* Re: Ambiguities in TCP/IP - firewall bypassing (fwd)
@ 2002-10-19 11:38 Pekka Savola
From: Pekka Savola @ 2002-10-19 11:38 UTC (permalink / raw)
To: netdev
See the thread on bugtraq.
Linux 2.4.19 initiates TCP handshake with SYN and RST bits set. SYN with
_RST_ seems like a total nonsense (SYN with FIN might even be useful for
stuff like T/TCP) but I guess the spec didn't take any stance on that..
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords
---------- Forwarded message ----------
Date: Sat, 19 Oct 2002 01:03:47 +0200
From: Florian Weimer <Weimer@CERT.Uni-Stuttgart.DE>
To: Paul Starzetz <paul@starzetz.de>
Subject: Re: Ambiguities in TCP/IP - firewall bypassing
Paul Starzetz <paul@starzetz.de> writes:
> * Linux 2.4.19
>
> The examination of the source code of the TCP engine reveals that a
> TCP connection can be opened by any combination of the TCP flags
> having the SYN bit set and the ACK bit reset. For example we can open
> a TCP connection by sending an obviously bogus SYN,RST packet:
>
> 14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR
> 420:420(0) win 512 (DF) [tos 0x18]
> 14:25:43.889143 192.168.1.111.9999 > 192.168.1.184.12345: S
> 2168208394:2168208394(0) ack 421 win 5840 <mss 1460> (DF)
As a result of this bug, it's quite complicated (if not impossible in
some configurations) to properly filter connection attempts to Linux
hosts on Cisco IOS routers.
If your access list is a whitelist with a "permit tcp any any
established" statement somewhere, it's very likely that you can bypass
the filter just by setting the RST in the initial SYN packet, as
described above. The router will forward the packet, and the Linux
host will happily initiate the three-way handshake.
"established" in Cisco parlance does not mean "SYN unset", but "ACK or
RST set". This means that the impact for non-Linux hosts (which do
not react to SYN-RST packets according to Paul's survey) is less
severe if your filters run IOS.
--
Florian Weimer Weimer@CERT.Uni-Stuttgart.DE
University of Stuttgart http://CERT.Uni-Stuttgart.DE/people/fw/
RUS-CERT fax +49-711-685-5898
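The flag combinations discussed above, as an added example that is not part of the thread: a small Python model of the "established" keyword as Florian and Pekka describe it (ACK or RST set, not "SYN clear") next to the 2.4.19 LISTEN check from Paul's report (SYN set, ACK clear) and the same check with an RST test made first, as RFC 793 requires, run over a constructed TCP header mirroring the first tcpdump line. The function names and the header builder are assumptions for the illustration, not kernel or IOS code.

```python
import struct

# TCP flag bits in the low byte of the offset/flags word (RFC 793)
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20


def parse_tcp_flags(segment: bytes) -> int:
    """Return the six flag bits of a raw TCP header (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    # Bytes 12-13: data offset (4 bits), reserved (6 bits), flags (6 bits).
    (off_flags,) = struct.unpack("!H", segment[12:14])
    return off_flags & 0x3F


def ios_established(flags: int) -> bool:
    """IOS 'established' as described in the thread: ACK or RST set, not 'SYN clear'."""
    return bool(flags & (ACK | RST))


def listen_accepts_2419(flags: int) -> bool:
    """2.4.19 LISTEN path per Paul's report: SYN set and ACK clear opens a connection."""
    return bool(flags & SYN) and not flags & ACK


def listen_accepts_patched(flags: int) -> bool:
    """Same path with RST tested before anything else, as RFC 793 requires in LISTEN."""
    if flags & RST:
        return False
    return listen_accepts_2419(flags)


def slips_established_acl(flags: int, patched: bool = False) -> bool:
    """Detection rule: the ACL forwards the segment AND the listener still completes a handshake."""
    accepts = listen_accepts_patched if patched else listen_accepts_2419
    return ios_established(flags) and accepts(flags)


def build_tcp_header(sport: int, dport: int, seq: int, flags: int, window: int = 512) -> bytes:
    """Constructed 20-byte header (assumed helper): ack, checksum and urgent pointer left zero."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags, window, 0, 0)


# Constructed segment mirroring the report's first tcpdump line: 12345 > 9999, flags SR, seq 420, win 512
SYN_RST_SEGMENT = build_tcp_header(12345, 9999, 420, SYN | RST)


def classify(segment: bytes) -> dict:
    """Summarise how one raw TCP header fares against the ACL and both listener variants."""
    f = parse_tcp_flags(segment)
    return {"flags": f, "acl_forwards": ios_established(f),
            "opens_on_2419": listen_accepts_2419(f), "opens_after_fix": listen_accepts_patched(f)}
```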
* Re: Ambiguities in TCP/IP - firewall bypassing (fwd)
From: Andi Kleen @ 2002-10-20 4:35 UTC (permalink / raw)
To: Pekka Savola; +Cc: netdev
On Sat, Oct 19, 2002 at 02:38:56PM +0300, Pekka Savola wrote:
> See the thread on bugtraq.
>
> Linux 2.4.19 initiates TCP handshake with SYN and RST bits set. SYN with
> _RST_ seems like a total nonsense (SYN with FIN might even be useful for
> stuff like T/TCP) but I guess the spec didn't take any stance on that..
Here is a patch to fix it for 2.4.19.
--- linux/net/ipv4/tcp_input.c-o 2002-10-15 17:24:53.000000000 +0200
+++ linux/net/ipv4/tcp_input.c 2002-10-20 06:34:05.000000000 +0200
@@ -3664,6 +3664,9 @@
goto discard;
case TCP_LISTEN:
+ if(th->rst)
+ goto discard;
+
if(th->ack)
return 1;
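Review bot: the placement matches RFC 793's LISTEN processing, where an incoming RST is ignored before the ACK check, and it changes one visible behaviour: a segment with both RST and ACK set now goes to `discard` instead of reaching `if(th->ack) return 1;`. A short comment citing RFC 793 above `if(th->rst)` would keep the check from being reordered or dropped later. The hunk also closes only the SYN+RST case from the report; the SYN+FIN combination mentioned earlier in the thread is unaffected by this change.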
-Andi
* Re: Ambiguities in TCP/IP - firewall bypassing (fwd)
From: Pekka Savola @ 2002-10-30 17:16 UTC (permalink / raw)
To: Andi Kleen; +Cc: netdev
Thanks.
Needless to say I believe this is a big problem.
That's because about all firewalls/packet filters except Linux (possibly
due to the fact that there is no "established" except in full stateful
matching) -- checked Cisco, Juniper, BSD ipfw -- seem to treat
"established" as "ack|rst", and SYN+RST passes through them like a hot
knife in the butter.
On Sun, 20 Oct 2002, Andi Kleen wrote:
> On Sat, Oct 19, 2002 at 02:38:56PM +0300, Pekka Savola wrote:
> > See the thread on bugtraq.
> >
> > Linux 2.4.19 initiates TCP handshake with SYN and RST bits set. SYN with
> > _RST_ seems like a total nonsense (SYN with FIN might even be useful for
> > stuff like T/TCP) but I guess the spec didn't take any stance on that..
>
> Here is a patch to fix it for 2.4.19.
>
>
> --- linux/net/ipv4/tcp_input.c-o 2002-10-15 17:24:53.000000000 +0200
> +++ linux/net/ipv4/tcp_input.c 2002-10-20 06:34:05.000000000 +0200
> @@ -3664,6 +3664,9 @@
> goto discard;
>
> case TCP_LISTEN:
> + if(th->rst)
> + goto discard;
> +
> if(th->ack)
> return 1;
>
>
>
> -Andi
>
>
--
Pekka Savola
Netcore Oy
Systems. Networks. Security.

"Tell me of difficulties surmounted,
not those you stumble over and fall"
-- Robert Jordan: A Crown of Swords