* OSDL Bugzilla #2399: A user can remotely route a packet through eth0 on a Linux machine
@ 2004-05-11 18:07 Nivedita Singhvi
2004-05-11 18:53 ` David Stevens
0 siblings, 1 reply; 4+ messages in thread
From: Nivedita Singhvi @ 2004-05-11 18:07 UTC (permalink / raw)
To: netdev; +Cc: snortwiz
Forwarding a bug report from Jared McLaren below.
Any thoughts?
thanks,
Nivedita
I couldn't Google up any information on this situation, so here goes...
Distribution:
Mandrake
Hardware Environment:
Gateway 450SX4 laptop
Software Environment:
Mandrake 10, kernel 2.6.3-4mdk
Problem Description:
While pen-testing a dual-homed Linux-based VPN appliance, I discovered the
device would route packets between its two interfaces without ip forwarding
enabled. I could route packets directly to the external interface by setting
the internal interface as the gateway. This device is based on a 2.4 kernel. I
tested this on my Mandrake 10 (2.6.3-4mdk) laptop and found the same results
from the 2.6.x kernel.
For a test, I placed my wireless network card (eth1) in my laptop and assigned
it the IP address 10.10.255.254. I bound SSH to 10.10.255.254 and restarted
SSH. My wired ethernet card (eth0) was at IP address 172.20.13.162. On a
remote desktop, I confirmed SSH was not available on 172.20.13.162. On that
remote desktop I then added a route to 10.10.255.254 using gateway 172.20.13.162
and could then SSH to 10.10.255.254. A 'cat' of /proc/sys/net/ipv4/ip_forward
on the Linux laptop was "0", so ip forwarding was not enabled.
The end result is that you can reach services bound to an interface on a Linux
machine that you may not be able to normally reach. This was all performed in
the default kernel configuration. This is only possible when one of the
interfaces resides on your network segment since it is used as a gateway.
Steps to reproduce:
a) Use a dual-homed machine (eth0, eth1)
b) bind a service to eth1
c) from a different machine, add a route to the IP of eth0
d) attach to the service on the IP of eth1
* Re: OSDL Bugzilla #2399: A user can remotely route a packet through eth0 on a Linux machine
From: David Stevens @ 2004-05-11 18:53 UTC (permalink / raw)
To: niv; +Cc: netdev, snortwiz
Routing is something done between different hosts. Hosts normally
will accept packets for any local address, regardless of
which interface it was received on.
That's not a bug; that's how almost everything works.
+-DLS
* Re: OSDL Bugzilla #2399: A user can remotely route a packet through eth0 on a Linux machine
From: Nivedita Singhvi @ 2004-05-11 19:15 UTC (permalink / raw)
To: David Stevens; +Cc: netdev, snortwiz
David Stevens wrote:
> Routing is something done between different hosts. Hosts normally
> will accept packets for any local address, regardless of
> which interface it was received on.
>
> That's not a bug; that's how almost everything works.
I think the only issue here is if an application that
binds to an interface should see packets coming in
from another, if that is what is happening here?
thanks,
Nivedita
* Re: OSDL Bugzilla #2399: A user can remotely route a packet through eth0 on a Linux machine
From: Olaf Kirch @ 2004-05-11 20:53 UTC (permalink / raw)
To: Nivedita Singhvi; +Cc: David Stevens, netdev, snortwiz
On Tue, May 11, 2004 at 12:15:18PM -0700, Nivedita Singhvi wrote:
> I think the only issue here is if an application that
> binds to an interface should see packets coming in
> from another - if that is what is happening here?.
Well, to bind to an interface you need to use SO_BINDTODEVICE.
Everything else is just another address. You can even assign an address
to the dummy device and as long as you create static arp entries,
pinging that address from other hosts will work.
Olaf
--
Olaf Kirch | The Hardware Gods hate me.
okir@suse.de |
---------------+
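The behaviour in the bug report (a packet for eth1's address arriving on eth0 is delivered to a service bound with bind() to that address, with ip_forward=0) and the explanation in the replies (local delivery is decided by address, not ingress interface; forwarding only concerns packets for other hosts; SO_BINDTODEVICE is what actually binds a socket to an interface) as a small model of the input path. This is an added example, not code from the thread or from the kernel. Interface names and addresses are the bug report's; the remote desktop's connected network, the non-local address 10.10.1.7, and the netfilter INPUT rule used as a host-side counter-measure are assumptions of the example, and the rule syntax is interpreted by the model rather than executed.

```python
# Added example: model of the Linux weak-host input path discussed in this
# thread. Not code from the thread or the kernel. Addresses from the bug
# report; 10.10.1.7 and the desktop's 172.20.13.0/24 route are constructed.
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    in_iface: str   # interface the frame arrived on
    dst: str        # destination IP address
    dport: int      # destination TCP port


@dataclass
class Socket:
    port: int
    bind_addr: str = "0.0.0.0"          # address given to bind(); 0.0.0.0 = INADDR_ANY
    bind_device: Optional[str] = None   # interface set with SO_BINDTODEVICE, if any


@dataclass
class InputRule:
    # Subset of `iptables -A INPUT [-i IFACE] [-d ADDR] -j TARGET` (assumed syntax).
    in_iface: Optional[str]
    dst: Optional[str]
    target: str     # "ACCEPT" or "DROP"


@dataclass
class Host:
    addrs: Dict[str, List[str]]         # iface -> addresses configured on it
    ip_forward: int = 0                 # /proc/sys/net/ipv4/ip_forward
    sockets: List[Socket] = field(default_factory=list)
    input_chain: List[InputRule] = field(default_factory=list)

    def is_local(self, addr: str) -> bool:
        # Local delivery consults the address table as a whole; the ingress
        # interface plays no part (weak host model, David's point).
        return any(addr in a for a in self.addrs.values())

    def receive(self, pkt: Packet) -> str:
        if not self.is_local(pkt.dst):
            # ip_forward only decides the fate of packets for other hosts.
            return "FORWARD" if self.ip_forward else "DROP: not local, ip_forward=0"
        for rule in self.input_chain:
            if rule.in_iface in (None, pkt.in_iface) and rule.dst in (None, pkt.dst):
                if rule.target == "DROP":
                    return "DROP: INPUT rule"
                break
        for sock in self.sockets:
            if sock.port != pkt.dport:
                continue
            if sock.bind_addr not in ("0.0.0.0", pkt.dst):
                continue    # bind() constrains the destination address only
            if sock.bind_device not in (None, pkt.in_iface):
                continue    # SO_BINDTODEVICE constrains the ingress interface
            return "DELIVER: port %d" % sock.port
        return "DROP: no listener"


def next_hop(routes: List[Tuple[str, Optional[str]]], dst: str) -> Optional[str]:
    # Longest-prefix match on the remote desktop's table: (prefix, gateway),
    # gateway None meaning directly connected. Returns the address the frame
    # is ARPed for, i.e. why the packet shows up on the laptop's eth0.
    best = None
    for prefix, gw in routes:
        net = ipaddress.ip_network(prefix)
        if ipaddress.ip_address(dst) in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, gw if gw is not None else dst)
    return None if best is None else best[1]


def thread_scenarios() -> Dict[str, Optional[str]]:
    laptop = Host(addrs={"eth0": ["172.20.13.162"], "eth1": ["10.10.255.254"]})
    via_eth0 = Packet(in_iface="eth0", dst="10.10.255.254", dport=22)
    via_eth1 = Packet(in_iface="eth1", dst="10.10.255.254", dport=22)
    results: Dict[str, Optional[str]] = {}

    # Remote desktop after "route add 10.10.255.254 gw 172.20.13.162"
    desktop_routes = [("172.20.13.0/24", None), ("10.10.255.254/32", "172.20.13.162")]
    results["desktop next hop"] = next_hop(desktop_routes, "10.10.255.254")

    # As reported: sshd bound with bind() to eth1's address, ip_forward=0
    laptop.sockets = [Socket(port=22, bind_addr="10.10.255.254")]
    results["bind() only"] = laptop.receive(via_eth0)

    # A destination the laptop does not own is where ip_forward=0 bites
    results["non-local dst"] = laptop.receive(Packet("eth0", "10.10.1.7", 22))

    # Olaf's point: SO_BINDTODEVICE is what binds to an interface
    laptop.sockets = [Socket(port=22, bind_addr="10.10.255.254", bind_device="eth1")]
    results["SO_BINDTODEVICE, via eth0"] = laptop.receive(via_eth0)
    results["SO_BINDTODEVICE, via eth1"] = laptop.receive(via_eth1)

    # Host-side alternative (assumed): refuse eth1's address on eth0 in INPUT
    laptop.sockets = [Socket(port=22, bind_addr="10.10.255.254")]
    laptop.input_chain = [InputRule(in_iface="eth0", dst="10.10.255.254", target="DROP")]
    results["INPUT rule, via eth0"] = laptop.receive(via_eth0)
    results["INPUT rule, via eth1"] = laptop.receive(via_eth1)
    return results
```

Run `thread_scenarios()` to see all seven decisions. The model deliberately keeps the three checks separate because they are separate in the kernel: the local/forward decision looks only at the address table, the socket lookup only at what the socket was bound to, and nothing in between ties an address to the interface it was configured on, which is why the report's observation is expected behaviour and why the fix, if one is wanted, is either SO_BINDTODEVICE in the daemon or an ingress-interface rule in front of it.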