thr3ads.net - Shorewall announce - [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle) [Aug 2003]

If this information is useful, please help other people find it:
Share via:

Netfilter Core Team

2003-Aug-02 14:34 UTC

[SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)

--7ZAtKRhVyVSsbBD2
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

                  Netfilter Core Team Security Advisory
                 =20
                           CVE: CAN-2003-0467

Subject:

  Netfilter / NAT Remote DoS

Released:

  01 Aug 2003

Effects:

  Under limited circumstances, a remote user may be able to crash a
  machine doing Network Address Translation (NAT).

Estimated Severity:

  Medium.

Systems Affected:

  Linux 2.4.20 kernels and recent 2.5 kernels with
  CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled, or the
  ip_nat_ftp or ip_nat_irc modules loaded, on which ftp and irc users
  are not packet filtered out.

Solution:

  BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below.

  OR: As a workaround, the modules can be removed, or iptables can
  be used to block untrusted users from initiating ftp or irc
  connections through the NAT machine.

Details:

  This was verified by Rusty Russell on 2.4.20, and verified fixed
  with this patch.

Vendor Statement:

  Red Hat: All of the 2.4.20-based kernels shipped by Red Hat already
           contain the patch and are not vulnerable to this issue.
  Others:  unknown

Credits:
  The problem was found, and the fix implemented by the Netfilter Core Team.

Contact:
  coreteam@netfilter.org

diff -urpN --exclude TAGS -X
/home/rusty/devel/kernel/kernel-patches/current-dontdiff --minimal
linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c
working-2.4.21-pre7-sackadjust/net/ipv4/netfilter/ip_nat_helper.c
--- linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c	2003-04-06
15:26:48.000000000 +1000
+++ working-2.4.21-pre7-sackadjust/net/ipv4/netfilter/ip_nat_helper.c	2003-04-14
23:18:38.000000000 +1000
@@ -366,54 +365,49 @@ sack_adjust(struct tcphdr *tcph,=20
 }
 		=09
=20
-/* TCP SACK sequence number adjustment, return 0 if sack found and adjusted */
-static inline int
+/* TCP SACK sequence number adjustment. */
+static inline void
 ip_nat_sack_adjust(struct sk_buff *skb,
-			struct ip_conntrack *ct,
-			enum ip_conntrack_info ctinfo)
+		   struct ip_conntrack *ct,
+		   enum ip_conntrack_info ctinfo)
 {
-	struct iphdr *iph;
 	struct tcphdr *tcph;
-	unsigned char *ptr;
-	int length, dir, sack_adjusted =3D 0;
+	unsigned char *ptr, *optend;
+	unsigned int dir;
=20
-	iph =3D skb->nh.iph;
-	tcph =3D (void *)iph + iph->ihl*4;
-	length =3D (tcph->doff*4)-sizeof(struct tcphdr);
+	tcph =3D (void *)skb->nh.iph + skb->nh.iph->ihl*4;
+	optend =3D (unsigned char *)tcph + tcph->doff*4;
 	ptr =3D (unsigned char *)(tcph+1);
=20
 	dir =3D CTINFO2DIR(ctinfo);
=20
-	while (length > 0) {
-		int opcode =3D *ptr++;
+	while (ptr < optend) {
+		int opcode =3D ptr[0];
 		int opsize;
=20
 		switch (opcode) {
 		case TCPOPT_EOL:
-			return !sack_adjusted;
+			return;
 		case TCPOPT_NOP:
-			length--;
+			ptr++;
 			continue;
 		default:
-			opsize =3D *ptr++;
-			if (opsize > length) /* no partial opts */
-				return !sack_adjusted;
+			opsize =3D ptr[1];
+			 /* no partial opts */
+			if (ptr + opsize > optend || opsize < 2)
+				return;
 			if (opcode =3D=3D TCPOPT_SACK) {
 				/* found SACK */
 				if((opsize >=3D (TCPOLEN_SACK_BASE
 					       +TCPOLEN_SACK_PERBLOCK)) &&
 				   !((opsize - TCPOLEN_SACK_BASE)
 				     % TCPOLEN_SACK_PERBLOCK))
-					sack_adjust(tcph, ptr-2,
+					sack_adjust(tcph, ptr,
 						    &ct->nat.info.seq[!dir]);
-			=09
-				sack_adjusted =3D 1;
 			}
-			ptr +=3D opsize-2;
-			length -=3D opsize;
+			ptr +=3D opsize;
 		}
 	}
-	return !sack_adjusted;
 }
=20
 /* TCP sequence number adjustment */

--
- Harald Welte <laforge@netfilter.org>            
http://www.netfilter.org/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
  "Fragmentation is like classful addressing -- an interesting early
   architectural error that shows how much experimentation was going
   on while IP was being designed."                    -- Paul Vixie

--7ZAtKRhVyVSsbBD2
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2 (GNU/Linux)

iD8DBQE/K8vpNfqJzMqajVsRAuIqAKCackGU/IeQsPjPkOi5Yy237ccQFACfYEIW
8L8yUtqjWrWQC2zFJAvILXU=Cro8
-----END PGP SIGNATURE-----

--7ZAtKRhVyVSsbBD2--

Tom Eastep

2003-Aug-03 18:05 UTC

head link

[Shorewall-users] Fwd: [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)

FYI for those of you running 2.4.20 Kernels.

------- Forwarded message -------
From: Netfilter Core Team <coreteam@netfilter.org>
To: Netfilter Announcement List <netfilter-announce@lists.netfilter.org>, 
Netfilter Mailinglist <netfilter@lists.netfilter.org>, Netfilter 
Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK 
mangle)
Date: Sat, 2 Aug 2003 16:34:17 +0200
> Netfilter Core Team Security Advisory
> CVE: CAN-2003-0467
>
> Subject:
>
> Netfilter / NAT Remote DoS
>
> Released:
>
> 01 Aug 2003
>
> Effects:
>
> Under limited circumstances, a remote user may be able to crash a
> machine doing Network Address Translation (NAT).
>
> Estimated Severity:
>
> Medium.
>
> Systems Affected:
>
> Linux 2.4.20 kernels and recent 2.5 kernels with
> CONFIG_IP_NF_NAT_FTP or CONFIG_IP_NF_NAT_IRC enabled, or the
> ip_nat_ftp or ip_nat_irc modules loaded, on which ftp and irc users
> are not packet filtered out.
>
> Solution:
>
> BEST: Upgrade to Linux kernels 2.4.21 (stable), or apply the patch below.
>
> OR: As a workaround, the modules can be removed, or iptables can
> be used to block untrusted users from initiating ftp or irc
> connections through the NAT machine.
>
> Details:
>
> This was verified by Rusty Russell on 2.4.20, and verified fixed
> with this patch.
>
> Vendor Statement:
>
> Red Hat: All of the 2.4.20-based kernels shipped by Red Hat already
> contain the patch and are not vulnerable to this issue.
> Others:  unknown
>
> Credits:
> The problem was found, and the fix implemented by the Netfilter Core 
> Team.
>
> Contact:
> coreteam@netfilter.org
>
> diff -urpN --exclude TAGS -X /home/rusty/devel/kernel/kernel- 
> patches/current-dontdiff --minimal linux-2.4.21- 
> pre7/net/ipv4/netfilter/ip_nat_helper.c working-2.4.21-pre7- 
> sackadjust/net/ipv4/netfilter/ip_nat_helper.c
> --- linux-2.4.21-pre7/net/ipv4/netfilter/ip_nat_helper.c	2003-04-06 
> 15:26:48.000000000 +1000
> +++ working-2.4.21-pre7- 
> sackadjust/net/ipv4/netfilter/ip_nat_helper.c	2003-04-14 
> 23:18:38.000000000 +1000
> @@ -366,54 +365,49 @@ sack_adjust(struct tcphdr *tcph, }
> 			
> -/* TCP SACK sequence number adjustment, return 0 if sack found and 
> adjusted */
> -static inline int
> +/* TCP SACK sequence number adjustment. */
> +static inline void
> ip_nat_sack_adjust(struct sk_buff *skb,
> -			struct ip_conntrack *ct,
> -			enum ip_conntrack_info ctinfo)
> +		   struct ip_conntrack *ct,
> +		   enum ip_conntrack_info ctinfo)
> {
> -	struct iphdr *iph;
> 	struct tcphdr *tcph;
> -	unsigned char *ptr;
> -	int length, dir, sack_adjusted = 0;
> +	unsigned char *ptr, *optend;
> +	unsigned int dir;
> -	iph = skb->nh.iph;
> -	tcph = (void *)iph + iph->ihl*4;
> -	length = (tcph->doff*4)-sizeof(struct tcphdr);
> +	tcph = (void *)skb->nh.iph + skb->nh.iph->ihl*4;
> +	optend = (unsigned char *)tcph + tcph->doff*4;
> 	ptr = (unsigned char *)(tcph+1);
> 	dir = CTINFO2DIR(ctinfo);
> -	while (length > 0) {
> -		int opcode = *ptr++;
> +	while (ptr < optend) {
> +		int opcode = ptr[0];
> 		int opsize;
> 		switch (opcode) {
> 		case TCPOPT_EOL:
> -			return !sack_adjusted;
> +			return;
> 		case TCPOPT_NOP:
> -			length--;
> +			ptr++;
> 			continue;
> 		default:
> -			opsize = *ptr++;
> -			if (opsize > length) /* no partial opts */
> -				return !sack_adjusted;
> +			opsize = ptr[1];
> +			 /* no partial opts */
> +			if (ptr + opsize > optend || opsize < 2)
> +				return;
> 			if (opcode == TCPOPT_SACK) {
> 				/* found SACK */
> 				if((opsize >= (TCPOLEN_SACK_BASE
> 					       +TCPOLEN_SACK_PERBLOCK)) &&
> 				   !((opsize - TCPOLEN_SACK_BASE)
> 				     % TCPOLEN_SACK_PERBLOCK))
> -					sack_adjust(tcph, ptr-2,
> +					sack_adjust(tcph, ptr,
> 						    &ct->nat.info.seq[!dir]);
> -				
> -				sack_adjusted = 1;
> 			}
> -			ptr += opsize-2;
> -			length -= opsize;
> +			ptr += opsize;
> 		}
> 	}
> -	return !sack_adjusted;
> }
> /* TCP sequence number adjustment */
>
> --
> - Harald Welte <laforge@netfilter.org>             
> http://www.netfilter.org/
>
============================================================================
>
>
> "Fragmentation is like classful addressing -- an interesting early
> architectural error that shows how much experimentation was going
> on while IP was being designed."                    -- Paul Vixie
>


-- 
Tom Eastep    \ Shorewall - iptables made easy
Shoreline,     \ http://shorewall.net
Washington USA  \ teastep@shorewall.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: attachment127.dat
Type: application/octet-stream
Size: 195 bytes
Desc: not available
Url :
http://lists.shorewall.net/pipermail/shorewall-users/attachments/20030803/4657842e/attachment127.obj

Possibly Parallel Threads

Search for more seemingly similar threads

Shorewall announce - Aug 2003 - [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)

[SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)

[Shorewall-users] Fwd: [SECURITY] Netfilter Security Advisory: NAT Remote DOS (SACK mangle)

Possibly Parallel Threads