Linux netfilter

sergey_m

Интересно, на phoenix есть правила про tcp options?
Bugtraq:

From: Adam Osuchowski <polsl.gliwice.pl>

To: securityfocus.com

Subject: Remote DoS vulnerability in Linux kernel 2.6.x

Date: Wed, 30 Jun 2004 12:57:17 +0200

Mailing-List: contact bugtraq-securityfocus.com; run by ezmlm

Precedence: bulk

Delivered-To: mailing list securityfocus.com

Delivered-To: moderator for securityfocus.com

Reply-To: Adam Osuchowski <polsl.gliwice.pl>

Organization: Computer Centre of The Silesian University of Technology

X-nic-hdl: AO3196-RIPE

    

1. Overview

-----------

        

There is a remotely exploitable bug in all Linux kernel 2.6 series due to

using incorrect variable type. Vulnerability is connected to netfilter

subsystem and may cause DoS. It's disclosed only when using iptables with

rules matching TCP options (i.e.  --tcp-option). There is no difference

what action is taking up by matching rule.

Vulnerability was detected on i386 architecture. The other ones weren't tested

but it seems to be vulnerable too.

2. Details

----------

Problem lies in tcp_find_option function (net/ipv4/netfilter/ip_tables.c).

There is local array `opt' defined as:

    char opt[60 - sizeof(struct tcphdr)];

which contains TCP options extracted from packet. Function mentioned above

searches for specified option in this array.

Options in TCP packet, with some exceptions, are organized in the following

way:

        Octet no.       Length  Field

        -----------------------------

                0       1       Opcode

                1       1       Length of all option (N + 2)

                2       N       Params

The function iterates over options in array:

    for (i = 0; i < optlen; ) {

            if (opt[i] == option) return !invert;

            if (opt[i] < 2) i++;

            else i += opt[i+1]?:1;

    }

moving counter by the option length.  

But, in case the `length' value is greater than 127, the value of this octet

in `opt' is implicitly casted to char, which results in negative number and

the loop counter moving back. In some cases it is possible, that counter  

cycles throught the contents of this array infinitely.

3. Impact

---------

After sending one suitably prepared TCP packet to victim host, kernel goes

into infinite loop consuming all CPU resources, rendering the box

unresponsable. Of course, there is no need to have a shell access to attacked

host.

                

4. Exploitation

---------------

Example of packet-of-death:

0x0000:  4500 0030 1234 4000 ff06 e83f c0a8 0001 

0x0010:  c0a8 0002 0400 1000 0000 0064 0000 0064

0x0020:  7000 0fa0 dc6a 0000 0204 05b4 0101 04fd

5. Fix

------

There is only need to change type of `opt' array from signed char to unsigned

(or, better to u_int8_t) as it was defined in 2.4 kernel or prior to version

1.16 of net/ipv4/netfilter/ip_tables.c file.

--- net/ipv4/netfilter/ip_tables.c.orig 2004-04-04 05:36:47.000000000 +0200

+++ net/ipv4/netfilter/ip_tables.c      2004-06-24 21:24:26.000000000 +0200

@@ -1461,7 +1461,7 @@

                int *hotdrop)

 {

        /* tcp.doff is only 4 bits, ie. max 15 * 4 bytes */

-       char opt[60 - sizeof(struct tcphdr)];

+       u_int8_t opt[60 - sizeof(struct tcphdr)];

        unsigned int i;

        duprintf("tcp_match: finding option\n");

6. Credits

----------

Vulnerability was discovered, identified and fixed by Adam Osuchowski

and Tomasz Dubinski.

--

##  Adam Osuchowski   polsl.gliwice.pl, silesia.linux.org.pl

##  Silesian University of Technology, Computer Centre   Gliwice, Poland

---

irinkina

phoenix под Линухом стал работать ?

dailies

угу, Глебиус съехал - некому на путь истинный наставить

chamanaev

я вот примерно так же подумал, когда это прочитал

Marinavo_0507

И что надумали?

Chupa

затестить нада

Chupa

ну чё, добровольцы есть?

sergey_m

И что надумали?

Что правила про tcp options, если они были, ты уже убрал.

sergey_m

ну чё, добровольцы есть?

Не хочется рубить сук, на котором сидишь. В смысле через который пиздишь на форуме

Marinavo_0507

А нах они вообще могут быть нужны?
Думал полчаса - никаких идей

Chupa

не понял, что именно имеется ввиду

sergey_m

В том, что через него мы сейчас сидим на форуме.

Chupa

на фениксе это уже давно протестировано