[19528] in bugtraq
Re: Loopback and multi-homed routing flaw in TCP/IP stack.
daemon@ATHENA.MIT.EDU (Woody)
Tue Mar 6 22:34:08 2001
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Message-ID: <3AA584A2.F8D3E37D@thebunker.net>
Date: Wed, 7 Mar 2001 00:45:22 +0000
Reply-To: Woody <woody@THEBUNKER.NET>
From: Woody <woody@THEBUNKER.NET>
X-To: Darren Reed <avalon@coombs.anu.edu.au>
To: BUGTRAQ@SECURITYFOCUS.COM
Darren Reed wrote:
>
> In some mail from Woody, sie said:
> >
> > Subject: Loopback and multi-homed routing flaw in TCP/IP stack.
> > Author: Woody <woody@thebunker.net>
> >
> > We believe there to be a serious security flaw in the TCP/IP stack of
> > several Unix-like operating systems. Whilst being "known" behavior on
> > technical mailing lists, we feel that the implications of this
> > "feature" are unexpected. Furthermore, not all platforms behave in the
> > same way, which will obviously lead to invalid expectations.
> >
> > PLEASE NOTE: We have received a lot of replies to this advisory from
> > developers who have missed the point. Before you reply, please
> > read the advisory at least twice, to ensure you understand its
> > implications, and scope.
>
[snip]
> The other part of your advisory is the argument that IP addresses on
> an interface should not be reachable, by default, through others because
> people bind things to particular interfaces for security reasons and
> that people would be surprised to find out it's not like that. Well,
> any admin who's setup something like that and gone on to not test his
> configuration is being careless. The expectation of implied filtering
> of packets is an illusion created by that person for themselves. I've
> not read anywhere that the behaviour is documented to be such. Your
> claim that this is wrong is just your opinion and typically security
> advisories are based on factual security flaws, not opinions. The
> security problem here is in people not testing "security" they think
> they have put in place.
Yes, `people not testing "security" they think they have put in place'
is a valid point, to an extent. However, when people test their systems,
they test the things that they deem to be within the realms of
possibility.
A machine which has routing turned off, is not _expected_ to route, so
it
is not tested for.
This is the point of this advisory, which is commonly
missed.
Woody
