In this paper, we uncover a new side-channel vulnerability arising from the widely used NAT port preservation strategy and the insufficient reverse path validation of Wi-Fi routers. It allows an off-path attacker to infer whether a victim client in the same network is communicating over TCP with another host on the Internet. After detecting a TCP connection between the victim client and the server, the attacker can evict the original NAT mapping and reconstruct a new one at the router by sending forged TCP packets; this is possible because routers disable TCP window tracking, a choice that has been faithfully implemented in most routers for years. The attacker can thereby intercept TCP packets from the server and learn the current sequence and acknowledgment numbers, which in turn lets the attacker forcibly close the connection, poison plaintext traffic, or reroute the server's incoming packets to the attacker. We test 67 widely used routers from 30 vendors and find that 52 of them are affected by this attack. We also conduct an extensive measurement study of 93 real-world Wi-Fi networks; the results show that 75 of them (81%) are fully vulnerable to our attack. Our case study shows that it takes about 17.5, 19.4, and 54.5 seconds on average to terminate an SSH connection, download private files from FTP servers, and inject fake HTTP response packets, with success rates of 87.4%, 82.6%, and 76.1%, respectively. We responsibly disclosed the vulnerability and suggested mitigation strategies to all affected vendors and have received positive feedback, including acknowledgments, CVEs, rewards, and adoption of our suggestions.
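The abstract attributes the attack to two router-side conditions, disabled TCP window tracking and weak reverse path validation. The following audit script is an added example, not part of the paper or its artifacts; it assumes a Linux/netfilter-based router (OpenWrt-style, with a `br-lan` LAN bridge) where those conditions map to the `nf_conntrack_tcp_be_liberal` and `rp_filter` sysctls, and it parses constructed `sysctl` output so it runs offline.

```shell
#!/bin/sh
# Added example (not from the paper): audit a Linux/netfilter router for the two
# conditions named in the abstract. Assumptions: conntrack-based NAT, the sysctl
# names below, and a LAN bridge called br-lan (OpenWrt convention).

# Constructed sample of `sysctl` output from a router shipping the weak settings.
SAMPLE_WEAK='net.netfilter.nf_conntrack_tcp_be_liberal = 1
net.ipv4.conf.all.rp_filter = 0
net.ipv4.conf.br-lan.rp_filter = 0'

# Constructed sample from the same router after hardening.
SAMPLE_HARDENED='net.netfilter.nf_conntrack_tcp_be_liberal = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.br-lan.rp_filter = 1'

# get_key "<sysctl text>" <key>  -> prints the value, or "missing" if absent.
get_key() {
    printf '%s\n' "$1" | awk -v k="$2" \
        '$1 == k { print $3; found = 1 } END { if (!found) print "missing" }'
}

# audit_router "<sysctl text>" -> prints one "WEAK: ..." line per finding.
# A missing key is reported as weak, since the protection cannot be confirmed.
audit_router() {
    liberal=$(get_key "$1" net.netfilter.nf_conntrack_tcp_be_liberal)
    if [ "$liberal" != "0" ]; then
        # be_liberal=1 accepts out-of-window TCP segments, i.e. window tracking
        # is effectively off and forged segments can drive conntrack state.
        echo "WEAK: nf_conntrack_tcp_be_liberal=$liberal (TCP window tracking disabled)"
    fi
    for key in net.ipv4.conf.all.rp_filter net.ipv4.conf.br-lan.rp_filter; do
        rpf=$(get_key "$1" "$key")
        if [ "$rpf" != "1" ]; then
            # rp_filter=1 (strict) drops LAN-side packets whose source address
            # would be routed out via the WAN, which spoofed server packets are.
            echo "WEAK: $key=$rpf (strict reverse path validation off)"
        fi
    done
}

# Stand-alone run against the constructed weak sample.
audit_router "$SAMPLE_WEAK"
# On the router itself (assumes sysctl is present):
# audit_router "$(sysctl net.netfilter.nf_conntrack_tcp_be_liberal net.ipv4.conf.all.rp_filter net.ipv4.conf.br-lan.rp_filter)"
```

Note that rp_filter takes the maximum of the `all` and per-interface values, so both must be checked; a value of 2 (loose mode) is reported as weak here because loose mode does not reject a spoofed source that is reachable via any interface.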