[UNIX] Remote Memory Reading Through TCP/ICMP

From: support@securiteam.com
To: list@securiteam.com
Date: Wed, 23 Jan 2002 21:07:14 +0100 (CET)

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

  Remote Memory Reading Through TCP/ICMP
------------------------------------------------------------------------

SUMMARY

A security vulnerability in Linux allows a remote attacker to make the
target OS return, inside ICMP error messages, chunks of memory that lie
beyond the end of the packet being quoted. The extra bytes come from
recently freed memory, in the case shown here "userland" memory written
by an unprivileged process. This is an information leak that may expose
sensitive data.

DETAILS

Systems affected:
Linux
Solaris

It is possible to read parts of a remote machine's memory. To be specific,
it has to be memory that was recently freed (or swapped to disk). Consider
the following test program, which repeatedly fills a large heap buffer with
'A's and frees it, so that recently freed pages carry a recognisable
pattern:

#include <stdlib.h>
#include <string.h>
#include <unistd.h>

int main(void)
{
  /* Once a second, take a rather large chunk of memory (~30 M), fill it
     with A's and free it, so recently freed pages are full of 0x41. */
  const int val = 30000000; /* ~ 30 M */
  char *ptr;

  while (1) {
    sleep(1);
    ptr = (char *)malloc(val);
    if (ptr == NULL)
      continue; /* allocation failed; try again next second */
    memset(ptr, 0x41, val - 1);
    free(ptr);
  }
  return 0;
}

Then we modify nmap (around line 687) so it only transmits the first
fragment of a fragmented scan. The datagram can never be reassembled, so
when the target's reassembly timer expires it sends an ICMP Time Exceeded
(fragment reassembly time exceeded) message that quotes the offending
fragment. Because Linux includes a lot more of the packet in that quote
than most other OSes do, we have around 20 bytes to read beyond what we
actually sent. From memory, Solaris includes extra data in its ICMP
messages as well.

Let us look at a sniffer trace from Snort (ignore the timestamps, as the
machine this was originally done on had its date set to 1994):

12/11-00:34:34.290903 127.0.0.1 -> 127.0.0.1 ICMP TTL:255 TOS:0xC0
ID:29812 TTL EXCEEDED
00 00 00 00 45 00 00 24 A2 15 20 00 3E 06 BC BC ....E..$.. .>...
7F 00 00 01 7F 00 00 01 E1 C1 01 91 FB 73 6B E2 .............sk.
00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA

12/11-01:02:30.170720 127.0.0.1 -> 127.0.0.1 ICMP TTL:255 TOS:0xC0
ID:31185 TTL EXCEEDED
00 00 00 00 45 00 00 24 32 25 20 00 3B 06 2F AD ....E..$2% .;./.
7F 00 00 01 7F 00 00 01 AA 1E 01 11 50 FE C6 45 ............P..E
00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA

Also, to prove this is not Snort's fault, we include a tcpdump log of the
same message. Both traces tell the same story: the quoted datagram's own IP
header gives a total length of 0x0024 = 36 bytes (a 20-byte IP header plus
the 16-byte first fragment of a TCP SYN; the fragment field 0x2000 has MF
set), yet 56 bytes follow the ICMP header's unused field. The final 20 bytes
of 0x41 were never part of the packet the scanner sent; they are whatever
lay in memory past the end of the received packet, here the A's written by
the test program.

01:06:02.640246 lo < 127.0.0.1 > 127.0.0.1: icmp: ip reassembly time
exceeded [tos 0xc0]
                         45c0 0054 7b85 0000 ff01 4161 7f00 0001
                         7f00 0001 0b01 77a3 0000 0000 4500 0024
                         d3e5 2000 3306 95ec 7f00 0001 7f00 0001
                         c027 055a 5fa5 73a5 0000 0000 5002 0800
                         4141 4141 4141 4141 4141 4141 4141 4141
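As an added check for the reader (example code written for this page, not code from the advisory, from nmap or from the kernel), the C program below parses an ICMP Time Exceeded message and reports how many quoted bytes lie past the end of the original datagram, which is exactly what the two traces above exhibit. Its input is the tcpdump dump above re-entered as a byte array; that dump stops at 80 bytes while the outer IP total length is 0x54 (84), so the four missing bytes are assumed to be 0x41 like the rest of the tail, an assumption the ICMP checksum in the dump supports (it verifies only with twenty 0x41 bytes there). The function names are chosen for this example and belong to no tool.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/*
 * Constructed input: the "ip reassembly time exceeded" message from the
 * advisory's tcpdump log, as bytes.  The log shows 80 bytes but the outer IP
 * total length is 0x54 (84); the last four bytes are assumed to be 0x41 like
 * the rest of the tail (the ICMP checksum only verifies with exactly twenty
 * 0x41 bytes there).
 */
static const uint8_t leaked_icmp[84] = {
    0x45,0xc0,0x00,0x54,0x7b,0x85,0x00,0x00,0xff,0x01,0x41,0x61,0x7f,0x00,0x00,0x01,
    0x7f,0x00,0x00,0x01,0x0b,0x01,0x77,0xa3,0x00,0x00,0x00,0x00,0x45,0x00,0x00,0x24,
    0xd3,0xe5,0x20,0x00,0x33,0x06,0x95,0xec,0x7f,0x00,0x00,0x01,0x7f,0x00,0x00,0x01,
    0xc0,0x27,0x05,0x5a,0x5f,0xa5,0x73,0xa5,0x00,0x00,0x00,0x00,0x50,0x02,0x08,0x00,
    0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
    0x41,0x41,0x41,0x41
};

static unsigned be16(const uint8_t *p)
{
    return ((unsigned)p[0] << 8) | p[1];
}

/* RFC 1071 one's-complement sum of len bytes, folded to 16 bits. */
static unsigned ones_sum(const uint8_t *p, size_t len)
{
    uint32_t sum = 0;
    for (; len > 1; len -= 2, p += 2)
        sum += be16(p);
    if (len)
        sum += (uint32_t)p[0] << 8;
    while (sum >> 16)
        sum = (sum & 0xffff) + (sum >> 16);
    return sum;
}

/* A header or ICMP message whose stored checksum is correct sums to 0xffff. */
int checksum_ok(const uint8_t *p, size_t len)
{
    return ones_sum(p, len) == 0xffff;
}

/*
 * Number of quoted bytes beyond the original datagram's own total length,
 * i.e. bytes the sender never transmitted.  Returns -1 if pkt is not an IPv4
 * ICMP Time Exceeded message with a complete inner IP header.  The count is
 * bounded by caplen, so a truncated capture lowers it instead of over-reading.
 */
int icmp_quoted_excess(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20 || (pkt[0] >> 4) != 4)
        return -1;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = be16(pkt + 2);
    if (ihl < 20 || ihl > tot)
        return -1;
    if (tot > caplen)
        tot = caplen;                       /* short capture */
    if (pkt[9] != 1 || tot < ihl + 8 + 20)  /* protocol 1 = ICMP */
        return -1;
    const uint8_t *icmp = pkt + ihl;
    if (icmp[0] != 11)                      /* ICMP type 11 = Time Exceeded */
        return -1;
    size_t quoted = tot - ihl - 8;          /* everything after the ICMP header */
    size_t inner_tot = be16(icmp + 8 + 2);  /* quoted datagram's own length */
    return quoted > inner_tot ? (int)(quoted - inner_tot) : 0;
}

/* 1 if every byte beyond the quoted datagram equals fill (0 if there are none). */
int excess_is_filled_with(const uint8_t *pkt, size_t caplen, uint8_t fill)
{
    int excess = icmp_quoted_excess(pkt, caplen);
    if (excess <= 0)
        return 0;
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    const uint8_t *inner = pkt + ihl + 8;
    const uint8_t *extra = inner + be16(inner + 2);
    for (int i = 0; i < excess; i++)
        if (extra[i] != fill)
            return 0;
    return 1;
}

int main(void)
{
    size_t n = sizeof leaked_icmp;
    printf("outer IP checksum ok: %d\n", checksum_ok(leaked_icmp, 20));
    printf("ICMP checksum ok:     %d\n", checksum_ok(leaked_icmp + 20, n - 20));
    printf("inner IP checksum ok: %d\n", checksum_ok(leaked_icmp + 28, 20));
    printf("bytes quoted beyond the original datagram: %d\n",
           icmp_quoted_excess(leaked_icmp, n));
    printf("all of them 0x41: %d\n",
           excess_is_filled_with(leaked_icmp, n, 0x41));
    return 0;
}
```

Run against the reconstructed message it reports 20 excess bytes, all 0x41; fed only the 80 bytes the tcpdump log actually shows it reports 16, because the count is clipped to the captured length rather than read past the buffer. The same two functions applied to a capture from a patched host should report 0.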
 
Usages:
The ramifications of this could be great. Any user memory content might get
included in such TCP/ICMP packets, since the leaked bytes are whatever the
memory past the received packet previously held. Privileged memory would not
be available unless it is handled improperly.

Fix:
--- linux-work/net/ipv4/icmp.c-o Tue Jan 15 11:05:17 2002
+++ linux-work/net/ipv4/icmp.c Sun Jan 20 23:31:29 2002
@@ -495,7 +495,7 @@
  icmp_param.data.icmph.checksum=0;
  icmp_param.csum=0;
  icmp_param.skb=skb_in;
- icmp_param.offset=skb_in->nh.raw - skb_in->data;
+ icmp_param.offset=skb_in->data - skb_in->nh.raw;
  icmp_out_count(icmp_param.data.icmph.type);
  icmp_socket->sk->protinfo.af_inet.tos = tos;
  ipc.addr = iph->saddr;
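Review bot: the hunk changes only the sign of icmp_param.offset and leaves out the two places that consume it, the data_len computation that bounds how much of skb_in is quoted and the glue routine that hands the offset to the skb copy, so a reviewer cannot see from these lines which sign convention is expected. An offset given to an skb copy is taken relative to skb->data; when the IP header has already been pulled, nh.raw lies before data, so the original `skb_in->nh.raw - skb_in->data` is negative and points back at the IP header while `skb_in->data - skb_in->nh.raw` is positive and points ihl bytes into the datagram. Please extend the context to show the data_len line (and any change to it), because the traces in this advisory quote 20 bytes past a 36-byte original and it is the length bound, not the start of the copy, that has to be shown to stop at the end of the original datagram.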
--- linux-work/net/ipv6/icmp.c-o Thu Sep 20 23:12:56 2001
+++ linux-work/net/ipv6/icmp.c Sun Jan 20 23:40:03 2002
@@ -361,7 +361,7 @@
  msg.icmph.icmp6_pointer = htonl(info);
 
  msg.skb = skb;
- msg.offset = skb->nh.raw - skb->data;
+ msg.offset = skb->data - skb->nh.raw;
  msg.csum = 0;
  msg.daddr = &hdr->saddr;
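Review bot: msg.offset is flipped here the same way as in the IPv4 hunk, but this hunk also omits the length bound that the ICMPv6 code derives from the offset, and it does not show that the new sign matches what the ICMPv6 glue routine expects once skb->data has been advanced past the IPv6 header (with nh.raw before data, `skb->nh.raw - skb->data` is negative and `skb->data - skb->nh.raw` is positive). Since all the traces in this advisory are IPv4, please state whether the IPv6 path was observed to over-quote at all, and include the length computation in the context so that both halves of the fix can be reviewed as one change.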

ADDITIONAL INFORMATION

The information has been provided by Andrew Griffiths <andrewg@tasmail.com>.


DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.


