[326] in linux-security and linux-alert archive


IP firewalling bugs

daemon@ATHENA.MIT.EDU (System Administrator)
Wed Aug 23 11:08:52 1995

From: root@iifeak.swan.ac.uk (System Administrator)
To: bugtraq@crimelab.com
Date: Wed, 23 Aug 1995 10:24:58 +0100 (BST)
Cc: linux-security@tarsier.cv.nrao.edu

A variety of systems based on the Ugen firewall code (FreeBSD/Linux probably
NetBSD) are vulnerable to the following reported attack:

	Send an IP fragment 0 acceptable to the firewall
	Send an IP fragment at offset 8 to rewrite most of the header
		and all the data

For Linux at least the IP header should not be vulnerable to overwriting
because of the way the fragment merging is done. The following is a provisional,
not very tested fix (I only found out about the bug 30 minutes ago). Linux
is only vulnerable to tcp/udp header overwriting so host level blocking is
unaffected.

Because the Ugen firewall is virtually PD a variety of low end 
routers seem to use it and may also be affected.

I will be issuing a tested fix to Linus for 1.2.14 once he returns from sunning
himself.

[This fix is of course GPL'd and Linux but the BSD fix should be similar and 
 obvious]


--- ip_fw.c	Thu Jun 29 17:18:52 1995
+++ /tmp/ip_fw.c	Wed Aug 23 10:11:22 1995
@@ -209,6 +209,30 @@
 	 */
 
 	frag1 = ((ntohs(ip->frag_off) & IP_OFFSET) == 0);
+	
+	/*
+	 *	Stop any lead fragment attacks (eg sending the IP header
+	 *	and then overwriting it with a new fragment). The fragmenter
+	 *	works correctly to stop the rest of this attack.
+	 */
+	 
+	if(frag1)
+	{
+		switch(ip->protocol)
+		{
+			case IPPROTO_UDP:
+				if(ip->ihl<<2+sizeof(struct udphdr)
+					>ntohs(ip->tot_len))
+					return 0;
+				break;
+			case IPPROTO_TCP:
+				if(ip->ihl<<2+sizeof(struct udphdr)
+					>ntohs(ip->tot_len))
+					return 0;
+				break;
+		}
+	}
+	
 	if (!frag1 && (opt != 1) && (ip->protocol == IPPROTO_TCP ||
 			ip->protocol == IPPROTO_UDP))
 		return(1);
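Review bot: the length test in both `case` arms is wrong because of operator precedence: `ip->ihl<<2+sizeof(struct udphdr)` parses as `ip->ihl << (2 + sizeof(struct udphdr))`, i.e. `ihl << 10`, which is 5120 for a plain 20-byte header and exceeds `ntohs(ip->tot_len)` of every ordinary packet, so every TCP/UDP packet with fragment offset 0 (including unfragmented ones, since `frag1` is true for them too) would take the `return 0` path. Parenthesise the shift, as in `if((ip->ihl<<2)+sizeof(struct udphdr) > ntohs(ip->tot_len))`. The `IPPROTO_TCP` arm also compares against `sizeof(struct udphdr)` rather than `sizeof(struct tcphdr)`, so a first fragment carrying only 8 bytes of a TCP header would still pass; use the TCP header size there.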
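The check the mail describes, "a first fragment must carry the whole IP header plus the whole transport header, or it is rejected", as an added stand-alone example that is not the patch's code and not part of the original mail. It works over a raw byte buffer rather than the kernel's `struct iphdr`, and the names (`first_frag_check_fixed`, `first_frag_check_as_written`, `make_ipv4`) are this example's own. The second function reproduces what C precedence makes of the unparenthesised expression in the hunk, so the two can be compared on the same constructed packets.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constants as used by the check; values match the IPv4/UDP/TCP wire formats. */
#define IP_OFFSET_MASK 0x1FFF   /* low 13 bits of frag_off: offset in 8-byte units */
#define PROTO_TCP 6
#define PROTO_UDP 17
#define UDP_HDR_LEN 8           /* sizeof(struct udphdr) */
#define TCP_HDR_LEN 20          /* sizeof(struct tcphdr), fixed part without options */

static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Return codes for both checks: 1 = passes, 0 = reject, -1 = too short to judge. */

/* The check as the patch intends it: (ihl << 2) + transport header must fit in tot_len.
 * Only offset-0 packets are examined; the reassembler is trusted for later fragments,
 * as the mail says. */
int first_frag_check_fixed(const uint8_t *pkt, size_t len)
{
    if (len < 20) return -1;
    unsigned ihl_bytes = (unsigned)(pkt[0] & 0x0F) << 2;   /* shift parenthesised */
    unsigned tot_len   = be16(pkt + 2);
    unsigned offset    = be16(pkt + 6) & IP_OFFSET_MASK;
    unsigned proto     = pkt[9];

    if (offset != 0) return 1;          /* not a first fragment: check does not apply */
    switch (proto) {
    case PROTO_UDP:
        return (ihl_bytes + UDP_HDR_LEN > tot_len) ? 0 : 1;
    case PROTO_TCP:
        return (ihl_bytes + TCP_HDR_LEN > tot_len) ? 0 : 1;   /* TCP size, not UDP's */
    default:
        return 1;
    }
}

/* The expression as written in the hunk: `ihl<<2+N` is `ihl << (2+N)`, and both
 * protocol arms use the UDP header size. Written here with explicit parentheses so
 * the compiler does not warn, but it computes exactly what the hunk computes. */
int first_frag_check_as_written(const uint8_t *pkt, size_t len)
{
    if (len < 20) return -1;
    unsigned ihl     = pkt[0] & 0x0F;
    unsigned tot_len = be16(pkt + 2);
    unsigned offset  = be16(pkt + 6) & IP_OFFSET_MASK;
    unsigned proto   = pkt[9];

    if (offset != 0) return 1;
    if (proto == PROTO_UDP || proto == PROTO_TCP) {
        if ((ihl << (2 + UDP_HDR_LEN)) > tot_len)   /* ihl << 10: 5120 for ihl == 5 */
            return 0;
    }
    return 1;
}

/* Constructed IPv4 header (version 4, ihl 5, no options) for the examples below. */
void make_ipv4(uint8_t *pkt, unsigned tot_len, unsigned frag_off, uint8_t proto)
{
    memset(pkt, 0, 20);
    pkt[0] = 0x45;
    pkt[2] = (uint8_t)(tot_len >> 8);  pkt[3] = (uint8_t)(tot_len & 0xFF);
    pkt[6] = (uint8_t)(frag_off >> 8); pkt[7] = (uint8_t)(frag_off & 0xFF);
    pkt[8] = 64;                       /* ttl */
    pkt[9] = proto;
}

int main(void)
{
    uint8_t p[64];
    make_ipv4(p, 28, 0, PROTO_UDP);    /* ordinary 8-byte UDP datagram, unfragmented */
    printf("udp 28 bytes: fixed=%d as_written=%d\n",
           first_frag_check_fixed(p, 28), first_frag_check_as_written(p, 28));
    make_ipv4(p, 24, 0, PROTO_UDP);    /* first fragment with only 4 bytes of UDP header */
    printf("udp 24 bytes: fixed=%d\n", first_frag_check_fixed(p, 24));
    make_ipv4(p, 28, 0, PROTO_TCP);    /* first fragment with only 8 bytes of TCP header */
    printf("tcp 28 bytes: fixed=%d\n", first_frag_check_fixed(p, 28));
    return 0;
}
```

Running it shows the intended check accepting the ordinary datagram and rejecting the two short first fragments, while the expression as written rejects the ordinary datagram as well; that is the difference the parentheses make.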
