Linux kernel IGMP vulnerabilities

Linux kernel IGMP vulnerabilities

[David Jacoby]

Hi and Merry Xmas everyone!


I just have a little question, is there a way to turn on IGMP support in 
the kernel?, I removed
multicast support but is that enugh?

They said that you could see if you are vulnerable by looking at these 
files:

/proc/net/igmp
/proc/net/mcfilter

and if both existed and were non-emptu you were vulnerable.


On a defualt installation on Slackware 10 the files mcfilter
is empty but on other servers with various kernel versions
both files contains some data.

The slackware machine is running 2.4.24. As i said i removed
multicast support in the kernel but when i compiled it i saw
that it created igmp.o anyway.


Any advice about how people can patch this security issue?


Thnx!

//David



-- 
Outpost24 AB

David Jacoby
Research & Development

Office: +46-455-612310
Mobile: +46-455-612311
(www.outpost24.com) (dj@outpost24.com) 

Re: Linux kernel IGMP vulnerabilities

[YOSHIFUJI Hideaki / 吉藤英明]

In article <41BFF931.6030205@outpost24.com> (at Wed, 15 Dec 2004 09:43:29 +0100), David Jacoby <dj@outpost24.com> says:

> Any advice about how people can patch this security issue?

http://linux.bkbits.net:8080/linux-2.6/cset@41bf39b1RGfvOMInGewwDyzfcuL2OQ

--yoshfuji

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[David Jacoby]

Hi!

Anyone else tried to apply this patch? The patch does work but not 
properly.
I guess the machie is secure against the DoS attack but after i 
installed the patch
i cant use SSH.When i tryed to SSH i didnt get any password prompt.


user@autopsia:~$ ssh user@192.168.0.1
Permission denied, please try again.
Permission denied, please try again.
Permission denied (publickey,password,keyboard-interactive).

The patch will crash SSH :|

//David


YOSHIFUJI Hideaki wrote:

>In article <41BFF931.6030205@outpost24.com> (at Wed, 15 Dec 2004 09:43:29 +0100), David Jacoby <dj@outpost24.com> says:
>
>  
>
>>Any advice about how people can patch this security issue?
>>    
>>
>
>http://linux.bkbits.net:8080/linux-2.6/cset@41bf39b1RGfvOMInGewwDyzfcuL2OQ
>
>--yoshfuji
>
>  
>


-- 
Outpost24 AB

David Jacoby
Research & Development

Office: +46-455-612310
Mobile: +46-455-612311
(www.outpost24.com) (dj@outpost24.com) 

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[Marc-Christian Petersen]

On Wednesday 15 December 2004 12:49, David Jacoby wrote:

> Anyone else tried to apply this patch? The patch does work but not
> properly.
> I guess the machie is secure against the DoS attack but after i
> installed the patch
> i cant use SSH.When i tryed to SSH i didnt get any password prompt.
> user@autopsia:~$ ssh user@192.168.0.1
> Permission denied, please try again.
> Permission denied, please try again.
> Permission denied (publickey,password,keyboard-interactive).
> The patch will crash SSH :|

without looking at the patch, I think this isn't the causer of the patch at 
all.

ciao, Marc

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[David Jacoby]

Marc-Christian Petersen wrote:

>On Wednesday 15 December 2004 12:49, David Jacoby wrote:
>
>  
>
>>Anyone else tried to apply this patch? The patch does work but not
>>properly.
>>I guess the machie is secure against the DoS attack but after i
>>installed the patch
>>i cant use SSH.When i tryed to SSH i didnt get any password prompt.
>>user@autopsia:~$ ssh user@192.168.0.1
>>Permission denied, please try again.
>>Permission denied, please try again.
>>Permission denied (publickey,password,keyboard-interactive).
>>The patch will crash SSH :|
>>    
>>
>
>without looking at the patch, I think this isn't the causer of the patch at 
>all.
>
>ciao, Marc
>
>  
>
Well it is, i booted on the old kernel and SSH worked perfect and then 
on the new kernel with the patch i cant SSH, i dont even
get an password prompt. I tried to ssh to more than one host aswell, i 
also removed the key in .known_hosts but it still doesnt work.

Have you installed the patch?

//David


-- 
Outpost24 AB

David Jacoby
Research & Development

Office: +46-455-612310
Mobile: +46-455-612311
(www.outpost24.com) (dj@outpost24.com) 

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[David Jacoby]

Hi Peter!

Well as i said in an earlier mail im using the default 2.4.24 kernel 
that is shipped
with Slackware. And the patched kernel is an 2.6.9 kernel from kernel.org

I did an "ssh -vvv" against the same host with different kernel versions 
and here is the result:

user@autopisa:~$ diff ssh_new_kernel.log ssh_old_kernel.log > ssh_diff.log
user@autopisa:~$ cat ssh_diff.log

45,46c45,46
< debug2: dh_gen_key: priv key bits set: 129/256
< debug2: bits set: 510/1024
---
 > debug2: dh_gen_key: priv key bits set: 126/256
 > debug2: bits set: 512/1024
53c53
< debug2: bits set: 529/1024
---
 > debug2: bits set: 512/1024
94c94
< debug3: packet_send2: adding 64 (len 49 padlen 15 extra_pad 64)
---
 > debug3: packet_send2: adding 64 (len 57 padlen 7 extra_pad 64)
96,107c96,186
< debug1: Authentications that can continue: 
publickey,password,keyboard-interactive
< Permission denied, please try again.
< debug3: packet_send2: adding 64 (len 49 padlen 15 extra_pad 64)
< debug2: we sent a password packet, wait for reply
< debug1: Authentications that can continue: 
publickey,password,keyboard-interactive
< Permission denied, please try again.
< debug3: packet_send2: adding 64 (len 49 padlen 15 extra_pad 64)
< debug2: we sent a password packet, wait for reply
< debug1: Authentications that can continue: 
publickey,password,keyboard-interactive
< debug2: we did not send a packet, disable method
< debug1: No more authentication methods to try.
< Permission denied (publickey,password,keyboard-interactive).
---
 > debug1: Authentication succeeded (password).
 > debug2: fd 6 setting O_NONBLOCK
 > debug1: channel 0: new [client-session]
 > debug3: ssh_session2_open: channel_new: 0
 > debug2: channel 0: send open
 > debug1: Entering interactive session.
 > debug2: callback start
 > debug2: ssh_session2_setup: id 0
 > debug2: channel 0: request pty-req
 > debug3: tty_make_modes: ospeed 38400
 > debug3: tty_make_modes: ispeed 38400
 > debug3: tty_make_modes: 1 3
 > debug3: tty_make_modes: 2 28
 > debug3: tty_make_modes: 3 127
 > debug3: tty_make_modes: 4 21
 > debug3: tty_make_modes: 5 4
 > debug3: tty_make_modes: 6 0
 > debug3: tty_make_modes: 7 0
 > debug3: tty_make_modes: 8 17
 > debug3: tty_make_modes: 9 19
 > debug3: tty_make_modes: 10 26
 > debug3: tty_make_modes: 12 18
 > debug3: tty_make_modes: 13 23
 > debug3: tty_make_modes: 14 22
 > debug3: tty_make_modes: 18 15
 > debug3: tty_make_modes: 30 0
 > debug3: tty_make_modes: 31 0
 > debug3: tty_make_modes: 32 0
 > debug3: tty_make_modes: 33 0
 > debug3: tty_make_modes: 34 0
 > debug3: tty_make_modes: 35 0
 > debug3: tty_make_modes: 36 1
 > debug3: tty_make_modes: 37 0
 > debug3: tty_make_modes: 38 1
 > debug3: tty_make_modes: 39 0
 > debug3: tty_make_modes: 40 0
 > debug3: tty_make_modes: 41 0
 > debug3: tty_make_modes: 50 1
 > debug3: tty_make_modes: 51 1
 > debug3: tty_make_modes: 52 0
 > debug3: tty_make_modes: 53 1
 > debug3: tty_make_modes: 54 1
 > debug3: tty_make_modes: 55 1
 > debug3: tty_make_modes: 56 0
 > debug3: tty_make_modes: 57 0
 > debug3: tty_make_modes: 58 0
 > debug3: tty_make_modes: 59 1
 > debug3: tty_make_modes: 60 1
 > debug3: tty_make_modes: 61 1
 > debug3: tty_make_modes: 62 0
 > debug3: tty_make_modes: 70 1
 > debug3: tty_make_modes: 71 0
 > debug3: tty_make_modes: 72 1
 > debug3: tty_make_modes: 73 0
 > debug3: tty_make_modes: 74 0
 > debug3: tty_make_modes: 75 0
 > debug3: tty_make_modes: 90 1
 > debug3: tty_make_modes: 91 1
 > debug3: tty_make_modes: 92 0
 > debug3: tty_make_modes: 93 0
 > debug2: channel 0: request shell
 > debug2: fd 3 setting TCP_NODELAY
 > debug2: callback done
 > debug2: channel 0: open confirm rwindow 0 rmax 32768
 > debug2: channel 0: rcvd adjust 131072
 > debug2: channel 0: rcvd eof
 > debug2: channel 0: output open -> drain
 > debug2: channel 0: obuf empty
 > debug2: channel 0: close_write
 > debug2: channel 0: output drain -> closed
 > debug1: client_input_channel_req: channel 0 rtype exit-status reply 0
 > debug2: channel 0: rcvd close
 > debug2: channel 0: close_read
 > debug2: channel 0: input open -> closed
 > debug3: channel 0: will not send data after close
 > debug2: channel 0: almost dead
 > debug2: channel 0: gc: notify user
 > debug2: channel 0: gc: user detached
 > debug2: channel 0: send close
 > debug2: channel 0: is dead
 > debug2: channel 0: garbage collecting
 > debug1: channel 0: free: client-session, nchannels 1
 > debug3: channel 0: status: The following connections are open:
 >   #0 client-session (t4 r0 i3/0 o3/0 fd -1/-1)
 > debug3: channel 0: close_fds r -1 w -1 e 6
 > debug1: fd 2 clearing O_NONBLOCK
 > Connection to 192.168.200.1 closed.
 > debug1: Transferred: stdin 0, stdout 0, stderr 37 bytes in 1.3 seconds
 > debug1: Bytes per second: stdin 0.0, stdout 0.0, stderr 29.0
 > debug1: Exit status 0

The patch fucked something up, sorry for my language. Is there anyone 
else on
this list who has the patch installed?

//David



Peter Hicks wrote:

>On Wed, Dec 15, 2004 at 12:56:59PM +0100, David Jacoby wrote:
>
>  
>
>>Well it is, i booted on the old kernel and SSH worked perfect and then on
>>the new kernel with the patch i cant SSH, i dont even get an password
>>prompt. I tried to ssh to more than one host aswell, i also removed the
>>key in .known_hosts but it still doesnt work.
>>    
>>
>
>Compare the .config of the old and new kernels with 'diff' and check that
>nothing else at all was changed.  It is highly improbable that ssh uses IGMP
>functionality!
>
>
>Peter.
>
>  
>


-- 
Outpost24 AB

David Jacoby
Research & Development

Office: +46-455-612310
Mobile: +46-455-612311
(www.outpost24.com) (dj@outpost24.com) 

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[YOSHIFUJI Hideaki / 吉藤英明]

In article <41C029F7.7010405@outpost24.com> (at Wed, 15 Dec 2004 13:11:35 +0100), David Jacoby <dj@outpost24.com> says:
> 
> Well as i said in an earlier mail im using the default 2.4.24 kernel 
> that is shipped
> with Slackware. And the patched kernel is an 2.6.9 kernel from kernel.org

please try 2.4.24+patch or such.

--yoshfuji

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[Chris Wright]

* David Jacoby (dj@outpost24.com) wrote:
> The patch fucked something up, sorry for my language. Is there anyone 
> else on
> this list who has the patch installed?

Patch is fine.  I've used it and ssh quite a bit.  It only touches small
bit of multicast specific code which isn't used at all during ssh session.

thanks,
-chris

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[Phil Oester]

On Wed, Dec 15, 2004 at 10:34:07AM -0800, Chris Wright wrote:
> * David Jacoby (dj@outpost24.com) wrote:
> > The patch fucked something up, sorry for my language. Is there anyone 
> > else on
> > this list who has the patch installed?
> 
> Patch is fine.  I've used it and ssh quite a bit.  It only touches small
> bit of multicast specific code which isn't used at all during ssh session.

Yes, user is moving from unpatched 2.4.24 -> patched 2.6.9, and likely has
a pty config issue...

Phil

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[David S. Miller]

On Wed, 15 Dec 2004 12:56:59 +0100
David Jacoby <dj@outpost24.com> wrote:

> Well it is, i booted on the old kernel and SSH worked perfect and then 
> on the new kernel with the patch i cant SSH, i dont even
> get an password prompt. I tried to ssh to more than one host aswell, i 
> also removed the key in .known_hosts but it still doesnt work.
> 
> Have you installed the patch?

I'm personally running it everywhere here, and ssh works fine.

There is no way that patch can change SSH behavior, you changed
something else when you updated your kernel.

Re: Linux kernel IGMP vulnerabilities

[Lukasz Trabinski]

In article <20041215.180839.93043538.yoshfuji@linux-ipv6.org> you wrote:
> In article <41BFF931.6030205@outpost24.com> (at Wed, 15 Dec 2004 09:43:29 +0100), David Jacoby <dj@outpost24.com> says:
> 
>> Any advice about how people can patch this security issue?
> 
> http://linux.bkbits.net:8080/linux-2.6/cset@41bf39b1RGfvOMInGewwDyzfcuL2OQ

When we can expect officall realase of 2.4.X and 2.6.X with this patch?

-- 
*[ ŁT ]*

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[Willy Tarreau]

On Wed, Dec 15, 2004 at 11:40:17AM -0800, David S. Miller wrote:
 
> There is no way that patch can change SSH behavior, you changed
> something else when you updated your kernel.

He changed from 2.4.24 to 2.6.9, quite a few megabytes of patch indeed :-)

Willy

Re: Linux kernel IGMP vulnerabilities

[Marcelo Tosatti]

On Thu, Dec 16, 2004 at 01:08:09AM +0100, Lukasz Trabinski wrote:
> In article <20041215.180839.93043538.yoshfuji@linux-ipv6.org> you wrote:
> > In article <41BFF931.6030205@outpost24.com> (at Wed, 15 Dec 2004 09:43:29 +0100), David Jacoby <dj@outpost24.com> says:
> > 
> >> Any advice about how people can patch this security issue?
> > 
> > http://linux.bkbits.net:8080/linux-2.6/cset@41bf39b1RGfvOMInGewwDyzfcuL2OQ
> 
> When we can expect officall realase of 2.4.X and 2.6.X with this patch?

2.4.29 final should be released about end of January.

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[Bill Davidsen]

David Jacoby wrote:
> Marc-Christian Petersen wrote:
> 
>> On Wednesday 15 December 2004 12:49, David Jacoby wrote:
>>
>>  
>>
>>> Anyone else tried to apply this patch? The patch does work but not
>>> properly.
>>> I guess the machie is secure against the DoS attack but after i
>>> installed the patch
>>> i cant use SSH.When i tryed to SSH i didnt get any password prompt.
>>> user@autopsia:~$ ssh user@192.168.0.1
>>> Permission denied, please try again.
>>> Permission denied, please try again.
>>> Permission denied (publickey,password,keyboard-interactive).
>>> The patch will crash SSH :|
>>>   
>>
>>
>> without looking at the patch, I think this isn't the causer of the 
>> patch at all.
>>
>> ciao, Marc
>>
>>  
>>
> Well it is, i booted on the old kernel and SSH worked perfect and then 
> on the new kernel with the patch i cant SSH, i dont even
> get an password prompt. I tried to ssh to more than one host aswell, i 
> also removed the key in .known_hosts but it still doesnt work.

Are you claiming that the unpatched 2.6 kernel works and the patched 
didn't? Or that 2.6 doesn't work right in general on your system because 
of configuration issues? Unless the same 2.6 kernel works without the 
patch how can you even tell what is failing?

-- 
    -bill davidsen (davidsen@tmr.com)
"The secret to procrastination is to put things off until the
  last possible moment - but no longer"  -me

Re: Linux kernel IGMP vulnerabilities, PATCH IS BROKEN!

[David Jacoby]

Bill Davidsen wrote:

> David Jacoby wrote:
>
>> Marc-Christian Petersen wrote:
>>
>>> On Wednesday 15 December 2004 12:49, David Jacoby wrote:
>>>
>>>  
>>>
>>>> Anyone else tried to apply this patch? The patch does work but not
>>>> properly.
>>>> I guess the machie is secure against the DoS attack but after i
>>>> installed the patch
>>>> i cant use SSH.When i tryed to SSH i didnt get any password prompt.
>>>> user@autopsia:~$ ssh user@192.168.0.1
>>>> Permission denied, please try again.
>>>> Permission denied, please try again.
>>>> Permission denied (publickey,password,keyboard-interactive).
>>>> The patch will crash SSH :|
>>>>   
>>>
>>>
>>>
>>> without looking at the patch, I think this isn't the causer of the 
>>> patch at all.
>>>
>>> ciao, Marc
>>>
>>>  
>>>
>> Well it is, i booted on the old kernel and SSH worked perfect and 
>> then on the new kernel with the patch i cant SSH, i dont even
>> get an password prompt. I tried to ssh to more than one host aswell, 
>> i also removed the key in .known_hosts but it still doesnt work.
>
>
> Are you claiming that the unpatched 2.6 kernel works and the patched 
> didn't? Or that 2.6 doesn't work right in general on your system 
> because of configuration issues? Unless the same 2.6 kernel works 
> without the patch how can you even tell what is failing?
>
Well im sorry if i caused some mess ;), but it actually seems that the 
patch worked. I have no idea what when wrong the first time but
after further testing it worked. I would say that the problem was behind 
the keyboard and not in the patch.

Thanx for all your replies and that you tried to help but it seems that 
the patch is fine ;)

-- 
Outpost24 AB

David Jacoby
Research & Development

Office: +46-455-612310
Mobile: +46-455-612311
(www.outpost24.com) (dj@outpost24.com)