Security Vulnerability in IPFilter 3.3.15 and 3.4.3

Contributed by Dengue on 2000-05-26 from the bummer dept.

Erik Fichtner has found and posted to BUGTRAQ a weakness in IPFilter that exploits a common ruleset misconfiguration. Kjell Wooding's patch for 2.6 & 2.7 fixes this. The text of the BUGTRAQ post, minus the "GORY DETAILS" section follows:


From emf@PRETTYHATEMACHINE.OBFUSCATION.ORG Fri May 26 19:02:26 2000
Date: Fri, 26 May 2000 00:04:56 -0400
From: emf


To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Security Vulnerability in IPFilter 3.3.15 and 3.4.3

	Obfuscation Research Laboratories Security Advisory #ORL-2000-05-19-01

			IPFILTER FIREWALLS

SYNOPSIS
		A weakness exists in the IPFilter firewalling package in
	all versions up to and including 3.3.15 and 3.4.3 that allows an
	attacker to penetrate the firewall when a common, yet admittedly
	flawed, configuration is used.

DETAILS

		If IPFilter rulesets are constructed such that
	"return-rst" and "keep state" overlap, e.g.:

		block return-rst in proto tcp from A to V
		pass out proto tcp from V' to A' keep state

	where A, A', V and V' are hostmasks that can include "any", and
	the attacker matches against A and A' and the victim matches against
	V and V', the attacker may exploit a race condition in the state
	table generation code that results from fr_addstate()'s fault of
	creating a new state entry for the outgoing RST packet generated
	by the "return-rst" rule.  If a new SYN packet comes in before
	the state entry created by the RST expires, the state entry
	will allow the SYN packet to pass through the firewall, and the
	explicit permissiveness of a "pass out all keep state" or similar
	rules then allows the SYN-ACK and all successive ACK's to create
	new state entries.  The attacker merely needs to ignore the RST's
	that are being sent to him and continue to attack the victim.

		For the curious, traces of an exploitation are included
	in the "GORY DETAILS" section at the end of this message.

PATCHES/WORKAROUNDS

        A patch has been made available for all versions of IPFilter that
        prevents fr_addstate() from creating a state entry when triggered
        by a RST packet.  This patch has been incorporated into IPFilter
	releases 3.3.16 and 3.4.4.

        If you are unable to patch your systems, remove all "return-rst"
	keywords or replace the rule which adds state for all outbound TCP
	packets:

        pass out proto tcp ... keep state    # No TCP flags matched upon!

        with the following three rules:

        pass out quick proto tcp ... flags R/R
        pass out proto tcp ... flags AR/A keep state
        pass out proto tcp ... flags S keep state

        This will support the current behavior of allowing state to be
        created by connections which are already open as well as new
        connections, so long as at least the ACK bit is set in the TCP
        header.  The use of the other rule, which matches all TCP packets,
        regardless of flag settings, is strongly discouraged.

        If you use a single rule such as this:

        pass out proto tcp/udp ... keep state

        then you must replace it with these four rules:

        pass out quick proto tcp ... flags R/R
        pass out proto tcp ... flags AR/A keep state
        pass out proto tcp ... flags S keep state
        pass out proto udp ... keep state

*** ip_state.c.old      Fri May 19 11:54:43 2000
--- ip_state.c  Sun May 21 15:50:11 2000
***************
*** 558,567 ****
--- 558,569 ----
            }
        case IPPROTO_TCP :
            {
                tcp = (tcphdr_t *)fin->fin_dp;

+               if (tcp->th_flags & TH_RST) return NULL;
+
                /*
                 * The endian of the ports doesn't matter, but the ack and
                 * sequence numbers do as we do mathematics on them later.
                 */
                is->is_dport = tcp->th_dport;

VENDOR INFORMATION

	The latest source releases of IPFilter can be obtained at:



	In addition, FreeBSD, NetBSD, and OpenBSD contain IPFilter in
	their operating systems, and patches have been applied to the
	following:
		FreeBSD 3-stable, FreeBSD 4-stable, FreeBSD-current,
		NetBSD-current, and OpenBSD 2.7-current.

	Errata patches will be available shortly for the following:
		NetBSD-1.4, OpenBSD 2.6-base, and OpenBSD 2.7-base

GORY DETAILS
(removed for brevity, look up the post -dengue)


--
.emf.

(Comments are closed)

Latest Articles

Fri, Apr 26
- 08:33 Passphrase timeout for disk decryption at boot added (potential battery lifesaver) (1)
Wed, Apr 24
- 04:35 Game of Trees 0.98 released (2)
Tue, Apr 23
- 05:25 pfctl(8) and systat(8) to display fragment reassembly statistics (0)
Thu, Apr 18
- 05:05 Coming soon to a -current system near you: parallel raw IP input (0)
Wed, Apr 17
- 05:33 In -current, default write format for tar(1) changed to "pax" (12)
Wed, Apr 10
- 18:50 OpenSMTPD 7.5.0p0 Released (2)
Tue, Apr 09
- 04:49 20 years since "and we're just starting": undeadly.org turns 20 (2024-04-09) (13)
Fri, Apr 05
- 06:16 OpenBSD 7.5 released (3)
Thu, Mar 28
- 18:18 LibreSSL 3.8.4 and 3.9.1 released (0)

Credits

Copyright © 2004-2008 Daniel Hartmeier. All rights reserved. Articles and comments are copyright their respective authors, submission implies license to publish on this web site. Contents of the archive prior to April 2nd 2004 as well as images and HTML templates were copied from the fabulous original deadly.org with Jose's and Jim's kind permission. This journal runs as CGI with httpd(8) on OpenBSD, the source code is BSD licensed. undeadly \Un*dead"ly\, a. Not subject to death; immortal. [Obs.]