TCLUG Archive

Re: [TCLUG:10490] IPChains exploit?



Subject:      Linux 2.2.10 ipchains Advisory
X-To:         bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM

Linux ipchains Firewall Vulnerability
data protect GmbH - Advisory #2
July 27, 1999

Authors: Thomas Lopatic <tl@dataprotect.com>
         John McDonald  <jm@dataprotect.com>

Overview
--------

data protect has discovered a potential vulnerability in the Linux ipchains
firewall implementation. In certain situations, it is possible for an
attacker to bypass the packet filter when communicating with machines that
allow incoming packets to specific ports. This attack is a variation
of previously discussed fragmentation attacks, where the attacker uses
fragments to rewrite parts of the TCP or UDP protocol header. In this case
port information is rewritten in order to gain access to ports that should
be blocked by the firewall.

Included in this advisory is a patch to the 2.2.10 Linux kernel that corrects
this vulnerability, and a pointer to example code that demonstrates the
problem.

Problem Description
-------------------

The Linux ipchains firewall code has special provisions for IP fragments that
do not contain enough information for transport protocol header analysis.
Fragments that start at offset 0, and are not long enough to provide complete
transport header information are treated like fragments with an offset > 0
(> 1 in the TCP case). This is the relevant code from ip_fw.c:

.
.
.

Regards

					- Karl

On Wed, 24 Nov 1999, Bob Tanner wrote:

> My sales person from one of the commercial firewall providers says there is
> (was?) a publicly announced exploit in Linux IPChains.
> 
> I am on both BUGTRAQ and the RedHat Security List and did not see it. Anyone
> know about this? Maybe it was just salesmen crap. :-)
> 
>
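The problem the forwarded advisory describes, a first fragment too short to carry the transport ports being handled as if it were a later fragment, can be modelled outside the kernel. The following is an added example and is not the advisory's patch or the ipchains code from ip_fw.c: it parses constructed IPv4 fragments, classifies them, and contrasts a filter that treats a short first fragment as a later fragment with one that drops it. The 4-byte port requirement, the "later fragments are accepted" policy, the packet builder and the addresses are assumptions of the model.

```python
import struct
from dataclasses import dataclass

IPPROTO_TCP, IPPROTO_UDP = 6, 17

# Assumption of this model: the filter needs the full source/destination port
# pair (4 bytes) of the transport header before it can apply a port rule.
PORT_BYTES_NEEDED = {IPPROTO_TCP: 4, IPPROTO_UDP: 4}


@dataclass
class Fragment:
    proto: int
    offset: int      # fragment offset in 8-byte units
    more: bool       # "more fragments" flag
    payload: bytes   # bytes following the IP header


def parse_ipv4(raw: bytes) -> Fragment:
    """Parse just enough of an IPv4 header to classify a fragment."""
    if len(raw) < 20:
        raise ValueError("truncated IPv4 header")
    vihl, _tos, tot_len, _ident, frag, _ttl, proto = struct.unpack("!BBHHHBB", raw[:10])
    ihl = (vihl & 0x0F) * 4
    if (vihl >> 4) != 4 or ihl < 20 or tot_len < ihl or len(raw) < tot_len:
        raise ValueError("bad IPv4 header")
    return Fragment(proto=proto, offset=frag & 0x1FFF,
                    more=bool(frag & 0x2000), payload=raw[ihl:tot_len])


def classify(frag: Fragment) -> str:
    """Return 'later', 'first' or 'short_first' (offset 0 but no complete port pair)."""
    if frag.offset != 0:
        return "later"
    if len(frag.payload) < PORT_BYTES_NEEDED.get(frag.proto, 0):
        return "short_first"
    return "first"


def dest_port(frag: Fragment) -> int:
    """Destination port sits at bytes 2..3 of both the TCP and the UDP header."""
    return struct.unpack("!H", frag.payload[2:4])[0]


def filter_weak(frag: Fragment, allowed_ports: set) -> str:
    """Behaviour the advisory describes: a short first fragment is handled like a
    later fragment, and later fragments cannot be matched by port, so this
    policy lets them through without a port decision."""
    kind = classify(frag)
    if kind in ("later", "short_first"):
        return "ACCEPT"
    return "ACCEPT" if dest_port(frag) in allowed_ports else "DENY"


def filter_hardened(frag: Fragment, allowed_ports: set) -> str:
    """Mitigation modelled here: a first fragment that does not carry the whole
    port pair is dropped instead of being passed as a later fragment."""
    kind = classify(frag)
    if kind == "short_first":
        return "DENY"
    if kind == "later":
        return "ACCEPT"
    return "ACCEPT" if dest_port(frag) in allowed_ports else "DENY"


def build_ipv4(proto: int, offset: int, more: bool, payload: bytes) -> bytes:
    """Constructed test packet; checksum left at 0 because the model ignores it."""
    frag = (0x2000 if more else 0) | (offset & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, frag,
                      64, proto, 0, bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2]))
    return hdr + payload


def demo() -> dict:
    """Run both filters over constructed fragments; only port 53 is allowed."""
    allowed = {53}
    udp_full = struct.pack("!HHHH", 40000, 53, 8, 0)      # complete UDP header
    udp_other = struct.pack("!HHHH", 40000, 22, 8, 0)
    cases = {
        "first_allowed": build_ipv4(IPPROTO_UDP, 0, False, udp_full),
        "first_blocked": build_ipv4(IPPROTO_UDP, 0, False, udp_other),
        "short_first": build_ipv4(IPPROTO_UDP, 0, True, udp_full[:2]),  # ports cut off
        "later": build_ipv4(IPPROTO_UDP, 3, False, b"\x00" * 8),
    }
    return {name: (filter_weak(parse_ipv4(pkt), allowed),
                   filter_hardened(parse_ipv4(pkt), allowed))
            for name, pkt in cases.items()}


if __name__ == "__main__":
    for name, (weak, hard) in demo().items():
        print(f"{name:14s} weak={weak:6s} hardened={hard}")
```

The only row where the two filters disagree is the short first fragment: the weak filter accepts it because it never reaches a port decision, the hardened one refuses to pass a first fragment it cannot classify by port.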