LinuxSecurity.com
Share your story
The central voice for Linux and Open Source security news
Home News Topics Advisories HOWTOs Features Newsletters About Register

Welcome!
Sign up!
EnGarde Community
Login
Polls
What is the most important Linux security technology?
 
Advisories
Community
Linux Events
Linux User Groups
Link to Us
Security Center
Book Reviews
Security Dictionary
Security Tips
SELinux
White Papers
Featured Blogs
All About Linux
DanWalsh LiveJournal
Securitydistro
Latest Newsletters
Linux Security Week: April 7th, 2014
Linux Advisory Watch: April 4th, 2014
Subscribe
LinuxSecurity Newsletters
E-mail:
Choose Lists:
About our Newsletters
RSS Feeds
Get the LinuxSecurity news you want faster with RSS
Powered By

  
FreeBSD-SA-96:14:Firewall filter leak with user level ipfw Print E-mail
User Rating:      How can I rate this item?
Posted by LinuxSecurity.com Team   
FreeBSD A potential problem exists when users specify mask addresses to ipfw(8) using the address:mask syntax. Specifically, whenever the ':' syntax is used, the resulting mask is always 0xffffffff.
-----BEGIN PGP SIGNED MESSAGE-----

=============================================================================
FreeBSD-SA-96:14                                            Security Advisory
                                                                FreeBSD, Inc.

Topic:          Firewall filter leak with user level ipfw

Category:       core
Module:         ipfw
Announced:      1996-06-24
Affects:        FreeBSD -current Feb 24 1996 and later (ipfw.c rev 1.20)
                FreeBSD -stable Feb 26 1996 and later (ipfw.c rev 1.15.4.2)
Corrected:      Both FreeBSD -current and -stable as of Jun 23 1996
FreeBSD only:   yes

Patches:        ftp://freebsd.org/pub/CERT/patches/SA-96:14/

=============================================================================

I.   Background

     FreeBSD is shipped with packet filtering code. This is implemented
     by kernel level modules and user level programs. The user level
     program ipfw, used to control the packet filtering code in the
     kernel, has a bug in the way packet filter rules are interpreted.


II.  Problem Description

     A potential problem exists when users specify mask addresses to
     ipfw(8) using the address:mask syntax.  Specifically, whenever the ':'
     syntax is used, the resulting mask is always 0xffffffff.


III. Impact

     Whenever the address:mask syntax is used, the actual packet filtering
     will differ from the expected filtering thus allowing or denying
     more packets through the filter than intended.


IV. Workaround

     There is a simple workaround for this problem: Do not use the
     address:mask syntax. In stead, use the address/mask syntax. The
     implementation of the latter way of specifying masks does not suffer
     from the mentioned bug.

V. Solution

     Apply one of the patches below, depending on your version of
     FreeBSD. The patch is against /usr/src/sbin/ipfw/ipfw.c

     The following patch applies to -stable:


Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.15.4.4
retrieving revision 1.15.4.5
diff -u -r1.15.4.4 -r1.15.4.5
- --- ipfw.c    1996/06/18 02:03:29     1.15.4.4
+++ ipfw.c      1996/06/23 20:51:37     1.15.4.5
@@ -15,7 +15,7 @@
  *
  * NEW command line interface for IP firewall facility
  *
- - * $Id: ipfw.c,v 1.15.4.4 1996/06/18 02:03:29 alex Exp $
+ * $Id: ipfw.c,v 1.15.4.5 1996/06/23 20:51:37 alex Exp $
  *
  */
 
@@ -200,7 +200,7 @@
        }
 
        if (chain->fw_flg & IP_FW_F_FRAG)
- -             printf("frag ");
+               printf(" frag ");
 
        if (chain->fw_ipopt || chain->fw_ipnopt) {
                int     _opt_printed = 0;
@@ -321,12 +321,22 @@
 
                if (!inet_aton(*av,ipno))
                        show_usage("ip number\n");
- -             if (md == ':' && !inet_aton(p,mask))
- -                     show_usage("ip number\n");
- -             else if (md == '/') 
- -                     mask->s_addr = htonl(0xffffffff << (32 - atoi(p)));
- -             else 
- -                     mask->s_addr = htonl(0xffffffff);
+               switch (md) {
+                       case ':':
+                               if (!inet_aton(p,mask))
+                                       show_usage("ip number\n");
+                               break;
+                       case '/':
+                               if (atoi(p) == 0) {
+                                       mask->s_addr = 0;
+                               } else {
+                                       mask->s_addr = htonl(0xffffffff << (32 -
atoi(p)));
+                               }
+                               break;
+                       default:
+                               mask->s_addr = htonl(0xffffffff);
+                               break;
+               }
                av++;
                ac--;
        }
@@ -611,10 +621,9 @@
                        break;
                case 'N':
                        do_resolv=1;
- -                     break;
- -             case '?':
- -             default:
- -                     show_usage(NULL);
+                       break;
+               default:
+                       show_usage(NULL);
        }
 
        ac -= optind;
@@ -645,7 +654,7 @@
        } else {
                show_usage(NULL);
        }
- -        return 0;
+       return 0;
 }
 
 int 


     This one applies to -current:


Index: ipfw.c
===================================================================
RCS file: /home/ncvs/src/sbin/ipfw/ipfw.c,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -r1.26 -r1.27
- --- ipfw.c    1996/06/18 01:46:34     1.26
+++ ipfw.c      1996/06/23 20:47:51     1.27
@@ -16,7 +16,7 @@
  *
  * NEW command line interface for IP firewall facility
  *
- - * $Id: ipfw.c,v 1.26 1996/06/18 01:46:34 alex Exp $
+ * $Id: ipfw.c,v 1.27 1996/06/23 20:47:51 alex Exp $
  *
  */
 
@@ -256,7 +256,7 @@
        }
 
        if (chain->fw_flg & IP_FW_F_FRAG)
- -             printf("frag ");
+               printf(" frag ");
 
        if (chain->fw_ipopt || chain->fw_ipnopt) {
                int     _opt_printed = 0;
@@ -408,12 +408,23 @@
 
                if (lookup_host(*av,ipno) != 0)
                        show_usage("ip number\n");
- -             if (md == ':' && !inet_aton(p,mask))
- -                     show_usage("ip number\n");
- -             else if (md == '/') 
- -                     mask->s_addr = htonl(0xffffffff << (32 - atoi(p)));
- -             else 
- -                     mask->s_addr = htonl(0xffffffff);
+               switch (md) {
+                       case ':':
+                               if (!inet_aton(p,mask))
+                                       show_usage("ip number\n");
+                               break;
+                       case '/':
+                               if (atoi(p) == 0) {
+                                       mask->s_addr = 0;
+                               } else {
+                                       mask->s_addr = htonl(0xffffffff << (32 -
atoi(p)));
+                               }
+                               break;
+                       default:
+                               mask->s_addr = htonl(0xffffffff);
+                               break;
+               }
+               ipno->s_addr &= mask->s_addr;
                av++;
                ac--;
        }
@@ -788,10 +799,9 @@
                        break;
                case 'N':
                        do_resolv=1;
- -                     break;
- -             case '?':
- -             default:
- -                     show_usage("Unrecognised switch");
+                       break;
+               default:
+                       show_usage("Unrecognised switch");
        }
 
        ac -= optind;
@@ -818,7 +828,7 @@
        } else {
                show_usage("Bad arguments");
        }
- -        return 0;
+       return 0;
 }
 
 int 
=============================================================================
FreeBSD, Inc.

Web Site:                       http://www.freebsd.org/
Confidential contacts:          security-officer@freebsd.org
PGP Key:                        ftp://freebsd.org/pub/CERT/public_key.asc
Security notifications:         security-notifications@freebsd.org
Security public discussion:     security@freebsd.org

Notice: Any patches in this document may not apply cleanly due to
        modifications caused by digital signature or mailer software.
        Please reference the URL listed at the top of this document
        for original copies of all patches if necessary.
=============================================================================



-----BEGIN PGP SIGNATURE-----
Version: 2.6.3ia
Charset: noconv

iQCVAwUBMc22kFUuHi5z0oilAQEOBwP/WCVQZdHqv3ITppwCee3qNbe49nbNM4gc
+s3DX4qMe4olAvpd2izhNzPJH3mrOXzKKJTrZOeouZFDUm099lS67xQnc7F343v8
iAJMtIZVlA58BmcQcSlmjqh9eqTgNyRIYpgYoefDKkgKE6eukWylariorUo+ppKe
Tnpol2BUTXo=
=Ut0+
-----END PGP SIGNATURE-----
 
< Prev   Next >
    
Partner

 

Latest Features
Peter Smith Releases Linux Network Security Online
Securing a Linux Web Server
Password guessing with Medusa 2.0
Password guessing as an attack vector
Squid and Digest Authentication
Squid and Basic Authentication
Demystifying the Chinese Hacking Industry: Earning 6 Million a Night
Free Online security course (LearnSIA) - A Call for Help
What You Need to Know About Linux Rootkits
Review: A Practical Guide to Fedora and Red Hat Enterprise Linux - Fifth Edition
Yesterday's Edition
Heartbleed: Security experts reality-check the 3 most hysterical fears
Open source trounces proprietary software for code defects, Coverity analysis finds
Partner Sponsor

Community | HOWTOs | Blogs | Features | Book Reviews | Networking
 Security Projects |  Latest News |  Newsletters |  SELinux |  Privacy |  Home
 Hardening |   About Us |   Advertise |   Legal Notice |   RSS |   Guardian Digital
(c)Copyright 2014 Guardian Digital, Inc. All rights reserved.