Message-ID: <976b21f4-59b8-4ca3-99c0-5f22d25efa02@zimbra2.corp.accelance.fr>
Date:	Thu, 08 Dec 2011 09:20:22 +0100 (CET)
From:	Cedric Lagneau <cedric.lagneau@...nwide.fr>
To:	netdev@...r.kernel.org
Cc:	Dan Carpenter <dan.carpenter@...cle.com>
Subject: Fwd: ICMP-REDIRECT packet & host ARP table corruption. Verified on Fedora kernel 3.1.0-7 and Ubuntu 11.10 3.0.0

original mail:

> hi all,
> 
> Since kernel >= 3.0 we've found some strange behavior on our architecture. Some hosts cannot access some networks anymore after using this kernel. Verified on Ubuntu 11.10 and Fedora fc16.
> 
> 
> Explanation:
> 
> Host with a simple IP
> default install
> default sysctl.conf:
> net.ipv4.conf.all.accept_redirects=1
> net.ipv4.conf.default.accept_redirects=1
> no netfilter
> 
> A forged ICMP type 5 (redirect) code 0 or 1 sent to this host from another host on the same network corrupts the ARP table with an entry for a non-local network.
> 
> sample:
> hostA ip 192.168.2.192/24
> gw 192.168.2.254
> 
> arp -an 
> 192.168.2.254 at 00:00:5e:00:01:60
> 
> 
> Then, from a host B, I forge an ICMP redirect packet like this:
> 192.168.2.254 > 192.168.2.192: ICMP redirect 87.106.170.240 to net 192.168.10.10
> 
> After that, on hostA I do a simple ICMP ping to 87.106.170.240, ARP is sent from hostB, and the ARP table of hostA is corrupted:
> 
> arp -an
> 192.168.2.254 at 00:00:5e:00:01:60
> 192.168.10.10 at <incomplete> 
> 
> 
> If I put hostB's IP as the ICMP redirect gateway, hostB receives the packets.
> 
> 
> Best regards,
> 
>
> Cédric Lagneau


Then:
> So I downloaded an arp forger from:
> http://insecure.org/sploits/arp.games.html
>
> ./icmp_redir 192.168.1.1 192.168.1.101 153.104.63.227 192.168.4.8
>                 (gw)     (3.0 system)   (random ip)   (not on my lan)
>
> I was able to make 153.104.63.227 unroutable on 2.6.39 and higher
> but not on 2.6.38.  The new ip 192.168.4.8 does show up in arp -n
> but it gets cleaned out much faster.
>
> regards,
> Dan Carpenter

Thanks, I didn't know this tool; I was using python-scapy to forge the ICMP packets.

For me the bad ARP entry is never cleaned and I need to reboot the host. arp -d "ip" says this:
SIOCDARP(priv): Network is unreachable

This can cause problems on some architectures, like this simplified version:

----backbone--- "Public network" with multiple gateways to reach multiple networks. ICMP redirect allowed.
      |
 Firewall with outgoing NAT 192.168.2.0/24 -> IP from "public network". ICMP redirect blocked on the FW to protect the internal LAN.
      |
-----LAN------ 192.168.2.0/24  gateway: Firewall

When a LAN host wants to reach non-local networks, its IP is NATed through the firewall, then the session is put in a state table.

On some firewalls, like OpenBSD with PF (http://openbsd.org/faq/pf/filter.html), ICMP-REDIRECT packets pass through the state table's NAT session (this is a feature on OpenBSD; I have not tested with Linux for the moment). There is no way to block the ICMP packet on the firewall because the state table is before PF... In this case there is no other choice than to use sysctl on all internal hosts, because the host inserts a bad gateway from the "public network" provided by the ICMP redirect.

"Another advantage of keeping state is that corresponding ICMP traffic will be passed through the firewall. For example, if a TCP connection passing through the firewall is being tracked statefully and an ICMP source-quench message referring to this TCP connection arrives, it will be matched to the appropriate state entry and passed through the firewall."

I know it's a bad idea to use a backbone IP for NAT and to allow ICMP redirects on a simple host (man in the middle inside one's own network from other hosts, like you say), but this can happen and this is an example.


regards,

--

Cédric Lagneau
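A defender-side check for the symptom this thread describes, added here as an example and not part of the original mails: it parses `arp -an` style output (the sample table is constructed to mirror the corrupted hostA table quoted above), flags neighbor entries that fall outside the host's own subnets, and lists interfaces whose `accept_redirects` sysctl is still 1. The subnet list and the `/proc/sys/net/ipv4/conf` location are assumptions.

```python
"""Flag ARP/neighbor entries that no local subnet covers.

After the forged redirect in this thread, hostA (192.168.2.192/24) held
192.168.10.10 at <incomplete>, an address on a network it is not attached
to.  Such entries, together with accept_redirects=1, are the signal to look for.
"""
import ipaddress
import re
from pathlib import Path

# Constructed sample: hostA's corrupted table in real `arp -an` format.
SAMPLE_ARP = """\
? (192.168.2.254) at 00:00:5e:00:01:60 [ether] on eth0
? (192.168.2.17) at 52:54:00:aa:bb:cc [ether] on eth0
? (192.168.10.10) at <incomplete> on eth0
"""

# Matches both "(192.168.2.254) at 00:..." and the bare "192.168.2.254 at 00:..."
# form quoted in the mail.
ARP_LINE = re.compile(r"(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)? at (?P<mac>\S+)")


def parse_arp(text):
    """Return (ip, mac) tuples; mac is '<incomplete>' for unresolved entries."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac")))
    return entries


def foreign_neighbors(text, local_subnets):
    """Entries whose IP lies outside every subnet the host is attached to."""
    nets = [ipaddress.ip_network(s, strict=False) for s in local_subnets]
    return [(ip, mac) for ip, mac in parse_arp(text)
            if not any(ipaddress.ip_address(ip) in n for n in nets)]


def redirects_accepted(conf_root="/proc/sys/net/ipv4/conf"):
    """Interface names (including 'all' and 'default') with accept_redirects=1.
    conf_root is an assumed default; a missing directory yields an empty list."""
    return sorted(p.parent.name for p in Path(conf_root).glob("*/accept_redirects")
                  if p.read_text().strip() == "1")


if __name__ == "__main__":
    for ip, mac in foreign_neighbors(SAMPLE_ARP, ["192.168.2.192/24"]):
        print(f"neighbor entry outside local subnets: {ip} at {mac}")
    print("accept_redirects still enabled on:", redirects_accepted())
```

Run it on a live host by feeding the real `arp -an` output to `foreign_neighbors` together with the subnets from `ip -4 addr`.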