[BUG] Security Announcement: ip6tables bug - level: very high

[Andras Kis-Szabo <kisza@securityaudit.hu>]

[-- Attachment #1: Type: text/plain, Size: 3854 bytes --]

Hi,

My worst nightmare came true: a very serious bug in the ip6tables code.
I can not beleive it, so please test it!

On 31 May 2002, Kraus, Darko sent a letter to Jozsef Kadlecsik:
> I have notices two not functional things in ip6tables:
> - ip6tables -A FORWARD -j ACCEPT -p all   <--- the protocol type "all" does
> not match anything. I have to specify individually tcp, udp and icmpv6 in
> order to get forwarded.
> - ip6tables -A FORWARD -j REJECT causes segmentation fault.
> I am using kernel V2.4.18 with latest IPtables 1.2.6a. Also I have applied
> Rusty's patch-o-matic that came with iptables-1.2.6a.tar.gz to that kernel.
> My host is running as a router, and I have no problems setting up iptables
> for IPv4. IPv6 is the one who causes these problems. I am using a tunnel
> broker to connect to the internet via IPv6. If you need some additional info
> please let me know.
Yes, it's true (I will fix this ASAP).
After this I started to play with the test packets.

The exapmle scenario:
# ip6tables -L
# tcpreplay6 <pure-icmpv6
# tcpreplay6 <ah-len24-spi4096-clean-dst-len8-sub2-len4-pad1-pad1
// or any other packet with extension headers
# ip6tables -A OUTPUT -p ipv6-icmp
# tcpreplay6 <pure-icmpv6
# ip6tables -L OUTPUT -n -v
Chain OUTPUT (policy ACCEPT 1 packets, 57 bytes)
 pkts bytes target     prot opt in     out    source destination        
    1    57            icmpv6    *      *      ::/0   ::/0       
# tcpreplay6 <ah-len24-spi4096-clean-dst-len8-sub2-len4-pad1-pad1
// or any other packet with extension headers


*** The kernel crashed immediately. ***

(The test packets can be found in the pool:
http://www.securityaudit.hu/Netfilter/addons/TestPackets/ )

The POSSIBLE location of the problem:
linux/net/ipv6/netfilter/ip6_tables.c
ip6_packet_match() function,
line 231:
-                hdrptr = (u_int8_t *)(ipv6 + 1);
+                hdrptr = (u_int8_t *)((void *)ipv6 + 1);

In patch form:
[..............]
--- ip6_tables-p0bug.c	Wed Jun  5 23:57:31 2002
+++ ip6_tables.c	Thu Jun  6 00:45:54 2002
@@ -228,7 +228,7 @@
 	if((ip6info->flags & IP6T_F_PROTO)) {
 		u_int8_t currenthdr = ipv6->nexthdr;
 		u_int8_t *hdrptr;
-		hdrptr = (u_int8_t *)(ipv6 + 1);
+		hdrptr = (u_int8_t *)((void *)ipv6 + 1);
 		do {
 			if (ip6info->proto == currenthdr) {
 				if(ip6info->invflags & IP6T_INV_PROTO)
[..............]

Other problem:
ip6_nexthdr() function:
[..............]
--- ip6_tables-p0bug.c	Wed Jun  5 23:57:31 2002
+++ ip6_tables.c	Thu Jun  6 00:50:11 2002
@@ -138,7 +138,6 @@
    and returns the new header value, else returns 0 */
 static u_int8_t ip6_nexthdr(u_int8_t currenthdr, u_int8_t *hdrptr)
 {
-	int i;
 	u_int8_t hdrlen, nexthdr = 0;
 	switch(currenthdr){
 		case IPPROTO_AH:
@@ -147,7 +146,7 @@
 		repeatedly...with a large stick...no, an even LARGER
 		stick...no, you're still not thinking big enough */
 			nexthdr = *hdrptr;
-			hdrlen = hdrptr[i] * 4 + 8;
+			hdrlen = hdrptr[1] * 4 + 8;
 			hdrptr = hdrptr + hdrlen;
 			break;
 		/*stupid rfc2402 */
[..............]
The variable 'i' used uninitzialized - a copied buggy code?

I don't know which one is the correct solution, I will test it (maybe in
an hour).

*** Affected systems ***
Any Linux system, which has a rule with protocol match (-p)!

*** Preparedness ***
Any script-kiddie, or a plain user with instructions.
Automated tool: possible

*** Result ***
Kernel crash

*** Required packet ***
- any IPv6 packet with options (fix: near the 1st patch)
- IPv6 packet with AH option (fix: near the 2nd patch)

Regards,

	kisza

-- 
    Andras Kis-Szabo       Security Development, Design and Audit
-------------------------/        Zorp, NetFilter and IPv6
 kisza@SecurityAudit.hu /-----Member of the BUTE-MIS-SEARCHlab------>

[-- Attachment #2: This is a digitally signed message part --]
[-- Type: application/pgp-signature, Size: 189 bytes --]