Re: [Full-Disclosure] Linux 2.0 remote info leak from too big icmp citation
From: Andrew Griffiths (andrewg_at_d2.net.au)
Date: 06/09/03
- Previous message: John Cartwright: "[Full-Disclosure] List Charter"
- In reply to: Philippe Biondi: "[Full-Disclosure] Linux 2.0 remote info leak from too big icmp citation"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: Philippe Biondi <biondi@cartel-securite.fr> Date: Mon, 09 Jun 2003 18:41:31 +1000
http://www.securityfocus.com/archive/1/251418/2002-01-15/2002-01-21/0
Looks like another way of triggering the bug, IMO.
Philippe Biondi wrote:
> ----------------------------------------------------------------------
> Cartel Sécurité --- Security Advisory
>
> Advisory Number: CARTSA-20030314
> Subject: Linux 2.0 remote info leak from too big icmp citation
> Author: Philippe Biondi <biondi@cartel-securite.fr>
> Discovered: March 14, 2003
> Published: June 9, 2003
> CERT reference: VU#471084 (http://www.kb.cert.org/vuls/id/471084)
> ----------------------------------------------------------------------
>
> You can use this URL to link this document :
> http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
>
>
> Problem description
> ===================
>
> There is a bug in the way the linux 2.0 kernel IP stack computes the size of an
> ICMP citation for almost every ICMP error. This leads to too much data being
> sent on the network, coming from anywhere in the memory.
>
> This is a very important leak. Experiments show that even passwords can
> be stolen. Moreover, you can do this from anywhere on the internet, as soon
> as you can send IP packets to the vulnerable host (unless special firewalling is in place).
>
> The typical case is when you use a linux 2.0 box (or, more probably,
> any appliance that uses it) as a masquerading gateway for internet and
> DMZ. In this configuration, the gateway can be used to leak potentially
> all your traffic from your LAN, even your POP passwords for
> the mail server in the DMZ.
>
>
> Vulnerable products
> ===================
>
> Any 2.0 linux kernel up to 2.0.39 (2.0.39 included)
> Watchguard Firebox II
>
> Any appliance (firewall, proxy, etc.) that uses linux 2.0 <= 2.0.39
>
>
> A tester can be found here (no guarantee though) :
> http://www.cartel-securite.fr/pbiondi/python/icmpleaktest.py
>
> Vulnerable:
> # ./icmpleaktest.py 192.168.11.2
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got '\x95\x03\x1a\x10Ji\xfb\xba\xd0\xc5Q\x14\x877\xbd\x8a;\xb3^\x7f'
>
> Not vulnerable:
> # ./icmpleaktest.py 172.16.1.40
> Packet sent. Answer should take 31s. Interrupt with C-c
> Got ''
>
>
> Vendor status
> =============
>
> Linux 2.0.40 should be out soon.
I was under the impression they would have fixed it earlier. That said,
I wouldn't be surprised.
> Watchguard said updated releases will follow.
>
> These vendors said they are not vulnerable :
> * Netscreen
> * Symantec
> * Novell
> * Clavister
> * Ingrian
> * StoneSoft
> * Sun
>
>
> Solutions
> =========
>
> * patch at http://www.cartel-securite.fr/pbiondi/patches/icmpleak.patch
> (No guarantee)
> * exchange your old appliance for a brand new linux 2.4/netfilter one
>
>
> Workarounds
> ===========
>
> No good workarounds. But you can at least carefully try these :
> * truncate ICMP errors at the RFC limit,
> * filter out icmp errors
>
>
> Example
> =======
>
> We can send an IP packet with the MF flag :
>
> 15:41:05 192.168.0.12.80 > 192.168.0.10.80: udp 4 (frag 52007:12@0+)
> 0x0000 4500 0020 cb27 2000 4011 0e3f c0a8 000c E....'..@..?....
> 0x0010 c0a8 000a 0050 0050 000c cd1e 5858 5858 .....P.P....XXXX
>
> we wait 30s for the reassembly to timeout :
>
> 15:41:35 192.168.0.10 > 192.168.0.12: icmp: ip reassembly time exceeded [tos 0xc0]
> 0x0000 45c0 0050 dcca 0000 4001 1bbc c0a8 000a E..P....@.......
> 0x0010 c0a8 000c 0b01 aa24 0000 0000 4500 0020 .......$....E...
> 0x0020 cb27 2000 4011 0e3f c0a8 000c c0a8 000a .'..@..?........
> 0x0030 0050 0050 000c cd1e 5858 5858 0050 0050 .P.P....XXXX.P.P
> 0x0040 000c cd1e 5858 5858 207b 2d68 0000 0000 ....XXXX.{-h....
>
>
> Bytes at offsets 0x3c to 0x4f are bonus.
> It works with every ICMP error except the port unreachable error.
> It is possible to increase the size of data leaked by adding IP options.
>
>
> Examples of bonus bytes :
>
> 98 EA CD 03 10 58 CD 03 31 32 33 34 AA FF 55 00 .....X..1234..U.
> 98 86 0C 03 98 EC CD 03 10 58 CD 03 00 00 00 00 .........X......
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 58 EE CD 03 98 86 0C 03 98 EE CD 03 10 58 CD 03 X............X..
> 69 6E 66 6F 72 6D 61 74 69 6F 6E 00 4D 49 4E 46 information.MINF
> 00 00 00 00 00 00 00 00 AA FF 55 00 90 88 CC 03 ..........U.....
> 00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
> 2E 30 2E 25 75 2E 69 6E 2D 61 64 64 72 2E 61 72 .0.%u.in-addr.ar
> 90 12 CC 03 00 00 00 00 98 C0 B5 02 00 00 00 00 ................
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 43 5F 4D 4F 4E 45 54 41 52 59 00 4C 43 5F 43 4F C_MONETARY.LC_CO
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 90 E2 CA 03 00 00 00 00 98 A0 CC 03 00 00 00 00 ................
> 00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
> 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
> 00 00 00 00 18 5F FF 00 00 00 00 00 14 00 00 00 ....._..........
> 73 69 6E 6C 00 2E 67 6E 75 2E 77 61 72 6E 69 6E sinl..gnu.warnin
> 70 9E 09 40 60 9E 09 40 E0 9A 08 40 A0 9F 08 40 p..@`..@...@...@
> 68 01 00 00 41 46 00 00 67 01 00 00 41 4C 00 00 h...AF..g...AL..
> FF FF FF FF FF FF FF FF E2 00 00 00 4A 00 00 00 ............J...
> 61 67 65 2D 72 65 74 75 72 6E 00 53 49 00 53 4F age-return.SI.SO
> 61 73 68 00 7A 65 72 6F 00 6F 6E 65 00 74 77 6F ash.zero.one.two
> 0D 00 00 00 01 00 00 00 0E 00 00 00 01 00 00 00 ................
> 01 00 00 00 2D 00 00 00 01 00 00 00 2E 00 00 00 ....-...........
> 4C 00 00 00 01 00 00 00 4D 00 00 00 01 00 00 00 L.......M.......
> 01 00 00 00 6C 00 00 00 01 00 00 00 6D 00 00 00 ....l.......m...
> 4C 43 5F 41 4C 4C 00 4C 43 5F 4D 45 53 53 41 47 LC_ALL.LC_MESSAG
>
>
> ----------------------------------------------------------------------
> Copyright (c) Cartel Sécurité
> This document is copyrighted. It can't be edited nor republished
> without explicit consent of Cartel Sécurité.
> For more information, feel free to contact us.
> http://www.cartel-securite.fr/
> ----------------------------------------------------------------------
>
Sincerely,
Andrew Griffiths
--
<Kahless> geez, u climb the highest mountain, netstumble the highest mast, but you suck one ***........
<Clonefish> No thanks
<Kahless> hey, it wasn't an invitation........
<RokLobsta> or you help luigi build his house, guiseppe to get his business going and you save the town from a meteor, but you *** one goat....
<Kahless> that's the one
<Clonefish> Mmmmkay.....
<swarm> um
<swarm> next topic plz

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
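The check below is an added example, not the advisory's icmpleaktest.py and not kernel code. It takes the "ip reassembly time exceeded" reply from the quoted tcpdump output (retyped here as a constant), verifies the outer IP and ICMP checksums, locates the cited datagram, and reports every byte of the citation that lies past the cited datagram's own IP total length: a conforming stack cannot cite more of a packet than it received, so anything beyond that length did not come from the triggering packet. It also implements the "truncate ICMP errors at the RFC limit" workaround from the advisory (cited IP header plus 8 bytes, per RFC 792) and recomputes both checksums. The function names are mine.

```python
"""Detect ICMP citations that run past the cited datagram, and trim them.

Added example for the Linux 2.0 ICMP citation leak; not the advisory's
tester. SAMPLE_ICMP_ERROR is the reply shown in the advisory's tcpdump
dump, retyped as bytes (outer IPv4 header + ICMP, 80 bytes).
"""
import struct

SAMPLE_ICMP_ERROR = bytes.fromhex(
    "45c0 0050 dcca 0000 4001 1bbc c0a8 000a"
    "c0a8 000c 0b01 aa24 0000 0000 4500 0020"
    "cb27 2000 4011 0e3f c0a8 000c c0a8 000a"
    "0050 0050 000c cd1e 5858 5858 0050 0050"
    "000c cd1e 5858 5858 207b 2d68 0000 0000"
)

# ICMP types that carry a citation of the offending datagram.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement sum. Over a header whose checksum field
    is already filled in, a valid header yields 0."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def analyse_icmp_error(packet: bytes) -> dict:
    """Parse outer IP + ICMP error and report citation bytes that lie
    beyond the cited datagram's declared total length."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[0] >> 4 != 4 or ihl < 20:
        raise ValueError("not an IPv4 packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 1:
        raise ValueError("not ICMP")
    if inet_checksum(packet[:ihl]) != 0:
        raise ValueError("bad outer IP header checksum")
    icmp = packet[ihl:total_len]
    if inet_checksum(icmp) != 0:
        raise ValueError("bad ICMP checksum")
    icmp_type, icmp_code = icmp[0], icmp[1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("ICMP type %d carries no citation" % icmp_type)
    cited = icmp[8:]  # after type, code, checksum and the 4 unused bytes
    if len(cited) < 20:
        raise ValueError("citation too short to hold an IP header")
    cited_ihl = (cited[0] & 0x0F) * 4
    cited_len = struct.unpack("!H", cited[2:4])[0]
    leaked = cited[cited_len:]
    return {
        "type": icmp_type,
        "code": icmp_code,
        "cited_total_length": cited_len,
        "citation_bytes": len(cited),
        "rfc792_limit": cited_ihl + 8,
        "leaked": leaked,
        # Offset of the first leaked byte within the outer packet.
        "leak_offset": ihl + 8 + cited_len if leaked else None,
    }


def is_leaking(packet: bytes) -> bool:
    """True when the citation carries bytes the cited datagram never had."""
    return bool(analyse_icmp_error(packet)["leaked"])


def truncate_citation(packet: bytes) -> bytes:
    """Advisory workaround: keep only cited IP header + 8 bytes (RFC 792)
    and rewrite outer total length, IP checksum and ICMP checksum."""
    info = analyse_icmp_error(packet)
    ihl = (packet[0] & 0x0F) * 4
    icmp = bytearray(packet[ihl:ihl + 8 + info["rfc792_limit"]])
    icmp[2:4] = b"\x00\x00"
    icmp[2:4] = struct.pack("!H", inet_checksum(bytes(icmp)))
    ip = bytearray(packet[:ihl])
    ip[2:4] = struct.pack("!H", ihl + len(icmp))
    ip[10:12] = b"\x00\x00"
    ip[10:12] = struct.pack("!H", inet_checksum(bytes(ip)))
    return bytes(ip + icmp)


if __name__ == "__main__":
    info = analyse_icmp_error(SAMPLE_ICMP_ERROR)
    print("ICMP type %d code %d: cited datagram says %d bytes, citation "
          "carries %d" % (info["type"], info["code"],
                          info["cited_total_length"], info["citation_bytes"]))
    if info["leaked"]:
        print("leak at 0x%02x: %s" % (info["leak_offset"], info["leaked"].hex()))
    print("after truncation leaking:", is_leaking(truncate_citation(SAMPLE_ICMP_ERROR)))
```

On the advisory's sample this reports a 32-byte cited datagram carried in a 52-byte citation, so 20 leaked bytes starting at outer offset 0x3c, the same range the advisory calls "bonus". Two caveats when running this over live captures: a citation shorter than the cited total length is normal (most stacks send header plus 8 bytes, or up to 576 bytes per RFC 1122), so only the excess is suspicious; and the cited total length is itself under the original sender's control, so the check identifies bytes that cannot belong to the cited packet, not that they are sensitive.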