lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Message-Id: <201008131307.38381.morgon.j.kanter@dartmouth.edu>
Date:	Fri, 13 Aug 2010 13:07:38 -0400
From:	"Morgon J. Kanter" <morgon.j.kanter@...tmouth.edu>
To:	netdev@...r.kernel.org
Subject: PROBLEM: raw sockets rewriting IP ID in rare cases.

I have stumbled across what I think is a rare bug in the raw socket mechanism 
of the kernel. When attempting to send a certain packet with an IP ID of zero 
from a raw socket created with the call "socket(AF_INET, SOCK_RAW, 
IPPROTO_RAW)", the kernel will modify the IP ID field and update the checksum. 
It only seems to do it with this specific packet for some reason, similar 
packets with an IP ID of zero do not get so mangled.

To reproduce, I have attached a packet that contains the issue and code that I 
use to send it. To reproduce, compile the sending code:
$ gcc -o testpacket testpacket.c
and run it on the packet:
$ sudo ./testpacket packet1189641421

(You may need to disable your firewall or whatnot. You might also need to 
change the IP field if you don't have a route that satisfies 192.168.1.*, but 
I haven't tried to see if this works or not with another IP.) Note the packet 
itself has an IP ID field of zero. But check in Wireshark or another scanner 
scanner, and when the packet comes out the IP ID is now non-zero! I've 
attached a pcap file with the packet as it was captured from Wireshark.

To double-check that Wireshark is right, you can do the following:

$ sudo iptables -A OUTPUT -p tcp --tcp-flags SYN,ACK SYN,ACK -m u32 ! --u32 "2 
& 0xFFFF = 0" -j DROP

(for those not used to reading iptables rules, that simply blocks anything 
with a non-zero IP ID and SYN/ACK flags) When you do such, and attempt to send 
the packet using the provided program, you'll get an EPERM because Netfilter 
is blocking the packet -- even though it is supposedly going in with an IP ID 
of zero, the kernel is rewriting the ID somewhere.

This seems like a bug, because IPPROTO_RAW means IP_HDRINCL should be on and 
we should be providing the IP header exactly as we want it sent out on the 
wire. It's really puzzling because this only happens on very specific packets 
(this was taken from a modified response to the 6th probe from nmap, probes 
1-5 went fine but probe 6 was blocked).

ver_linux output:
Linux mewtwo 2.6.34-gentoo-r1 #4 SMP PREEMPT Tue Aug 10 13:35:42 EDT 2010 
x86_64 Intel(R) Core(TM)2 Duo CPU T9600 @ 2.80GHz GenuineIntel GNU/Linux
 
Gnu C                  4.3.4
Gnu make               3.81
binutils               2.20.1.20100303
util-linux             scripts/ver_linux: line 23: fdformat: command not found
mount                  support
module-init-tools      found
Linux C Library        2.11.2
Dynamic linker (ldd)   2.11.2
Procps                 3.2.8
Kbd                    1.15
Sh-utils               8.5
Modules Loaded         r8192se_pci vboxnetadp vboxnetflt vboxdrv

If you need any more information, please let me know.
Thanks,
-- Morgon

PS: My apologies if the bug format is bad or sent to the wrong place, this is 
the first time I've submitted a bug to for the kernel.

Download attachment "packet1189641421" of type "application/octet-stream" (60 bytes)

View attachment "testpacket.c" of type "text/x-csrc" (829 bytes)

Download attachment "strange_packet.pcap" of type "application/octet-stream" (116 bytes)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ