Security problem with reassembly timeout packet exposing data?

While debugging a problem with my ipchains rules, I think I've uncovered
a bug in the fragment reassembly timeout code that exposes random
strings from kernel memory.  The last 20 bytes of the fragment
reassembly timeout packet don't appear to be initialized and hence carry
random pieces of kernel data to the outside world.

I ran into the problem because I wasn't allowing fragments through the
ipchains rules, and a machine was trying to deliver mail with packets
that had been fragmented.  After waiting 30 seconds, the kernel would
send back a "ip reassembly time exceeded" packet that contained the data
from the first fragment.  However, some suspicious looking stuff was
showing up at the end of the packets.  Here are the last 76 bytes from
three such reassembly timeout packets.  The machine is also a webserver
so the strings that are showing up at the end are quite reasonably parts
of other packets sent to other clients:

0x01e0   0d0a 4d65 7373 6167 652d 4944 3a20 3c39        ..Message-ID:.<9
0x01f0   3231 3245 3543 4546 4444 3544 3331 3141        212E5CEFDD5D311A
0x0200   3032 3430 3035 3038 4237 3243 3546 3330        02400508B72C5F30
0x0210   3142 4536 4542 3040 6769 6600 fa20 fe39        1BE6EB0@gif....9
0x0220   fa20 fe39 0100 0000 0000 0000                  ...9........

0x01e0   0d0a 4d65 7373 6167 652d 4944 3a20 3c39        ..Message-ID:.<9
0x01f0   3231 3245 3543 4546 4444 3544 3331 3141        212E5CEFDD5D311A
0x0200   3032 3430 3035 3038 4237 3243 3546 3330        02400508B72C5F30
0x0210   3142 4536 4542 3040 2044 7269 7669 6e67        1BE6EB0@.Driving
0x0220   2044 6972 6563 7469 6f6e 7300                  .Directions.

0x01e0   0d0a 4d65 7373 6167 652d 4944 3a20 3c39        ..Message-ID:.<9
0x01f0   3231 3245 3543 4546 4444 3544 3331 3141        212E5CEFDD5D311A
0x0200   3032 3430 3035 3038 4237 3243 3546 3330        02400508B72C5F30
0x0210   3142 4536 4542 3040 6474 3d39 3236 3826        1BE6EB0@dt=9268&
0x0220   6c6b 3d68 7474 7025 3341 2f2f                  lk=http%3A//

I'm using Redhat 6.2, which reports itself as:
 kernel: Linux version 2.2.14-5.0smp (root@porky.devel.redhat.com) (gcc
version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #1 SMP Tue Mar
7 21:01:40 EST 2000 

An attacker could send lots of first-fragment packets to a machine and
hope to get back passwords or other sensitive information from the last
20 bytes of the timeout packets.  And since there is no log of this
event, the only way you could tell if this attack was occurring was if
you were actively snooping the net for such packets.

-Theron
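A check a defender could run over captured ICMP traffic, added here as an example and not part of Theron's post: it parses a "fragment reassembly time exceeded" message, compares the quoted bytes against the inner fragment's own total-length field, and reports whatever lies beyond that length, since bytes past the end of the fragment can only have come from memory the sender never initialised. The sample packet, addresses and "stale" bytes are constructed for the demonstration.

```python
import struct

ICMP_TIME_EXCEEDED = 11      # ICMP type
CODE_REASSEMBLY_TIMEOUT = 1  # "fragment reassembly time exceeded"


def ipv4_header(src, dst, proto, payload_len, flags_frag=0):
    """Build a minimal 20-byte IPv4 header (checksum left zero; constructed)."""
    total = 20 + payload_len
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0x1234, flags_frag,
                       64, proto, 0, bytes(map(int, src.split("."))),
                       bytes(map(int, dst.split("."))))


def parse_ipv4(buf):
    """Return (ihl, proto, src, dst, total_len) read from an IPv4 header."""
    ihl = (buf[0] & 0x0F) * 4
    total_len = struct.unpack("!H", buf[2:4])[0]
    src = ".".join(str(b) for b in buf[12:16])
    dst = ".".join(str(b) for b in buf[16:20])
    return ihl, buf[9], src, dst, total_len


def audit_time_exceeded(packet):
    """For an ICMP type 11 / code 1 packet, count the quoted bytes that lie
    past the end of the original fragment (its inner total length).
    Returns None when the packet is not a reassembly-timeout message."""
    ihl, proto, src, dst, total_len = parse_ipv4(packet)
    if proto != 1:
        return None
    icmp = packet[ihl:total_len]
    if icmp[0] != ICMP_TIME_EXCEEDED or icmp[1] != CODE_REASSEMBLY_TIMEOUT:
        return None
    inner = icmp[8:]          # quoted datagram follows the 8-byte ICMP header
    _, _, inner_src, _, inner_len = parse_ipv4(inner)
    trailing = inner[inner_len:]
    return {"reporter": src, "sent_to": dst, "fragment_from": inner_src,
            "quoted_bytes": len(inner), "fragment_bytes": inner_len,
            "leaked_bytes": len(trailing), "leaked": trailing}


# Constructed sample: a 28-byte first fragment (MF set, offset 0, 8 bytes of
# UDP-style payload) quoted back by the reporting host, followed by 20 bytes
# that stand in for the uninitialised tail described in the post.
FIRST_FRAG = ipv4_header("192.0.2.10", "198.51.100.5", 17, 8, 0x2000) + \
    b"\x00\x35\x00\x35\x00\x10\x00\x00"
STALE = b"stale-kernel-bytes!!"   # 20 constructed bytes, not real kernel data
_icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_REASSEMBLY_TIMEOUT, 0, 0) \
    + FIRST_FRAG + STALE
SAMPLE = ipv4_header("198.51.100.5", "192.0.2.10", 1, len(_icmp)) + _icmp
```

Feeding real captures through `audit_time_exceeded` and alerting on any non-zero `leaked_bytes` (or on a burst of reassembly-timeout messages from one host) gives the log entry the kernel itself does not write.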