* [PATCH]: fix ipt_REJECT broken UDP crc firewall spotting (phrack 60)
@ 2003-01-05 19:40 Patrick McHardy
2003-01-06 12:29 ` Harald Welte
0 siblings, 1 reply; 2+ messages in thread
From: Patrick McHardy @ 2003-01-05 19:40 UTC (permalink / raw)
To: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 667 bytes --]
Hi.
Sorry if this mail arrives twice, mozilla crashed while sending and it
seems it did not make it out before.
ipt_REJECT sends unreachables in response to UDP packets with invalid
checksums, thereby exposing the
existence of a firewall (as described in phrack #60, "broken crc
firewall spotting" (or something like this), www.phrack.com).
To verify, please try this:
# send udp with correct checksum
hping -2 host -p 20000
# send udp with invalid checksum
hping -2 host -p 20000 -b
Now insert a rule to reject those packets on host or somewhere between
you and host and try it again.
The patch makes ipt_REJECT verify UDP checksums if set.
Regards,
Patrick
[-- Attachment #2: ipt_REJECT-fwspotting-phrack60-fix.diff --]
[-- Type: text/plain, Size: 1641 bytes --]
diff -urN linux-2.4.21-pre2-clean/net/ipv4/netfilter/ipt_REJECT.c linux-2.4.21-pre2/net/ipv4/netfilter/ipt_REJECT.c
--- linux-2.4.21-pre2-clean/net/ipv4/netfilter/ipt_REJECT.c 2002-11-29 00:53:15.000000000 +0100
+++ linux-2.4.21-pre2/net/ipv4/netfilter/ipt_REJECT.c 2003-01-05 19:59:27.000000000 +0100
@@ -6,6 +6,8 @@
#include <linux/module.h>
#include <linux/skbuff.h>
#include <linux/ip.h>
+#include <linux/udp.h>
+#include <linux/icmp.h>
#include <net/icmp.h>
#include <net/ip.h>
#include <net/tcp.h>
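Review bot: the added #include <linux/icmp.h> in this hunk looks unrelated to the fix. The only new type the patch uses is struct udphdr, which <linux/udp.h> covers, while struct icmphdr was already in use in send_unreach() before the change (it appears as an unchanged context line in the next hunk). Suggest dropping the icmp include, or noting it in the description as a separate cleanup.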
@@ -157,6 +159,7 @@
static void send_unreach(struct sk_buff *skb_in, int code)
{
struct iphdr *iph;
+ struct udphdr *udph;
struct icmphdr *icmph;
struct sk_buff *nskb;
u32 saddr;
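Review bot: udph is declared at function scope here but is only assigned and read inside the new UDP block, where datalen is already declared locally. Declaring the pointer next to datalen inside that block would keep its scope tight and make this hunk unnecessary.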
@@ -186,6 +189,19 @@
if (iph->frag_off&htons(IP_OFFSET))
return;
+ /* if UDP checksum is set, verify it's correct */
+ if (iph->protocol == IPPROTO_UDP
+ && skb_in->tail-(u8*)iph >= sizeof(struct udphdr)) {
+ int datalen = skb_in->len - (iph->ihl<<2);
+ udph = (struct udphdr *)((char *)iph + (iph->ihl<<2));
+ if (udph->check
+ && csum_tcpudp_magic(iph->saddr, iph->daddr,
+ datalen, IPPROTO_UDP,
+ csum_partial((char *)udph, datalen,
+ 0)) != 0)
+ return;
+ }
+
/* If we send an ICMP error to an ICMP error a mess would result.. */
if (iph->protocol == IPPROTO_ICMP
&& skb_in->tail-(u8*)iph >= sizeof(struct icmphdr)) {
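Review bot: the length guard on the new UDP branch, "skb_in->tail-(u8*)iph >= sizeof(struct udphdr)", measures from the start of the IP header and does not add iph->ihl<<2, so it does not establish that a complete UDP header follows the IP header before udph->check is read. datalen is likewise taken from skb_in->len and passed to csum_partial() without checking that it is at least sizeof(struct udphdr) or that that many bytes lie between udph and skb_in->tail. Suggest guarding on (iph->ihl<<2) + sizeof(struct udphdr) and bounding datalen by the data actually present before summing. The comment could also say why the function returns silently on a bad checksum, since that is the whole point of the change.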
Binärdateien linux-2.4.21-pre2-clean/net/ipv4/netfilter/.ipt_REJECT.c.swp and linux-2.4.21-pre2/net/ipv4/netfilter/.ipt_REJECT.c.swp sind verschieden.
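Review bot: the trailing "Binärdateien ... .ipt_REJECT.c.swp ... sind verschieden" line shows the diff was generated while an editor swap file was present in the tree. It is not part of the change; please regenerate the patch with the file closed, or exclude dotfiles from the diff.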
* Re: [PATCH]: fix ipt_REJECT broken UDP crc firewall spotting (phrack 60)
2003-01-05 19:40 [PATCH]: fix ipt_REJECT broken UDP crc firewall spotting (phrack 60) Patrick McHardy
@ 2003-01-06 12:29 ` Harald Welte
0 siblings, 0 replies; 2+ messages in thread
From: Harald Welte @ 2003-01-06 12:29 UTC (permalink / raw)
To: Patrick McHardy; +Cc: Netfilter Development Mailinglist
[-- Attachment #1: Type: text/plain, Size: 740 bytes --]
On Sun, Jan 05, 2003 at 08:40:52PM +0100, Patrick McHardy wrote:
> Hi.
>
> ipt_REJECT sends unreachables in response to UDP packets with invalid
> checksums, thereby exposing the
> existence of a firewall (as described in phrack #60, "broken crc
> firewall spotting" (or something like this), www.phrack.com).
Thanks for fixing this issue. I will put your patch into the 'pending'
queue of patch-o-matic.
> Regards,
> Patrick
--
- Harald Welte / laforge@gnumonks.org http://www.gnumonks.org/
============================================================================
"If this were a dictatorship, it'd be a heck of a lot easier, just so long
as I'm the dictator." -- George W. Bush Dec 18, 2000
[-- Attachment #2: Type: application/pgp-signature, Size: 232 bytes --]
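The decision the patch in this thread adds to send_unreach(), restated as a user-space C sketch (an added example, not code from the patch or the kernel): verify the UDP checksum over the pseudo-header and stay silent when it is wrong, as an end host would. The function names and the sample packet are constructed for illustration; unlike the patch, the sketch bounds the sum by the UDP length field and treats a truncated UDP header as not answerable.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed sample: IPv4 192.0.2.1 -> 192.0.2.2, UDP 12345 -> 20000,
 * one payload byte 'A', UDP checksum 0xbc7e (IP header checksum unused). */
static const uint8_t sample_pkt[29] = {
    0x45, 0x00, 0x00, 0x1d, 0x00, 0x00, 0x00, 0x00, 0x40, 0x11, 0x00, 0x00,
    0xc0, 0x00, 0x02, 0x01, 0xc0, 0x00, 0x02, 0x02,
    0x30, 0x39, 0x4e, 0x20, 0x00, 0x09, 0xbc, 0x7e, 0x41 };

/* RFC 1071 one's-complement accumulation over big-endian 16-bit words. */
static uint32_t sum16(const uint8_t *p, size_t n, uint32_t acc)
{
    for (; n > 1; p += 2, n -= 2)
        acc += (uint32_t)p[0] << 8 | p[1];
    if (n)
        acc += (uint32_t)p[0] << 8;          /* odd byte, zero-padded */
    return acc;
}

/* 1 if the UDP checksum is unset (0) or correct; 0 if it is wrong or the
 * buffer cannot hold the IP and UDP headers. pkt points at the IP header. */
int udp_csum_ok(const uint8_t *pkt, size_t len)
{
    if (len < 20) return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    if (ihl < 20 || len < ihl + 8) return 0; /* bound includes the IP header */
    const uint8_t *udp = pkt + ihl;
    size_t ulen = (size_t)udp[4] << 8 | udp[5];
    if (ulen < 8 || ulen > len - ihl) return 0;
    if (udp[6] == 0 && udp[7] == 0) return 1; /* sender did not set one */
    uint32_t acc = sum16(pkt + 12, 8, 0);     /* pseudo-header: saddr, daddr */
    acc += 17 + (uint32_t)ulen;               /* zero, protocol, UDP length */
    acc = sum16(udp, ulen, acc);
    while (acc >> 16)
        acc = (acc & 0xffff) + (acc >> 16);
    return acc == 0xffff;
}

/* Answer with an ICMP unreachable only if the rejected packet passes the
 * same checksum test a real UDP stack applies before it would answer. */
int should_send_unreach(const uint8_t *pkt, size_t len)
{
    if (len >= 20 && pkt[9] == 17)            /* IPPROTO_UDP */
        return udp_csum_ok(pkt, len);
    return 1;
}

int main(void)
{
    return should_send_unreach(sample_pkt, sizeof sample_pkt) ? 0 : 1;
}
```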