ecepass - proof of concept code for FreeBSD ipfw bypass (fwd)

From: Buliwyf McGraw (buliwyf@libertad.univalle.edu.co)
Date: 01/29/01


Date: Mon, 29 Jan 2001 11:18:44 -0500 (COT)
From: Buliwyf McGraw <buliwyf@libertad.univalle.edu.co>
To: freebsd-security@FreeBSD.ORG



 Very interesting...

---------- Forwarded message ----------
Date: Thu, 25 Jan 2001 15:04:30 +0200
From: Roelof Temmingh <roelof@SENSEPOST.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ecepass - proof of concept code for FreeBSD ipfw bypass

An all ZA production...;)

FreeBSD ipfw+ECE proof of concept code
--------------------------------------

Code written by:
Plathond (jacques4i@yahoo.com) for Sensepost (http://www.sensepost.com,
info@sensepost.com)

More info on the problem:
http://packetstorm.securify.com/advisories/freebsd/FreeBSD-SA-01:08.ipfw

Original problem found by:
Aragon Gouveia <aragon@phat.za.net>

How it works:
-------------
Using a FreeBSD divert rule, all outgoing traffic (or as specified in the
ipfw rule) will be diverted to the ecepass process, and the ECE flag will
be added. Traffic directed to hosts behind an ipfw-based firewall will be
passed, rendering the firewall useless if it makes use of the "allow
all from any to any established" rule. Tried & tested...

How to use:
-----------
1. Make sure your kernel is compiled with the following options:
 options IPDIVERT
 options IPFIREWALL

2. gcc -o ecepass ecepass.c

3. ./ecepass &

4. ipfw add 5 divert 7000 tcp from any to any

5. All TCP traffic will now have the ECE flag added to it.

PS1: obviously you need to make sure that the last ipfw rule allows
     traffic e.g.:
     00001 divert 7000 tcp from any to any
     65535 allow ip from any to any

PS2: as the exploit uses "ipfw divert" it only works on FreeBSD.
     Ironic eh?

spidermark: sensepostdata ece

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh SensePost IT security
roelof@sensepost.com +27 83 448 6996
                http://www.sensepost.com



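Why a packet carrying ECE gets past an "established" rule, modelled in C as an added illustration for this archive page (not the kernel source and not the ecepass code). The model assumes that ipfw encoded "established" as a pseudo-flag whose value 0x40 is the same bit the TCP header uses for ECE, so the generic set/clear flag compare accepts a SYN that also carries ECE; the hardened matcher keeps "established" out of the flag bitmask and tests the documented meaning (RST or ACK set).

```c
/* Model of ipfw "established" matching before/after FreeBSD-SA-01:08 (added here, not kernel code). */
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#define TH_SYN 0x02 /* TCP th_flags bits */
#define TH_RST 0x04
#define TH_ACK 0x10
#define TH_ECE 0x40 /* RFC 2481 ECN-Echo, defined after ipfw's flag table was */
/* ipfw pseudo-flag for "established"; assumed here to share value 0x40 with ECE */
#define IP_FW_TCPF_ESTAB 0x40

struct fw_rule {
    uint8_t fw_tcpf;     /* flag bits that must be set */
    uint8_t fw_tcpnf;    /* flag bits that must be clear */
    bool    established; /* separate field, used only by the fixed matcher */
};

/* Vulnerable: ACK|RST short-circuits, but any other packet falls through to a
 * set/clear compare in which the 0x40 pseudo-flag is tested against the real
 * flag byte, where bit 0x40 is ECE. */
bool tcpflg_match_vuln(uint8_t th_flags, const struct fw_rule *f)
{
    if ((f->fw_tcpf & IP_FW_TCPF_ESTAB) && (th_flags & (TH_RST | TH_ACK)))
        return true;
    return (th_flags & f->fw_tcpf) == f->fw_tcpf && (th_flags & f->fw_tcpnf) == 0;
}

/* Hardened: "established" is its own field with the documented meaning
 * (RST or ACK set), so no header bit can impersonate it. */
bool tcpflg_match_fixed(uint8_t th_flags, const struct fw_rule *f)
{
    if (f->established && (th_flags & (TH_RST | TH_ACK)) == 0)
        return false;
    return (th_flags & f->fw_tcpf) == f->fw_tcpf && (th_flags & f->fw_tcpnf) == 0;
}

/* Does "allow tcp from any to any established" match a packet with th_flags? */
bool established_allows(uint8_t th_flags, bool fixed)
{
    struct fw_rule vuln = { IP_FW_TCPF_ESTAB, 0, false }, hard = { 0, 0, true };
    return fixed ? tcpflg_match_fixed(th_flags, &hard) : tcpflg_match_vuln(th_flags, &vuln);
}

int main(void)
{
    uint8_t pkts[] = { TH_SYN, TH_SYN | TH_ACK, TH_SYN | TH_ECE };
    for (size_t i = 0; i < sizeof pkts; i++)
        printf("flags=0x%02x vuln=%d fixed=%d\n", pkts[i],
               established_allows(pkts[i], false), established_allows(pkts[i], true));
    return 0;
}
```

Only the SYN+ECE row differs between the two matchers: the vulnerable compare treats the ECE bit as the "established" pseudo-flag, the hardened one does not.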



