BugTraq
ipfilter denial of service problem Jan 06 2003 03:15AM
Yiming Gong (yiming security zz ha cn) (2 replies)
Below is an ipfilter security issue, and my previous mail to author
Darren was bounced back, so I think maybe I should mail it to this
mailing list.

Overview
--
Any time ipfilter sees a packet with the ACK bit set without the previous SYN,
it will mark it as TCPS_ESTABLISHED in its state table, and since
ipfilter will soon notice the RESET packet sent back by the system
application, it will then change its ttl in the state table to 1 minute. OK,
that's good.

But if an attacker sends a packet with the ACK bit set and a bad checksum, ipfilter
will happily add an "ESTABLISHED" session into its state table which
will wait 120 hours to time out instead of the normal 1 minute!

So in this way an evil guy can easily destroy the network
connection of any system with ipfilter installed in a few minutes!

proof of concept
--
[yiming@security.zz.ha.cn]# hping -s ip.of.spoofedandtrusted.box -A ip.of.target.box -p 22 -c 1 -b

You will immediately see a long wait ttl of 120 hours, like this:

security.zz.ha.cn,1235 server,22 4/0 tcp 1 40
119:59:48

Affected Versions:
--
I've tested the following versions of ipfilter:

IP Filter: v3.4.30

IP Filter: v3.4.29 (400)

A Chinese version of this security issue is at

http://security.zz.ha.cn

Best wishes!

--
I want a better life

Yiming Gong
Senior System Administrator
China Netcom
yiming@security.zz.ha.cn
http://security.zz.ha.cn
0086-371-7934907
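
As an added illustration that is not part of the original post, the following Python reads ipfstat-style state-table lines in the column layout the post shows ("src,sport dst,dport tcpstate proto pkts bytes" with the ttl wrapped onto the next line) and flags TCP entries that carry almost no traffic yet hold a multi-hour timeout, which is the symptom described above. The column layout, the field names and the sample lines are assumptions derived from the two lines quoted in the post, not from ipfilter's own documentation.

```python
import re

# Layout assumed from the ipfstat lines quoted in the post: "src,sport dst,dport tcpstate proto pkts bytes"
# followed by a ttl of H:MM:SS, which the post shows wrapped onto the next line.
ENTRY_RE = re.compile(
    r"^(?P<src>\S+),(?P<sport>\d+)\s+(?P<dst>\S+),(?P<dport>\d+)\s+(?P<state>\d+/\d+)\s+"
    r"(?P<proto>[a-z]+)\s+(?P<pkts>\d+)\s+(?P<bytes>\d+)\s+(?P<ttl>\d+:\d\d:\d\d)$"
)
TTL_ONLY_RE = re.compile(r"^\d+:\d\d:\d\d$")

def ttl_to_seconds(ttl):
    """Convert the H:MM:SS ttl column to seconds; hours may exceed 99 (e.g. 119:59:48)."""
    hours, minutes, seconds = (int(x) for x in ttl.split(":"))
    return hours * 3600 + minutes * 60 + seconds

def parse_state_table(text):
    """Parse ipfstat-style state lines, re-joining a ttl that wrapped onto its own line."""
    joined = []
    for line in (ln.strip() for ln in text.splitlines() if ln.strip()):
        if TTL_ONLY_RE.match(line) and joined:
            joined[-1] += " " + line  # the ttl belongs to the preceding entry
        else:
            joined.append(line)
    entries = []
    for line in joined:
        m = ENTRY_RE.match(line)
        if m is None:
            continue  # header, or a layout this parser does not understand
        e = m.groupdict()
        for key in ("sport", "dport", "pkts", "bytes"):
            e[key] = int(e[key])
        e["ttl_seconds"] = ttl_to_seconds(e["ttl"])
        entries.append(e)
    return entries

def stale_ack_entries(entries, max_pkts=2, min_ttl=3600):
    """Flag TCP entries that carry almost no traffic yet hold a multi-hour timeout."""
    return [e for e in entries
            if e["proto"] == "tcp" and e["pkts"] <= max_pkts and e["ttl_seconds"] >= min_ttl]

# Constructed sample: the entry quoted in the post plus two ordinary entries.
SAMPLE = """
security.zz.ha.cn,1235 server,22 4/0 tcp 1 40
119:59:48
10.0.0.7,40113 server,22 4/0 tcp 2 80
0:00:59
10.0.0.8,40200 server,22 4/4 tcp 4210 3182044
119:58:10
"""
```

Running stale_ack_entries(parse_state_table(SAMPLE)) returns only the first entry: one packet, 40 bytes, and a ttl of nearly 120 hours.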

Re: ipfilter denial of service problem Jan 06 2003 10:58PM
Darren Reed (avalon coombs anu edu au)
Re: ipfilter denial of service problem Jan 06 2003 07:08PM
Russ Dill (Russ Dill asu edu)