thr3ads.net - netfilter announce - Security Advisory [May 2002]

If this information is useful, please help other people find it:
Share via:
Harald Welte
2002-May-08 14:07 UTC
Security Advisory

--Qz2CZ664xQdCRdPu
Content-Type: multipart/mixed; boundary="BI5RvnYi6R4T2M87"
Content-Disposition: inline


--BI5RvnYi6R4T2M87
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

Hi!

Unfortunately there is a very unpopular announcement to be made on this
list:  A netfilter security advisory.

Phillipe Biondi has been reporting this bug and preparing the advisory,
the [still preliminary] solution is by Rusty Russell and James Morris.

--=20
Live long and prosper
- Harald Welte / laforge@gnumonks.org               http://www.gnumonks.org/
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+=20
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)

--BI5RvnYi6R4T2M87
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: attachment; filename=advisory
Content-Transfer-Encoding: quoted-printable

----------------------------------------------------------------------
               Cartel S=E9curit=E9 --- Security Advisory

Advisory Number: CARTSA-20020402
Subject:         Linux Netfilter NAT/ICMP code information leak
Author:		 Philippe Biondi <biondi@cartel-securite.fr>
Discovered:      2002, April 2
Published:       Not yet
----------------------------------------------------------------------

NOTE: Do not release in public before May 8, 2002.

Problem description
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The following bug exists in the netfilter NAT implementation: When the
first packet of a connection is hitting a NAT rule, and this packet
causes the NAT box itself to reply with an ICMP error message, the
inner IP packet inside the ICMP error message is not un-NAT'ed
correctly.  This leads to the ability to discover which ports of a
host are NATed and where the packet will really go. This can also lead to
those ICMP error packets being dropped by stateful firewalls not
recognizing
the related connection.


Vulnerable versions
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

All kernel patches from iptables package < ipables-1.2.6a are vulnerable.
All versions of kernel >=3D 2.4.4 and up to (at least) 2.4.19-pre6 use a
vulnerable version.

Vendor status
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

The netfilter team has solved this bug with a patch that has been refused
for inclusion in the linux kernel. They are working on a new patch.


Solutions
=3D=3D=3D=3D=3D=3D=3D=3D=3D

* Use the attached patch
* Upgrade your kernel using the patch at
  http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
  (link active starting with May 8)
* Use a workarround until the final solution to this bug is implemented
  and included in the linux kernel source


Workarounds
=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D

Filter out untracked local packets:
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP


Example
=3D=3D=3D=3D=3D=3D=3D

Let's take a machine (172.16.1.40) that DNAT port 666 to 172.16.3.26:22 :
iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to
172.16.3.26:22

Then if a host sends a packet that will die on 172.16.1.40 :
hping  -t 1 --syn -p 666  172.16.1.40

This is the icmp packet we'll get from 172.16.1.40 :
17:07:46.709230 172.16.1.40 > 172.16.1.28: icmp: time exceeded in-transit
0x0000   45c0 0044 eaa6 0000 ff01 75f1 ac10 0128        E..D......u....(
0x0010   ac10 0118
                   0b00 516d 0000 0000
                                       4500 0028        ......Qm....E..(
0x0020   b0f3 0000 0106 ac8a ac10 0118 ac10 031a <-+    ................
0x0030   04bd 0016 3206 3ec0 0490 00b4 5002 0200   |    ....2.>.....P...
0x0040   d6b2 00^0                                 |    ....
                |                            172.16.3.26
                +-- port 22


You can also try a patch to nmap that does that and much more :
http://www.cartel-info.fr/pbiondi/nmap/

# ./nmap -sS -P0 xxx.xxx.xxx.xxx -p 22,23,666,667 -t 9

Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
Interesting ports on xxx.xxx.xxx.xxx:
Port       State       Service
22/tcp     open        ssh
23/tcp     filtered    telnet
666/tcp    UNfiltered  unknown                  DNAT to 192.168.8.10:22
667/tcp    UNfiltered  unknown                  DNAT to 192.168.26.10:22


Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

----------------------------------------------------------------------
Copyright (c) Cartel S=E9curit=E9
This document is copyrighted. It can't be edited nor republished
without explicit consent of Cartel S=E9curit=E9.
For more informations, feel free to contact us.
http://securite.cartel-securite.fr/
----------------------------------------------------------------------


--=20
Philippe Biondi <biondi@ cartel-securite.fr> Cartel S=E9curit=E9
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2




--BI5RvnYi6R4T2M87
Content-Type: text/plain; charset=us-ascii
Content-Disposition: attachment; filename="2.4.19-pre6_icmp-nat.patch"
Content-Transfer-Encoding: quoted-printable

diff -urN linux-2.4.19-pre6.orig/include/linux/skbuff.h
linux-2.4.19-pre6-nf-01/include/linux/skbuff.h
--- linux-2.4.19-pre6.orig/include/linux/skbuff.h	Sun Apr  7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/include/linux/skbuff.h	Fri Apr 12 00:52:31 2002
@@ -1144,6 +1144,17 @@
 	if (nfct)
 		atomic_inc(&nfct->master->use);
 }
+static inline struct nf_ct_info *
+skb_nf_ct(struct sk_buff *skb)
+{
+	return skb->nfct;
+}
+#else
+static inline struct nf_ct_info *
+skb_nf_ct(struct sk_buff *skb)
+{
+	return NULL;
+}
 #endif
=20
 #endif	/* __KERNEL__ */
diff -urN linux-2.4.19-pre6.orig/include/net/ip.h
linux-2.4.19-pre6-nf-01/include/net/ip.h
--- linux-2.4.19-pre6.orig/include/net/ip.h	Sat Apr 28 22:01:26 2001
+++ linux-2.4.19-pre6-nf-01/include/net/ip.h	Fri Apr 12 00:52:31 2002
@@ -66,6 +66,7 @@
=20
 extern struct ip_ra_chain *ip_ra_chain;
 extern rwlock_t ip_ra_lock;
+struct nf_ct_info;
=20
 /* IP flags. */
 #define IP_CE		0x8000		/* Flag: "Congestion"		*/
@@ -106,7 +107,8 @@
 				      unsigned length,
 				      struct ipcm_cookie *ipc,
 				      struct rtable *rt,
-				      int flags);
+				      int flags,
+				      struct nf_ct_info *nfct);
=20
 /*
  *	Map a multicast IP onto multicast MAC for type Token Ring.
diff -urN linux-2.4.19-pre6.orig/net/ipv4/icmp.c
linux-2.4.19-pre6-nf-01/net/ipv4/icmp.c
--- linux-2.4.19-pre6.orig/net/ipv4/icmp.c	Sun Apr  7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/icmp.c	Fri Apr 12 00:52:31 2002
@@ -370,7 +370,7 @@
 			       icmp_param->data.icmph.code)) {=20
 		ip_build_xmit(sk, icmp_glue_bits, icmp_param,=20
 			      icmp_param->data_len+icmp_param->head_len,
-			      &ipc, rt, MSG_DONTWAIT);
+			      &ipc, rt, MSG_DONTWAIT, NULL);
 	}
 	ip_rt_put(rt);
 out:
@@ -528,7 +529,7 @@
=20
 	ip_build_xmit(icmp_socket->sk, icmp_glue_bits, &icmp_param,=20
 		icmp_param.data_len+sizeof(struct icmphdr),
-		&ipc, rt, MSG_DONTWAIT);
+		&ipc, rt, MSG_DONTWAIT, skb_nf_ct(skb_in));
=20
 ende:
 	ip_rt_put(rt);
diff -urN linux-2.4.19-pre6.orig/net/ipv4/ip_output.c
linux-2.4.19-pre6-nf-01/net/ipv4/ip_output.c
--- linux-2.4.19-pre6.orig/net/ipv4/ip_output.c	Sun Apr  7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/ip_output.c	Fri Apr 12 00:52:31 2002
@@ -405,6 +405,22 @@
 	return -EHOSTUNREACH;
 }
=20
+#ifdef CONFIG_NETFILTER
+/* If the original packet is part of a connection, but the connection
+   is not confirmed, our manufactured reply will not be associated
+   with it, so we need to do this manually. */
+static void nfct_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct)
+{
+	void (*attach)(struct sk_buff *, struct nf_ct_info *);
+
+	/* Avoid module unload race with ip_ct_attach being NULLed out */
+	if (nfct && (attach =3D ip_ct_attach) !=3D NULL)
+		attach(new_skb, nfct);
+}
+#else
+static void nfct_attach(struct sk_buff *new_skb, struct nf_ct_info *nfct) { }
+#endif
+
 /*
  *	Build and send a packet, with as little as one copy
  *
@@ -434,7 +450,8 @@
 		  unsigned length,
 		  struct ipcm_cookie *ipc,
 		  struct rtable *rt,
-		  int flags)
+		  int flags,
+		  struct nf_ct_info *nfct)
 {
 	unsigned int fraglen, maxfraglen, fragheaderlen;
 	int err;
@@ -599,6 +616,7 @@
=20
 		nfrags++;
=20
+		nfct_attach(skb, nfct);
 		err =3D NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL,=20
 			      skb->dst->dev, output_maybe_reroute);
 		if (err) {
@@ -633,7 +651,8 @@
 		  unsigned length,
 		  struct ipcm_cookie *ipc,
 		  struct rtable *rt,
-		  int flags)
+		  int flags,
+		  struct nf_ct_info *nfct)
 {
 	int err;
 	struct sk_buff *skb;
@@ -652,7 +671,7 @@
 		 * 	Check for slow path.
 		 */
 		if (length > rt->u.dst.pmtu || ipc->opt !=3D NULL) =20
-			return ip_build_xmit_slow(sk,getfrag,frag,length,ipc,rt,flags);=20
+			return ip_build_xmit_slow(sk,getfrag,frag,length,ipc,rt,flags,nfct);=20
 	} else {
 		if (length > rt->u.dst.dev->mtu) {
 			ip_local_error(sk, EMSGSIZE, rt->rt_dst, sk->dport,
rt->u.dst.dev->mtu);
@@ -710,6 +729,7 @@
 	if (err)
 		goto error_fault;
=20
+	nfct_attach(skb, nfct);
 	err =3D NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, skb, NULL, rt->u.dst.dev,
 		      output_maybe_reroute);
 	if (err > 0)
@@ -977,7 +997,8 @@
 	sk->protinfo.af_inet.tos =3D skb->nh.iph->tos;
 	sk->priority =3D skb->priority;
 	sk->protocol =3D skb->nh.iph->protocol;
-	ip_build_xmit(sk, ip_reply_glue_bits, arg, len, &ipc, rt, MSG_DONTWAIT);
+	ip_build_xmit(sk, ip_reply_glue_bits, arg, len, &ipc, rt, MSG_DONTWAIT,
+		      NULL);
 	bh_unlock_sock(sk);
=20
 	ip_rt_put(rt);
diff -urN linux-2.4.19-pre6.orig/net/ipv4/netfilter/ip_nat_core.c
linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c
--- linux-2.4.19-pre6.orig/net/ipv4/netfilter/ip_nat_core.c	Sun Apr  7 15:27:29
2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ip_nat_core.c	Fri Apr 12 00:52:31
2002
@@ -780,6 +780,18 @@
 	} else return NF_ACCEPT;
 }
=20
+/*
+ * Decide whether to map inner header of an ICMP reply, including when
+ * we generate the reply ourselves.
+ */
+static inline int
+map_innards(unsigned int maniphook, unsigned int hooknum)
+{
+	return (maniphook =3D=3D opposite_hook[hooknum]
+	        || (hooknum =3D=3D NF_IP_LOCAL_OUT
+	             && HOOK2MANIP(maniphook) =3D=3D IP_NAT_MANIP_SRC));
+}
+
 unsigned int
 icmp_reply_translation(struct sk_buff *skb,
 		       struct ip_conntrack *conntrack,
@@ -837,7 +849,7 @@
 		   packet, except it was never src/dst reversed, so
 		   where we would normally apply a dst manip, we apply
 		   a src, and vice versa. */
-		if (info->manips[i].hooknum =3D=3D opposite_hook[hooknum]) {
+		if (map_innards(info->manips[i].hooknum, hooknum)) {
 			DEBUGP("icmp_reply: inner %s -> %u.%u.%u.%u %u\n",
 			       info->manips[i].maniptype =3D=3D IP_NAT_MANIP_SRC
 			       ? "DST" : "SRC",
diff -urN linux-2.4.19-pre6.orig/net/ipv4/netfilter/ipt_REJECT.c
linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.19-pre6.orig/net/ipv4/netfilter/ipt_REJECT.c	Sun Apr  7 15:27:29
2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/netfilter/ipt_REJECT.c	Fri Apr 12 00:52:31
2002
@@ -32,7 +32,8 @@
 		attach(new_skb, nfct);
 }
=20
-/* Send RST reply */
+/* Send RST reply: we want to use the dest as the RST src ip, so can't
+   use normal RST routine. --RR */
 static void send_reset(struct sk_buff *oldskb, int local)
 {
 	struct sk_buff *nskb;
@@ -153,6 +154,7 @@
 	kfree_skb(nskb);
 }
=20
+#if 0
 static void send_unreach(struct sk_buff *skb_in, int code)
 {
 	struct iphdr *iph;
@@ -270,6 +272,12 @@
 	NF_HOOK(PF_INET, NF_IP_LOCAL_OUT, nskb, NULL, nskb->dst->dev,
 		ip_finish_output);
 }=09
+#else
+static void send_unreach(struct sk_buff *skb_in, int code)
+{
+	icmp_send(skb_in, ICMP_DEST_UNREACH, code, 0);
+}
+#endif
=20
 static unsigned int reject(struct sk_buff **pskb,
 			   unsigned int hooknum,
diff -urN linux-2.4.19-pre6.orig/net/ipv4/raw.c
linux-2.4.19-pre6-nf-01/net/ipv4/raw.c
--- linux-2.4.19-pre6.orig/net/ipv4/raw.c	Sun Apr  7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/raw.c	Fri Apr 12 00:54:14 2002
@@ -427,7 +427,8 @@
 	if (!ipc.addr)
 		ipc.addr =3D rt->rt_dst;
 	err =3D ip_build_xmit(sk, sk->protinfo.af_inet.hdrincl ? raw_getrawfrag :
-		       	    raw_getfrag, &rfh, len, &ipc, rt, msg->msg_flags);
+		       	    raw_getfrag, &rfh, len, &ipc, rt, msg->msg_flags,
+		       	    NULL);
=20
 done:
 	if (free)
diff -urN linux-2.4.19-pre6.orig/net/ipv4/udp.c
linux-2.4.19-pre6-nf-01/net/ipv4/udp.c
--- linux-2.4.19-pre6.orig/net/ipv4/udp.c	Sun Apr  7 15:27:29 2002
+++ linux-2.4.19-pre6-nf-01/net/ipv4/udp.c	Fri Apr 12 00:52:32 2002
@@ -548,7 +548,7 @@
 			    (sk->no_check =3D=3D UDP_CSUM_NOXMIT ?
 			     udp_getfrag_nosum :
 			     udp_getfrag),
-			    &ufh, ulen, &ipc, rt, msg->msg_flags);
+			    &ufh, ulen, &ipc, rt, msg->msg_flags, NULL);
=20
 out:
 	ip_rt_put(rt);

--BI5RvnYi6R4T2M87--

--Qz2CZ664xQdCRdPu
Content-Type: application/pgp-signature
Content-Disposition: inline

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.6 (GNU/Linux)
Comment: For info see http://www.gnupg.org

iD8DBQE82TEINfqJzMqajVsRAtfdAJ48ozMvO2ZoFdW0WXg859UIC8slKQCgnY8n
fP3c0Y9JNxDEhF7d/cTdGAA=TNFX
-----END PGP SIGNATURE-----

--Qz2CZ664xQdCRdPu--
Maybe Matching Threads

Search for more possibly parallel threads
netfilter announce - May 2002 - Security Advisory

Security Advisory

Maybe Matching Threads

Wisdom of the Ancients
