Linux IPChains Fragment Overlap Vulnerability

There is a vulnerability in the linux firewall implementation in kernels 2.2.0 and above (IPChains). The vulnerability allows for an attacker to possibly send data to a blocked port. When a fragment is sent to a non-filtered port on a firewall with the IP_MF bit set and an offset of 0 with a full tcp header inside, it's possible to overlap the tcp port information. It is done by sending another fragment with an offset of 0, the IP_MF bit set and a length of 4 with the destination port number information. What happens is the following: when fragment A is sent to the firewall, it's passed onto the target host assuming it's going to the allowed port in the tcp header included in the fragment. The second fragment is sent along it's way as well, only to overlap the port information in the first while inside the reassembly chain. To finish off the attack, a fragment is sent with a normal offset (relative to the initial fragment) and an unset IP_MF bit. There are two conditions which need to be met to make this vulnerability exploitable: the linux kernel doing the firewalling needs to be configured so that defragmentation does not occur before passing through the filters and the firewall must allow non-first fragments to pass through.

The first two fragments sent may need to be reversed depending on the defragmentation implementation of the target host operating system.


Privacy Statement
Copyright 2010, SecurityFocus