Home page logo

bugtraq logo Bugtraq mailing list archives

Re: ICMP pokes holes in firewalls...
From: H D Moore <sflist () digitaloffense net>
Date: Thu, 25 Sep 2003 15:57:27 -0500

On Thursday 25 September 2003 02:21 pm, bugtraq () hackerfactor com wrote:
[ snip ]
  These are UDP services that open the firewall for inbound traffic.

Basically, a home firewall that does not manage connections at
layer-4 will be unable to stop this type of attack.

This also applies to Linux NAT gateways. Any outbound UDP packet creates 
an opening in the NAT firewall where any external source can fire packets 
back the client port. To make things worse, this UDP gateway stays open 
for a period of time after the initial response. It is exploitable in at 
least the following situations:

1) A malicious attacker knows that users in MediumCorp use a Linux NAT 
gateway and host their DNS server externally. They are able to send 
arbitrary responses back to the DNS client ports on internal systems, 
potentially exploiting one more resolver vulnerabilities.

2) There are a fairly small set of published public NTP servers. Many 
organizations synchronize internal systems (and routers) directly to 
these servers. Many of these servers have been configured so that it is 
possible to obtain a list of all clients who have recently polled this 
service. This list can then be checked for interesting organizations. 
Once a nice target has been identified and their NAT gateway has been 
detected as a ignore-the-source UDP forwarder, a malicious attacker could 
exploit any of the NTP client-side bugs. 

Client applications that make use of the recvfrom API call (vs connect and 
recv) can have arbitrary responses sent back to them through a NAT 
gateway with this problem. Applications using the connect API will simply 
respond back with an ICMP port unreachable, the response will be received 
by the attacked and can easility be differentiated from the responses 
from unused NAT gateway ports.

Again, this is low risk, fairly minor, and a trivial attack method.
But, I've not seen anyone mention this.

I posted about this in March of 2000, the kernel development team response 
was that many RPC services require this functionality and it would not be 
fixed. The reason is that many UDP-based RPC services will respond back 
to requests from an alternative interface using a different IP address 



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]