---------- Forwarded Message ----------
Subject: Security Advisory
Date: Wed, 8 May 2002 16:07:05 +0200
From: Harald Welte <laforge@gnumonks.org>
To: netfilter-announce@lists.samba.org
Cc: Netfilter Mailinglist <netfilter@lists.samba.org>, Netfilter
Development Mailinglist <netfilter-devel@lists.samba.org>
Hi!
Unfortunately there is a very unpopular announcement to be made on this
list: A netfilter security advisory.
Philippe Biondi has been reporting this bug and preparing the advisory,
the [still preliminary] solution is by Rusty Russell and James Morris.
--
Live long and prosper
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
-------------------------------------------------------
--
Tom Eastep \ Shorewall -- iptables made easy
teastep@shorewall.net \ http://www.shorewall.net
Attachment 1: advisory
----------------------------------------------------------------------
Cartel Sécurité --- Security Advisory
Advisory Number: CARTSA-20020402
Subject: Linux Netfilter NAT/ICMP code information leak
Author: Philippe Biondi <biondi@cartel-securite.fr>
Discovered: 2002, April 2
Published: Not yet
----------------------------------------------------------------------
NOTE: Do not release in public before May 8, 2002.
Problem description
====================
The following bug exists in the netfilter NAT implementation: when the
first packet of a connection hits a NAT rule, and this packet causes the
NAT box itself to reply with an ICMP error message, the inner IP packet
quoted inside the ICMP error message is not un-NATed correctly. This
makes it possible to discover which ports of a host are NATed and where
the packet will really go. It can also lead to those ICMP error packets
being dropped by stateful firewalls that do not recognize the related
connection.
Vulnerable versions
====================
All kernel patches from iptables packages < iptables-1.2.6a are vulnerable.
All kernel versions >= 2.4.4 and up to (at least) 2.4.19-pre6 use a
vulnerable version.
Vendor status
==============
The netfilter team has solved this bug with a patch that has been refused
for inclusion in the Linux kernel. They are working on a new patch.
Solutions
==========
* Use the attached patch
* Upgrade your kernel using the patch at
  http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
  (link active starting with May 8)
* Use a workaround until the final solution to this bug is implemented
  and included in the Linux kernel source
Workarounds
============
Filter out untracked local packets:
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
Example
========
Let's take a machine (172.16.1.40) that DNATs port 666 to 172.16.3.26:22:

iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to 172.16.3.26:22

Then if a host sends a packet that will die on 172.16.1.40:

hping -t 1 --syn -p 666 172.16.1.40

This is the ICMP packet we'll get from 172.16.1.40:
17:07:46.709230 172.16.1.40 > 172.16.1.28: icmp: time exceeded in-transit
0x0000 45c0 0044 eaa6 0000 ff01 75f1 ac10 0128        E..D......u....(
0x0010 ac10 0118 0b00 516d 0000 0000 4500 0028        ......Qm....E..(
0x0020 b0f3 0000 0106 ac8a ac10 0118 ac10 031a <-+    ................
0x0030 04bd 0016 3206 3ec0 0490 00b4 5002 0200   |    ....2.>.....P...
0x0040 d6b2 0000                                 |    ....
                                                 | 172.16.3.26
                                                 +-- port 22
You can also try a patch to nmap that does this and much more:
http://www.cartel-info.fr/pbiondi/nmap/
# ./nmap -sS -P0 xxx.xxx.xxx.xxx -p 22,23,666,667 -t 9
Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
Interesting ports on xxx.xxx.xxx.xxx:
Port State Service
22/tcp open ssh
23/tcp filtered telnet
666/tcp UNfiltered unknown DNAT to 192.168.8.10:22
667/tcp UNfiltered unknown DNAT to 192.168.26.10:22
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
----------------------------------------------------------------------
Copyright (c) Cartel Sécurité
This document is copyrighted. It can't be edited nor republished
without explicit consent of Cartel Sécurité.
For more information, feel free to contact us.
http://securite.cartel-securite.fr/
----------------------------------------------------------------------
--
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94 Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
Attachment 2: 2.4.19-pre6_icmp-nat.patch
diff -urN linux-2.4.19-pre6.orig/include/linux/skbuff.h
linux-2.4.19-pre6-nf-01/include/linux/skbuff.h
--- linux-2.4.19-pre6.orig/include/linux/skbuff.h Sun Apr 7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/include/linux/skbuff.h Fri Apr 12 00:52:31 2002
@@ -1144,6 +1144,17 @@
if (nfct)
atomic_inc(&nfct->master->use);
}
+static inline struct nf_ct_info *
+skb_nf_ct(struct sk_buff *skb)
+{
+ return skb->nfct;
+}
+#else
+static inline struct nf_ct_info *
+skb_nf_ct(struct sk_buff *skb)
+{
+ return NULL;
+}
#endif
=20
#endif /* __KERNEL__ */
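Review bot: the `+#else` at the end of this hunk pairs with a conditional that lies outside the three lines of leading context, so a reader of the patch cannot see which `#ifdef` it belongs to; please include more context or name the condition in a comment. The new `skb_nf_ct()` accessor also has no comment saying that it returns the conntrack reference attached to the skb, or NULL when netfilter is compiled out, which is what the icmp.c caller relies on.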
diff -urN linux-2.4.19-pre6.orig/include/net/ip.h
linux-2.4.19-pre6-nf-01/include/net/ip.h
--- linux-2.4.19-pre6.orig/include/net/ip.h Sat Apr 28 22:01:26 2001
+++ linux-2.4.19-pre6-nf-01/include/net/ip.h Fri Apr 12 00:52:31 2002
@@ -66,6 +66,7 @@
=20
extern struct ip_ra_chain *ip_ra_chain;
extern rwlock_t ip_ra_lock;
+struct nf_ct_info;
=20
/* IP flags. */
#define IP_CE 0x8000 /* Flag: "Congestion" */
@@ -106,7 +107,8 @@
unsigned length,
struct ipcm_cookie *ipc,
struct rtable *rt,
- int flags);
+ int flags,
+ struct nf_ct_info *nfct);
=20
/*
* Map a multicast IP onto multicast MAC for type Token Ring.
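Review bot: adding a trailing `struct nf_ct_info *nfct` parameter to `ip_build_xmit()` changes an interface with several callers; the patch updates icmp.c, ip_output.c, raw.c and udp.c, but any other caller, in-tree or out-of-tree, now fails to compile, and the new parameter is undocumented. Please add a comment at the prototype stating that `nfct` may be NULL and that, when set, it is attached to every skb built for this transmission.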
diff -urN linux-2.4.19-pre6.orig/net/ipv4/icmp.c
linux-2.4.19-pre6-nf-01/net/ipv4/icmp.c
--- linux-2.4.19-pre6.orig/net/ipv4/icmp.c Sun Apr 7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/icmp.c Fri Apr 12 00:52:31 2002
@@ -370,7 +370,7 @@
icmp_param->data.icmph.code)) {=20
ip_build_xmit(sk, icmp_glue_bits, icmp_param,=20
icmp_param->data_len+icmp_param->head_len,
- &ipc, rt, MSG_DONTWAIT);
+ &ipc, rt, MSG_DONTWAIT, NULL);
}
ip_rt_put(rt);
out:
@@ -528,7 +529,7 @@
=20
ip_build_xmit(icmp_socket->sk, icmp_glue_bits, &icmp_param,=20
icmp_param.data_len+sizeof(struct icmphdr),
- &ipc, rt, MSG_DONTWAIT);
+ &ipc, rt, MSG_DONTWAIT, skb_nf_ct(skb_in));
=20
ende:
ip_rt_put(rt);
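Review bot: the hunk header `@@ -528,7 +529,7 @@` is shifted by one line although the earlier hunk in this file (`@@ -370,7 +370,7 @@`) adds no lines, so a one-line addition between lines 370 and 528 of icmp.c (an include or declaration, for example) is missing from this patch; please regenerate the diff so it applies cleanly. Passing `skb_nf_ct(skb_in)` here is the core of the fix, since the ICMP error inherits the conntrack of the packet that triggered it, and that deserves a short comment at the call site.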
diff -urN linux-2.4.19-pre6.orig/net/ipv4/ip_output.c
linux-2.4.19-pre6-nf-01/net/ipv4/ip_output.c
--- linux-2.4.19-pre6.orig/net/ipv4/ip_output.c Sun Apr 7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/ip_output.c Fri Apr 12 00:52:31 2002
@@ -405,6 +405,22 @@
return -EHOSTUNREACH;
}
=20
+#ifdef CONFIG_NETFILTER
+/* If the original packet is part of a connection, but the connection
+ is not confirmed, our manufactured reply will not be associated
+ with it, so we need to do this manually. */
+static void nfct_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
+{
+ void (*attach)(struct sk_buff *, struct nf_ct_info *);
+
+ /* Avoid module unload race with ip_ct_attach being NULLed out */
+ if (nfct && (attach =3D ip_ct_attach) !=3D NULL)
+ attach(new_skb, nfct);
+}
+#else
+static void nfct_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct) { }
+#endif
+
/*
* Build and send a packet, with as little as one copy
*
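Review bot: `nfct_attach()` duplicates the `attach(new_skb, nfct)` pattern already present in ipt_REJECT.c (visible as context in the `@@ -32,7 +32,8 @@` hunk of that file); with two copies of the module-unload-safe snapshot of `ip_ct_attach`, a later fix to one will miss the other, so consider exporting one shared helper instead. The `#else` stub should also be `static inline` so that non-netfilter builds do not emit an unused empty function.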
@@ -434,7 +450,8 @@
unsigned length,
struct ipcm_cookie *ipc,
struct rtable *rt,
- int flags)
+ int flags,
+ struct nf_ct_info *nfct)
{
unsigned int fraglen, maxfraglen, fragheaderlen;
int err;
@@ -599,6 +616,7 @@
=20
nfrags++;
=20
+ nfct_attach(skb, nfct);
err =3D NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,=20
skb->dst->dev, output_maybe_reroute);
if (err) {
@@ -633,7 +651,8 @@
unsigned length,
struct ipcm_cookie *ipc,
struct rtable *rt,
- int flags)
+ int flags,
+ struct nf_ct_info *nfct)
{
int err;
struct sk_buff *skb;
@@ -652,7 +671,7 @@
* Check for slow path.
*/
if (length > rt->u.dst.pmtu || ipc->opt !=3D NULL) =20
- return ip_build_xmit_slow(sk,getfrag,frag,length,ipc,rt,flags);=20
+ return ip_build_xmit_slow(sk,getfrag,frag,length,ipc,rt,flags,nfct);=20
} else {
if (length > rt->u.dst.dev->mtu) {
ip_local_error(sk, EMSGSIZE, rt->rt_dst, sk->dport,
rt->u.dst.dev->mtu);
@@ -710,6 +729,7 @@
if (err)
goto error_fault;
=20
+ nfct_attach(skb, nfct);
err =3D NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
output_maybe_reroute);
if (err > 0)
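Review bot: `nfct_attach(skb, nfct)` is placed immediately before the `NF_IP_LOCAL_OUT` hook both here and in the slow path (`@@ -599,6 +616,7 @@`); that ordering is essential, because the NAT code at LOCAL_OUT must already see the conntrack to translate the quoted inner header, so a one-line comment at one of the two call sites would keep a later refactor from moving the call after the hook.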
@@ -977,7 +997,8 @@
sk->protinfo.af_inet.tos =3D skb->nh.iph->tos;
sk->priority =3D skb->priority;
sk->protocol =3D skb->nh.iph->protocol;
- ip_build_xmit(sk, ip_reply_glue_bits, arg, len, &ipc, rt, MSG_DONTWAIT);
+ ip_build_xmit(sk, ip_reply_glue_bits, arg, len, &ipc, rt, MSG_DONTWAIT,
+ NULL);
bh_unlock_sock(sk);
=20
ip_rt_put(rt);
diff -urN linux-2.4.19-pre6.orig/net/ipv4/netfilter/ip_nat_core.c
linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.4.19-pre6.orig/net/ipv4/netfilter/ip_nat_core.c Sun Apr 7 15:27:29
2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c Fri Apr 12 00:52:31
2002
@@ -780,6 +780,18 @@
} else return NF_ACCEPT;
}
=20
+/*
+ * Decide whether to map inner header of an ICMP reply, including when
+ * we generate the reply ourselves.
+ */
+static inline int
+map_innards(unsigned int maniphook, unsigned int hooknum)
+{
+ return (maniphook =3D=3D opposite_hook[hooknum]
+ || (hooknum =3D=3D NF_IP_LOCAL_OUT
+ && HOOK2MANIP(maniphook) =3D=3D IP_NAT_MANIP_SRC));
+}
+
unsigned int
icmp_reply_translation(struct sk_buff *skb,
struct ip_conntrack *conntrack,
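Review bot: the second clause of `map_innards()`, `hooknum == NF_IP_LOCAL_OUT && HOOK2MANIP(maniphook) == IP_NAT_MANIP_SRC`, is the behavioural change that covers the advisory's case, but the comment above it only says "including when we generate the reply ourselves"; please spell out which manip it selects for a locally generated error and why the destination-manip case is deliberately excluded, so the next reader does not have to reconstruct that from `opposite_hook[]` and `HOOK2MANIP()`.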
@@ -837,7 +849,7 @@
packet, except it was never src/dst reversed, so
where we would normally apply a dst manip, we apply
a src, and vice versa. */
- if (info->manips[i].hooknum =3D=3D opposite_hook[hooknum]) {
+ if (map_innards(info->manips[i].hooknum, hooknum)) {
DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n",
info->manips[i].maniptype =3D=3D IP_NAT_MANIP_SRC
? "DST" : "SRC",
diff -urN linux-2.4.19-pre6.orig/net/ipv4/netfilter/ipt_REJECT.c
linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.19-pre6.orig/net/ipv4/netfilter/ipt_REJECT.c Sun Apr 7 15:27:29
2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ipt_REJECT.c Fri Apr 12 00:52:31
2002
@@ -32,7 +32,8 @@
attach(new_skb, nfct);
}
=20
-/* Send RST reply */
+/* Send RST reply: we want to use the dest as the RST src ip, so can''t
+ use normal RST routine. --RR */
static void send_reset(struct sk_buff *oldskb, int local)
{
struct sk_buff *nskb;
@@ -153,6 +154,7 @@
kfree_skb(nskb);
}
=20
+#if 0
static void send_unreach(struct sk_buff *skb_in, int code)
{
struct iphdr *iph;
@@ -270,6 +272,12 @@
NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
ip_finish_output);
}=09
+#else
+static void send_unreach(struct sk_buff *skb_in, int code)
+{
+ icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
+}
+#endif
=20
static unsigned int reject(struct sk_buff **pskb,
unsigned int hooknum,
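Review bot: wrapping the old `send_unreach()` in `#if 0` (from `@@ -153,6 +154,7 @@` to this hunk) leaves over a hundred lines of dead code in ipt_REJECT.c; if the `icmp_send()` replacement is the intended final form, delete the old body rather than disable it. Note also that the one-line replacement only yields correctly un-NATed errors because icmp.c now passes `skb_nf_ct(skb_in)` into `ip_build_xmit()`; the two changes have to ship together, which is worth stating in the patch description.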
diff -urN linux-2.4.19-pre6.orig/net/ipv4/raw.c
linux-2.4.19-pre6-nf-01/net/ipv4/raw.c
--- linux-2.4.19-pre6.orig/net/ipv4/raw.c Sun Apr 7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/raw.c Fri Apr 12 00:54:14 2002
@@ -427,7 +427,8 @@
if (!ipc.addr)
ipc.addr =3D rt->rt_dst;
err =3D ip_build_xmit(sk, sk->protinfo.af_inet.hdrincl ? raw_getrawfrag :
- raw_getfrag, &rfh, len, &ipc, rt, msg->msg_flags);
+ raw_getfrag, &rfh, len, &ipc, rt, msg->msg_flags,
+ NULL);
=20
done:
if (free)
diff -urN linux-2.4.19-pre6.orig/net/ipv4/udp.c
linux-2.4.19-pre6-nf-01/net/ipv4/udp.c
--- linux-2.4.19-pre6.orig/net/ipv4/udp.c Sun Apr 7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/udp.c Fri Apr 12 00:52:32 2002
@@ -548,7 +548,7 @@
(sk->no_check =3D=3D UDP_CSUM_NOXMIT ?
udp_getfrag_nosum :
udp_getfrag),
- &ufh, ulen, &ipc, rt, msg->msg_flags);
+ &ufh, ulen, &ipc, rt, msg->msg_flags, NULL);
=20
out:
ip_rt_put(rt);
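Review bot: passing `NULL` for the new parameter at the socket send paths (here, in raw.c, and in the `icmp_reply`/`ip_send_reply` callers) is consistent with the comment on `nfct_attach()`, which says the explicit attach is only needed for a manufactured reply to a not-yet-confirmed connection; a short comment at one of these call sites saying that ordinary socket traffic is tracked by the LOCAL_OUT hook as before would make the NULLs self-explanatory.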
Eduardo Ferreira
2002-May-08 15:13 UTC
[Shorewall-users] Fwd: Security Advisory (Second Try)
Hi, Tom.

As I see from the document in the advisory, there is a workaround that can be used temporarily before I get the time to apply the patch. The document says:

Workarounds
===========
Filter out untracked local packets:
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP

How can I implement this rule in the shorewall conf files?

TIA,

Eduardo Ferreira
On Wed, 8 May 2002, Eduardo Ferreira wrote:

> Hi, tom.
>
> as I see from the document in the advisory, there is an workaround that
> can be used temporarily before I got the time to apply the patch. the
> document says:
>
> Workarounds
> ===========
> Filter out untracked local packets:
> iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
>
> How can I implement this rule in the shorewall conf files?
>

Create /etc/shorewall/start and in it place:

run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP

Restart Shorewall.

-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
Eduardo Ferreira
2002-May-08 16:26 UTC
[Shorewall-users] Fwd: Security Advisory (Second Try)
thanks,
the rule is there. hope it is enough for the time being.
Eduardo Ferreira
Tom Eastep <teastep@shorewall.net>
Sent by: shorewall-users-admin@shorewall.net
08/05/2002 12:25
To: Eduardo Ferreira <duda@icatu.com.br>
cc: Shorewall Users <shorewall-users@shorewall.net>
Subject: Re: [Shorewall-users] Fwd: Security Advisory (Second
Try)
On Wed, 8 May 2002, Eduardo Ferreira wrote:
> Hi, tom.
>
> as I see from the document in the advisory, there is an workaround that
> can be used temporarily before I got the time to apply the patch. the
> document says:
>
> Workarounds
> ===========
> Filter out untracked local packets:
> iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
>
> How can I implement this rule in the shorewall conf files?
>
Create /etc/shorewall/start and in it place:
run_iptables -I OUTPUT 2 -m state -p icmp --state INVALID -j DROP
Restart Shorewall.
-Tom
--
Tom Eastep \ Shorewall - iptables made easy
AIM: tmeastep \ http://www.shorewall.net
ICQ: #60745924 \ teastep@shorewall.net
_______________________________________________
Shorewall-users mailing list
Shorewall-users@shorewall.net
http://www.shorewall.net/mailman/listinfo/shorewall-users