Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: Security Problems with Linux 2.2.x IP Masquerading (fwd)
From: tony () CHELLO NL (Tony den Haan)
Date: Thu, 30 Mar 2000 20:07:53 +0200


---------- Forwarded message ----------
Date: Thu, 30 Mar 2000 14:52:36 -0300
From: Juanjo Ciarlante <jjo () mendoza gov ar>
To: Tony den Haan <tony () chello nl>
Cc: linux-kernel () vger rutgers edu
Subject: Re: Security Problems with Linux 2.2.x IP Masquerading (fwd)

On Tue, Mar 28, 2000 at 10:53:51PM +0200, Tony den Haan wrote:
didn't see it here yet, so i decided to forward:

[ Security Problems with Linux 2.2.x IP Masquerading ]



Summary:

Due to lax checking in the masquerading kernel code, an attacker is able
to rewrite a linux masq gateway's UDP masquerading entries so that the
remote host and port are whatever they choose. This creates a tunnel
between whatever host and port they want and a UDP port on an inside
machine.  The attacker is unable to tell what local inside ports and
addresses are being used, but they can determine the number of currently
masqueraded connections and the number of different hosts using those
connections behind the firewall.  Any network where UDP traffic is
masqueraded to the outside is vulnerable to this, including DNS, TFTP,
NetBIOS, and a multitude of other applications which rely on UDP
transport.  Since UDP is a connectionless protocol, the only way to
determine that a masqueraded connection is no longer being used is by
timing it out due to lack of activity or receiving ICMP messages
indication the port is closed. The result is that there is a 5 minute
time-out by default for all masqueraded UDP sessions, allowing an
attacker enough time to find and exploit the connection with some of the
methods outlined in the Examples section below.

{nice example snipped}
Current UDP semantics were inserted sometime ago as a resource saving
hack:
  _map_ internal box UDP port _at_ masq box by being "destination
  loose" (DLOOSE) and thus:
       . saving from creating a new masq tunnel for each {src,dst} pair
       . allowing some applications that require comunicating with
         same (masq'd) UDP source addr:port.
The core problem is precisely not being able to actually _know_ when
internal box has closed the port.

You can easily revert to good"old" way (1 tunnel/pair) by commenting out
#define CONFIG_IP_MASQ_LOOSE_DEFAULT 1
at ip_masq.c:418 (stupid patch attached)

This should drop hijack'ing ... Could you try and tell us?

Of course, if we change the default, some way to enable it back
perhaps on a per-application basis (ip_masq module) MUST be done.

Regards

--
-- Juanjo       http://juanjox.kernelnotes.org/
            ... because there IS an OS that CAN follow your power


<HR NOSHADE>
<UL>
<LI>TEXT/PLAIN attachment: stored
</UL>


  By Date           By Thread  

Current thread:
  • Re: Security Problems with Linux 2.2.x IP Masquerading (fwd) Tony den Haan (Mar 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]