From: Patrick McHardy <kaber@trash.net>
To: Netfilter Development Mailinglist <netfilter-devel@lists.netfilter.org>
Subject: [PATCH]: fix ipt_REJECT broken UDP crc firewall spotting (phrack 60)
Date: Sun, 05 Jan 2003 20:40:52 +0100
Message-ID: <3E188A44.4000606@trash.net>
Hi.
Sorry if this mail arrives twice; Mozilla crashed while sending and it seems it did not make it out before.
ipt_REJECT sends unreachables in response to UDP packets with invalid checksums, thereby exposing the existence of a firewall (as described in phrack #60, "broken crc firewall spotting" (or something like this), www.phrack.com).
To verify, please try this:
# send udp with correct checksum
hping -2 host -p 20000
# send udp with invalid checksum
hping -2 host -p 20000 -b
Now insert a rule to reject those packets on host or somewhere between you and host, and try it again.
The patch makes ipt_REJECT verify UDP checksums if set.
Regards,
Patrick
[-- Attachment #2: ipt_REJECT-fwspotting-phrack60-fix.diff --]
diff -urN linux-2.4.21-pre2-clean/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.21-pre2/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.21-pre2-clean/net/ipv4/netfilter/ipt_REJECT.c 2002-11-29 00:53:15.000000000 +0100
+++ linux-2.4.21-pre2/net/ipv4/netfilter/ipt_REJECT.c 2003-01-05 19:59:27.000000000 +0100
@@ -6,6 +6,8 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/icmp.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/tcp.h>
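Review bot: the two includes added in this hunk do not match the symbols the patch actually introduces. `csum_tcpudp_magic()` and `csum_partial()` in the later hunk come from `<net/checksum.h>` (and the arch's `<asm/checksum.h>` behind it), which this file only sees transitively through `<net/ip.h>`/`<net/tcp.h>`; include it explicitly so the dependency survives header reshuffles. Conversely, `<linux/icmp.h>` is already pulled in by the existing `<net/icmp.h>` line (the unchanged `struct icmphdr *icmph;` declaration compiled before this patch), so that addition is redundant and can be dropped.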
@@ -157,6 +159,7 @@
static void send_unreach(struct sk_buff *skb_in, int code)
{
struct iphdr *iph;
+ struct udphdr *udph;
struct icmphdr *icmph;
struct sk_buff *nskb;
u32 saddr;
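Review bot: `udph` is only used inside the new UDP block in the following hunk; declare it there, next to `datalen`, rather than at function scope. That keeps the pointer's lifetime tied to the guard that is supposed to validate the header length, and leaves `send_unreach()`'s top-level declarations to the variables the whole function shares.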
@@ -186,6 +189,19 @@
if (iph->frag_off&htons(IP_OFFSET))
return;
+ /* if UDP checksum is set, verify it's correct */
+ if (iph->protocol == IPPROTO_UDP
+ && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
+ int datalen = skb_in->len - (iph->ihl<<2);
+ udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
+ if (udph->check
+ && csum_tcpudp_magic(iph->saddr, iph->daddr,
+ datalen, IPPROTO_UDP,
+ csum_partial((char *)udph, datalen,
+ 0)) != 0)
+ return;
+ }
+
/* If we send an ICMP error to an ICMP error a mess would result.. */
if (iph->protocol == IPPROTO_ICMP
&& skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
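Review bot: the length guard on the new UDP branch, `skb_in->tail-(u8*)iph >= sizeof(struct udphdr)`, measures from the start of the IP header, so any packet with a 20-byte IP header satisfies it even when no UDP header follows; `datalen` can then be smaller than 8 and `udph->check` is read beyond the bytes the skb actually holds. Compute `datalen` first and test `datalen >= sizeof(struct udphdr)` before dereferencing `udph` (the ICMP guard two lines below has the same shape, but new code need not copy it). Second, the sum runs over `datalen`, i.e. to the end of the skb, rather than over `ntohs(udph->len)`: a valid datagram carrying trailing bytes after the UDP length would fail verification and be dropped silently, while a `udph->len` larger than `datalen` signals truncation; check `ntohs(udph->len)` against `datalen` and sum over `udph->len`. Finally, the trailing `Binärdateien ... .ipt_REJECT.c.swp ... sind verschieden` line shows an editor swap file sitting in the source tree; regenerate the diff without it.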
Binärdateien linux-2.4.21-pre2-clean/net/ipv4/netfilter/.ipt_REJECT.c.swp and linux-2.4.21-pre2/net/ipv4/netfilter/.ipt_REJECT.c.swp sind verschieden.
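The same gate modelled in user space, as an added example that is not part of the patch or of the kernel: it mirrors the decision the patch adds to send_unreach() (answer only when the UDP checksum is absent or verifies, stay silent when it is present and wrong) and additionally checks the UDP length field against the IP payload and sums over that length rather than to the end of the buffer, so trailing padding is not mistaken for a bad checksum. The addresses, ports and payload in the packet builder are constructed sample values, and csum_partial/csum_fold/udp_checksum are local re-implementations of the arithmetic, not the kernel's functions.

```c
/* Added example, not from the patch or the kernel: a user-space model of the
 * UDP-checksum gate the patch puts in front of send_unreach().  A UDP packet
 * whose checksum is present but wrong gets the silence a real host gives it.
 * Addresses, ports and payloads below are constructed sample values. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IPPROTO_UDP 17

/* REJECT_MALFORMED: too short or inconsistent to judge; REJECT_SILENT: UDP
 * checksum present but wrong, say nothing; REJECT_REPLY: ICMP unreachable is fine. */
enum verdict { REJECT_MALFORMED = -1, REJECT_SILENT = 0, REJECT_REPLY = 1 };

/* Sum 16-bit big-endian words (RFC 1071); an odd trailing byte is zero-padded. */
static uint32_t csum_partial(const uint8_t *p, size_t len, uint32_t sum)
{
    for (; len > 1; p += 2, len -= 2)
        sum += ((uint32_t)p[0] << 8) | p[1];
    return len ? sum + ((uint32_t)p[0] << 8) : sum;
}

/* Fold the carries back in and complement, like the kernel's csum_fold(). */
static uint16_t csum_fold(uint32_t sum)
{
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return (uint16_t)~sum;
}

/* UDP checksum: RFC 768 pseudo header (saddr, daddr, protocol, UDP length), then
 * udplen bytes of UDP header and payload; the value csum_tcpudp_magic() yields. */
static uint16_t udp_checksum(const uint8_t *iph, const uint8_t *udph, uint16_t udplen)
{
    uint32_t sum = csum_partial(iph + 12, 8, 0) + IPPROTO_UDP + udplen;
    return csum_fold(csum_partial(udph, udplen, sum));
}

/* Decide whether a packet that matched a REJECT rule may be answered. */
int udp_reject_verdict(const uint8_t *pkt, size_t len)
{
    if (len < 20)
        return REJECT_MALFORMED;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl)
        return REJECT_MALFORMED;
    if (pkt[9] != IPPROTO_UDP)
        return REJECT_REPLY;                /* not UDP: this gate does not apply */
    size_t datalen = len - ihl;             /* the patch's datalen: IP payload length */
    const uint8_t *udph = pkt + ihl;
    if (datalen < 8)
        return REJECT_MALFORMED;            /* no complete UDP header */
    uint16_t udplen = ((uint16_t)udph[4] << 8) | udph[5];
    uint16_t check = ((uint16_t)udph[6] << 8) | udph[7];
    if (udplen < 8 || udplen > datalen)
        return REJECT_MALFORMED;            /* UDP length field disagrees with the packet */
    if (check == 0)
        return REJECT_REPLY;                /* IPv4 UDP with checksum disabled: nothing to verify */
    /* Summing over the stored checksum as well gives 0 exactly when it verifies. */
    return udp_checksum(pkt, udph, udplen) == 0 ? REJECT_REPLY : REJECT_SILENT;
}

/* Build a constructed IPv4/UDP datagram 10.0.0.1:40000 -> 10.0.0.2:20000 (20000
 * being the port from the hping examples); returns its length, 0 if buf is too small. */
size_t build_udp_packet(uint8_t *buf, size_t bufsz, const char *payload, int with_checksum)
{
    size_t plen = strlen(payload), ulen = 8 + plen, total = 20 + ulen;
    if (total > bufsz || total > 0xffff)
        return 0;
    memset(buf, 0, total);
    buf[0] = 0x45;                          /* IPv4, IHL 5 */
    buf[2] = total >> 8;  buf[3] = total & 0xff;
    buf[8] = 64;                            /* TTL */
    buf[9] = IPPROTO_UDP;                   /* IP header checksum left 0: not what is under test */
    memcpy(buf + 12, "\x0a\x00\x00\x01\x0a\x00\x00\x02", 8);
    uint8_t *udph = buf + 20;
    udph[0] = 40000 >> 8;  udph[1] = 40000 & 0xff;
    udph[2] = 20000 >> 8;  udph[3] = 20000 & 0xff;
    udph[4] = ulen >> 8;   udph[5] = ulen & 0xff;
    memcpy(udph + 8, payload, plen);
    if (with_checksum) {
        uint16_t c = udp_checksum(buf, udph, (uint16_t)ulen);
        udph[6] = (c ? c : 0xffff) >> 8;    /* RFC 768: a computed zero is sent as all ones */
        udph[7] = (c ? c : 0xffff) & 0xff;
    }
    return total;
}

/* Runs the gate over constructed scenarios; returns how many behaved as expected (5 when all do). */
int run_self_check(void)
{
    uint8_t buf[128];
    int ok = 0;
    size_t n = build_udp_packet(buf, sizeof buf, "probe", 1);
    ok += udp_reject_verdict(buf, n) == REJECT_REPLY;        /* good checksum: answer */
    ok += udp_reject_verdict(buf, 25) == REJECT_MALFORMED;   /* cut inside the UDP header */
    ok += udp_reject_verdict(buf, 30) == REJECT_MALFORMED;   /* UDP length 13, only 10 bytes left */
    buf[n - 1] ^= 0x01;
    ok += udp_reject_verdict(buf, n) == REJECT_SILENT;       /* bad checksum: stay quiet */
    n = build_udp_packet(buf, sizeof buf, "probe", 0);
    ok += udp_reject_verdict(buf, n) == REJECT_REPLY;        /* checksum 0: unverifiable, answer */
    return ok;
}

int main(void) { printf("%d of 5 scenarios behaved as expected\n", run_self_check()); return 0; }
```

The verdict order matters: the length consistency check runs before the `check == 0` shortcut, so a truncated or mis-sized datagram is flagged as malformed whether or not its sender bothered with a checksum, and only a well-formed datagram with a checksum of zero is let through unverified.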
Thread overview (2 messages):
2003-01-05 19:40  Patrick McHardy [this message]
2003-01-06 12:29    [PATCH]: fix ipt_REJECT broken UDP crc firewall spotting (phrack 60)  Harald Welte