doing. Yeah - it's broken with fragmentation, and possibly in other ways too.


SIP ALG is just another reason that IPv6 needs to be everywhere. It is a nightmare to deal with.


Most any real SIP deployment needs to consider users that are behind NATs without ALG anyway, so SIP ALG is basically worthless.


> Is the story here that ALG is a crude hack, which works by naively looking at each packet, without trying to parse the whole stream, and so is vulnerable to this kind of confusion? If so, there are presumably endless varieties of ways to fool it.

Yes, ALGs basically try to understand the protocol while implementing as little of it as possible. They are likely always broken in some way, and there is almost always a better way to solve the problem they attempt to solve.

