Bugtraq mailing list archives
IP firewalling bugs
From: root () iifeak swan ac uk (System Administrator)
Date: Wed, 23 Aug 1995 10:24:58 +0100
A variety of systems based on the Ugen firewall code (FreeBSD/Linux, probably
NetBSD) are vulnerable to the following reported attack:
Send an IP fragment 0 acceptable to the firewall
Send an IP fragment at offset 8 to rewrite most of the header and all the data
For Linux at least the IP header should not be vulnerable to overwriting
because of the way the fragment merging is done. The following is a provisional,
not very tested fix (I only found out about the bug 30 minutes ago). Linux
is only vulnerable to tcp/udp header overwriting, so host-level blocking is
unaffected.
Because the Ugen firewall is virtually PD a variety of low end
routers seem to use it and may also be affected.
I will be issuing a tested fix to Linus for 1.2.14 once he returns from sunning
himself.
[This fix is of course GPL'd and Linux but the BSD fix should be similar and
obvious]
--- ip_fw.c Thu Jun 29 17:18:52 1995
+++ /tmp/ip_fw.c Wed Aug 23 10:11:22 1995
@@ -209,6 +209,30 @@
*/
frag1 = ((ntohs(ip->frag_off) & IP_OFFSET) == 0);
+
+ /*
+ * Stop any lead fragment attacks (eg sending the IP header
+ * and then overwriting it with a new fragment). The fragmenter
+ * works correctly to stop the rest of this attack.
+ */
+
+ if(frag1)
+ {
+ switch(ip->protocol)
+ {
+ case IPPROTO_UDP:
+ if(ip->ihl<<2+sizeof(struct udphdr)
+ >ntohs(ip->tot_len))
+ return 0;
+ break;
+ case IPPROTO_TCP:
+ if(ip->ihl<<2+sizeof(struct udphdr)
+ >ntohs(ip->tot_len))
+ return 0;
+ break;
+ }
+ }
+
if (!frag1 && (opt != 1) && (ip->protocol == IPPROTO_TCP ||
ip->protocol == IPPROTO_UDP))
return(1);
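Review bot: the length test in both the IPPROTO_UDP and IPPROTO_TCP cases, `if(ip->ihl<<2+sizeof(struct udphdr) >ntohs(ip->tot_len))`, is wrong as written: in C `+` binds tighter than `<<`, so this evaluates `ip->ihl << (2 + sizeof(struct udphdr))`, which for a plain 20-byte header (ihl = 5) is 5 << 10 = 5120, not the intended 28; compared against tot_len it makes the firewall return 0 for essentially every first fragment and every unfragmented TCP/UDP packet. Parenthesise it: `if ((ip->ihl << 2) + sizeof(struct udphdr) > ntohs(ip->tot_len))`. The IPPROTO_TCP case also copies `sizeof(struct udphdr)` (8 bytes) where it needs `sizeof(struct tcphdr)` (20 bytes); with only 8 bytes of TCP header required in fragment 0, the flags field at byte 13 of the TCP header still comes from a later fragment the firewall never looked at, which is the overwrite the comment above the block says it stops. A `default:` branch is not needed, but it would be clearer to compute `need` once from a small per-protocol switch and do the comparison in one place rather than duplicating it.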
Current thread:
- IP firewalling bugs System Administrator (Aug 23)
- DO NOT USE THAT PATCH (Re: IP firewalling bugs) Darren Reed (Aug 23)
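The check the post is reaching for, written out as an added example that is not code from the post, from ip_fw.c or from the Linux kernel: a first fragment (offset 0) must carry the complete transport header, computed with the shift parenthesised and with the TCP header size used for TCP. It also applies a second rule, dropping a TCP fragment at offset 1 (byte 8), which is the complementary rule later published in RFC 1858 and not something the post proposes, and it shows how the patch's unparenthesised expression actually parses. The function names (fragment_verdict, verdict_for, as_written, as_intended), the verdict codes and the constants are mine, and the packets are constructed inline from the RFC 791 header layout so nothing but a C compiler is needed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed constants, defined here so the example compiles without <linux/ip.h>. */
#define IP_MF       0x2000u   /* "more fragments" flag */
#define IP_OFFSET   0x1fffu   /* 13-bit fragment offset, in 8-byte units */
#define IPPROTO_TCP 6
#define IPPROTO_UDP 17

enum verdict { PASS = 0, DROP_TINY_FIRST = 1, DROP_TCP_OFFSET1 = 2, DROP_MALFORMED = 3 };

/* The fields a fragment filter needs, pulled out of the raw IPv4 header. */
struct ip_fields {
    unsigned ihl;        /* header length in 32-bit words */
    unsigned protocol;
    unsigned frag_off;   /* flags + offset, host order */
    unsigned tot_len;    /* host order */
};

static int parse_ipv4(const uint8_t *pkt, size_t len, struct ip_fields *f)
{
    if (len < 20 || (pkt[0] >> 4) != 4)
        return -1;
    f->ihl      = pkt[0] & 0x0f;
    f->tot_len  = ((unsigned)pkt[2] << 8) | pkt[3];
    f->frag_off = ((unsigned)pkt[6] << 8) | pkt[7];
    f->protocol = pkt[9];
    if (f->ihl < 5 || f->ihl * 4 > len || f->tot_len > len)
        return -1;
    return 0;
}

/* Transport header bytes a filter must see before it can judge the packet. */
static unsigned transport_hdr_len(unsigned proto)
{
    switch (proto) {
    case IPPROTO_TCP: return 20;   /* ports, seq/ack, and the flags at byte 13 */
    case IPPROTO_UDP: return 8;
    default:          return 0;
    }
}

/* Fragment filter. Rule 1 is what the post's patch set out to do, with the
 * arithmetic parenthesised and the TCP header size used for TCP. Rule 2 is
 * the later RFC 1858 offset-1 rule (hypothetical addition, not in the post). */
int fragment_verdict(const uint8_t *pkt, size_t len)
{
    struct ip_fields f;
    unsigned offset, need;

    if (parse_ipv4(pkt, len, &f) != 0)
        return DROP_MALFORMED;
    offset = f.frag_off & IP_OFFSET;

    if (offset == 0) {
        /* A first fragment (or whole datagram) must carry the entire transport
         * header, or the filter has nothing trustworthy to match on. */
        need = (f.ihl << 2) + transport_hdr_len(f.protocol);   /* not ihl<<2+len */
        if (need > f.tot_len)
            return DROP_TINY_FIRST;
    } else if (offset == 1 && f.protocol == IPPROTO_TCP) {
        /* A TCP fragment starting 8 bytes into the payload can supply or
         * overwrite the flags that fragment 0 was judged on. */
        return DROP_TCP_OFFSET1;
    }
    return PASS;
}

/* Build a constructed IPv4 header (ihl = 5, zero addresses, zero payload, no
 * checksum since the filter never reads it) of tot_len bytes and judge it. */
int verdict_for(unsigned proto, unsigned tot_len, unsigned frag_off)
{
    uint8_t pkt[128];

    if (tot_len > sizeof pkt)
        return DROP_MALFORMED;           /* constructed packets are small */
    memset(pkt, 0, sizeof pkt);
    pkt[0] = 0x45;                       /* IPv4, ihl = 5 */
    pkt[2] = (uint8_t)(tot_len >> 8);
    pkt[3] = (uint8_t)tot_len;
    pkt[6] = (uint8_t)(frag_off >> 8);
    pkt[7] = (uint8_t)frag_off;
    pkt[8] = 64;                         /* TTL */
    pkt[9] = (uint8_t)proto;
    return fragment_verdict(pkt, tot_len);
}

/* How the patch's `ihl<<2+sizeof(struct udphdr)` is parsed: + binds before <<. */
unsigned as_written(unsigned ihl)  { return ihl << (2 + 8); }
unsigned as_intended(unsigned ihl) { return (ihl << 2) + 8; }

int main(void)
{
    /* The two-packet attack from the post: a short first fragment, then a
     * TCP fragment at offset 8 (frag_off = 1) that rewrites the rest. */
    printf("TCP frag 0, 28 bytes, MF: %d\n", verdict_for(IPPROTO_TCP, 28, IP_MF));
    printf("TCP frag at offset 8:     %d\n", verdict_for(IPPROTO_TCP, 28, 1));
    printf("UDP frag 0, 28 bytes, MF: %d\n", verdict_for(IPPROTO_UDP, 28, IP_MF));
    printf("patch expression, ihl=5: as written %u, intended %u\n",
           as_written(5), as_intended(5));
    return 0;
}
```

Verdict 1 is the case the post's patch targets, verdict 2 the offset-8 fragment in the post's second step; a UDP fragment at offset 1 passes because only TCP keeps decision-relevant fields (the flags) beyond its first 8 bytes.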
