Re: netfilter bypassed by nessus using UDP packets with source port 53

Cedric Blancher wrote:
On Wednesday 30 March 2005 at 16:45 +0200, grumpy wrote:

I'm using netfilter/iptables on my Debian woody box (kernel 2.6.11-5),
and when I want to audit the security of this box with nessus, it tells me:
"It is possible to by-pass the rules of the remote firewall by sending
UDP packets with a source port equal to 53.
An attacker may use this flaw to inject UDP packets to the remote hosts,
in spite of the presence of a firewall.

[...]

It's quite annoying!


Have you checked if this alert is true, and not some false positive? I
don't think so.

You are right, I do not know how to check this (by the way, if you know any documentation that would help, I would be glad to read it).

I mean, if Nessus sends a UDP packet (any port), it
will get an ICMP port unreachable. That's typically the normal behaviour
of an unfiltered box. So Nessus thinks "OK, if there's a firewall
between me and this box, then this packet went through".

In that case nessus would think the packets it sent to port 1-65635 (except 22 and 3000) went through as well. Wouldn't it?



Speaking of your ruleset, what's the point of:


-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP


Linux treats SYN/FIN packets as SYN ones, just as it should be on any
RFC compliant stack.

nessus told me something like this: "the remote host does not discard TCP SYN packets which have the FIN flag set. This can allow an attacker to defeat your firewall rule set"

According to you, this is a false positive, thanks for your correction :)


Your ICMP rule is also quite bizarre. First, we can get your timestamp by looking at your SYN/ACK TCP options when querying port 22 or 3000.

Yes, that's right, I have not thought about it.

Second, your rule implicitly accepts any ICMP packets, even with INVALID
state...

I have not thought about it either ...

Why not instead have something like this:

-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i eth0 -p icmp -m icmp --icmp-type 8 -j ACCEPT

ICMP errors will be handled by RELATED state and ping will be accepted
(info and netmask requests are not answered by Linux).

Since it is impossible to prevent somebody from getting the timestamp (if I am not mistaken), I think I will try this :)

(If you want to know, I tried to prevent someone from getting the timestamp
after nessus told me something like: "the remote host replies to icmp
timestamp requests, it allows an attacker to know the time set on
the machine and defeat all your time-based authentication systems")

thanks a lot for all this information

regards
grumpy
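An added illustration, not part of the thread: a small Python model of what the two suggested INPUT rules let through. It assumes the second rule ends in "-j ACCEPT", that the chain falls to a DROP policy afterwards, and simplifies conntrack to a set of flow tuples; the flows and packets are constructed sample data.

```python
"""Toy model of the ICMP policy suggested in the thread (added example).

It mimics netfilter's '-m state' classification just far enough to show
what '-m state --state RELATED,ESTABLISHED -j ACCEPT' followed by
'-p icmp --icmp-type 8 -j ACCEPT' lets in under an assumed DROP policy.
The conntrack entries and packets below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Optional

ICMP_DEST_UNREACHABLE = 3    # error: quotes the header of the flow it refers to
ICMP_ECHO_REQUEST = 8        # ping, explicitly accepted by the second rule
ICMP_TIMESTAMP_REQUEST = 13  # the request type Nessus flagged as answered

# Constructed conntrack table of this host's existing flows:
# (proto, local_addr, local_port, remote_addr, remote_port)
CONNTRACK = {
    ("udp", "192.0.2.10", 40000, "198.51.100.53", 53),  # our outbound DNS query
    ("tcp", "192.0.2.10", 22, "203.0.113.7", 51000),    # accepted inbound SSH
}

@dataclass
class Icmp:
    src: str
    icmp_type: int
    inner: Optional[tuple] = None  # flow tuple quoted inside an ICMP error, else None

def conntrack_state(pkt: Icmp) -> str:
    """RELATED if an ICMP error refers to a tracked flow, INVALID if it refers
    to nothing we know, NEW for any ICMP request."""
    if pkt.icmp_type == ICMP_DEST_UNREACHABLE:
        return "RELATED" if pkt.inner in CONNTRACK else "INVALID"
    return "NEW"

def input_verdict(pkt: Icmp) -> str:
    """Walk the two suggested INPUT rules, then fall to the assumed DROP policy."""
    if conntrack_state(pkt) in ("RELATED", "ESTABLISHED"):
        return "ACCEPT"  # rule 1: errors for flows we opened get through
    if pkt.icmp_type == ICMP_ECHO_REQUEST:
        return "ACCEPT"  # rule 2: ping still works
    return "DROP"        # everything else, including timestamp requests

if __name__ == "__main__":
    samples = [
        Icmp("198.51.100.53", ICMP_DEST_UNREACHABLE,
             ("udp", "192.0.2.10", 40000, "198.51.100.53", 53)),  # reply to our query
        Icmp("203.0.113.9", ICMP_DEST_UNREACHABLE,
             ("udp", "192.0.2.10", 1234, "203.0.113.9", 53)),     # unsolicited error
        Icmp("203.0.113.9", ICMP_ECHO_REQUEST),
        Icmp("203.0.113.9", ICMP_TIMESTAMP_REQUEST),
    ]
    for p in samples:
        print(f"type {p.icmp_type:>2} from {p.src:<14} "
              f"state={conntrack_state(p):<8} -> {input_verdict(p)}")
```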



