Re: [RAZOR] Linux kernel IP masquerading vulnerability (_actual_ patch)

From: Michal Zalewski (lcamtufat_private)
Date: Wed Aug 01 2001 - 07:26:00 PDT

    On Tue, 31 Jul 2001, Darren Reed wrote:
    
    > Now, IF I understand the exploit correctly then there are _serious_
    > problems in that proxy's validation of messages.  First and foremost
    > it is _NOT_ checking to make sure it is a complete PRIVMSG as is found
    > within the IRC protocol.  If it were then the exploit would be more
    > like:
    > 
    > 0x0a:foo PRIVMSG bar :^ADCC params^A0x0d0x0a
    >
    > And that's ignoring things like it should have seen the client send a
    > "NICK" command, maybe "PASS" as well as "USER", etc, and even expect
    > back responses FROM the IRC server indicating that the client had been
    > able to successfully register BEFORE allowing any DCC proxying.
    
    This does not really give that much. As discussed in our advisory, it is
    possible to generate a 'good looking' USER and NICK sequence, and a 'good
    looking' IRC server response. Two things here - first of all, most web
    browsers ignore the first line sent by the remote host - the banner - and
    accept it even if it does not start with a valid ftp protocol numeric code.
    Also, response fragmentation (newlines in the middle of TCP packets, and so
    on) can be used to make the HTTP client think it sees FTP messages and the
    firewall think it sees an IRC conversation. A sample conversation might
    look like this:
    
    > ":server 255 user :Hello\r\n331 Username OK"
      (ignored by web browser)
    
    < "USER user +iw user user\r\nNICK user\r\n"
      (as a result of ftp://USER%20user%20...@server:6667/...) 
    
    > ":server 255 user :You are welcome\r\n210 Something"
      (client will usually join this together with remaining
       331 Username OK from previous message; firewall would
       probably parse it as-is, as IRC message)
    
    ...and so on, and so on.
    
    Not to mention using Java applets for this purpose. Very tight protocol
    validation makes the attack somewhat more complicated, but does not solve
    the question of the sender's intentions =)
    
    -- 
    _____________________________________________________
    Michal Zalewski [lcamtufat_private] [security]
    [http://lcamtuf.coredump.cx] <=-=> bash$ :(){ :|:&};:
    =-=> Did you know that clones never use mirrors? <=-=
    
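The framing mismatch in the exchange above (the firewall parsing the trailing "331 Username OK" fragment as-is, while the client glues it to the next packet) can be made concrete. The following is an added example, not code from this thread or from the kernel masquerading module: a per-packet parser beside a line-reassembling inspector, run over the server-side segments quoted above; the rule that server-originated lines must carry a :prefix is this example's own assumption.

```python
import re
from typing import Dict, List

# Constructed sample: the two server-to-client segments quoted in the thread,
# split at the same packet boundaries the message describes.
SERVER_SEGMENTS = [
    b":server 255 user :Hello\r\n331 Username OK",
    b":server 255 user :You are welcome\r\n210 Something",
]

# RFC 1459 message shape: optional ":prefix ", a command word or 3-digit
# numeric, then parameters; CR/LF never appear inside a message.
IRC_MESSAGE = re.compile(rb"^(:[^ \r\n]+ )?([A-Za-z]+|[0-9]{3})( [^\r\n]*)?$")


def per_packet_messages(segment: bytes) -> List[bytes]:
    """Weak approach: every CRLF-delimited piece of one packet is a message,
    including a trailing fragment that has no line terminator yet."""
    return [piece for piece in segment.split(b"\r\n") if piece]


class LineReassembler:
    """Buffers one direction of a TCP stream and releases only CRLF-terminated
    lines, so the inspector frames the stream the way the receiving client does."""

    def __init__(self, max_line: int = 512) -> None:
        self.pending = b""
        self.max_line = max_line  # RFC 1459 caps a message at 512 bytes

    def feed(self, segment: bytes) -> List[bytes]:
        self.pending += segment
        lines = []
        while b"\r\n" in self.pending:
            line, self.pending = self.pending.split(b"\r\n", 1)
            lines.append(line)
        if len(self.pending) > self.max_line:
            raise ValueError("unterminated IRC line exceeds 512 bytes")
        return lines


def server_line_is_valid_irc(line: bytes) -> bool:
    """Well-formed message that also carries a :prefix (assumption of this
    example: genuine server replies are prefixed, fused FTP-style junk is not)."""
    m = IRC_MESSAGE.match(line)
    return m is not None and m.group(1) is not None


def inspect(segments: List[bytes]) -> Dict[str, object]:
    """Compare what the two approaches accept on the same byte stream."""
    naive = [m for seg in segments for m in per_packet_messages(seg)]
    reassembler = LineReassembler()
    framed = [l for seg in segments for l in reassembler.feed(seg)]
    return {"per_packet": naive, "reassembled": framed,
            "rejected": [l for l in framed if not server_line_is_valid_irc(l)],
            "unterminated_tail": reassembler.pending}
```

The per-packet parser accepts four "messages", while the reassembler sees the fused "331 Username OK:server 255 user :You are welcome" line, which fails the prefix check, and holds "210 Something" until its terminator arrives.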



    This archive was generated by hypermail 2b30 : Wed Aug 01 2001 - 08:38:50 PDT