Re: pf nat-to doesn't match a crafted packet

[Peter J. Philipp]

On Tue, Aug 29, 2023 at 09:45:24AM +1000, David Gwynne wrote:
> How are you injecting the crafted packet into the stack?

Via BPF.  It is a spoofing program that I made 23 years ago.  While that's
not really a great achievement it found at least 5 or so panic conditions
on OpenBSD throughout its existance, for which I'm sure everyone is grateful
for.  I am willing to share it (I have shared it in the past), but now only
for @openbsd.org addresses, I keep hacking on it time and time again,
but it only does IPv4 unless it reads the entire frame which I've never tried
I don't think.  Anyhow regarding the panics they pop up whenever I get
"creative" with packets, which keeps me away from what I really wanted to
achieve.

So in private conversation I had with Alexandr, I noticed that in the OpenBSD
pf firewall there is this statement in the pf.conf manpage (which is a lie).

           ICMP responses are not permitted unless they either match an
             existing request, or unless no state or keep state (sloppy) is
             specified.


Because in net/pf.c this line appears:

   5584                 if (ret >= 0)
   5585                         return (ret);

And well.. what is returned is negative which falls through to this:

   6357
   6358         return (PF_PASS);


15 year old bug and 10 year old bugs respectively.

Best Regards,
-peter

> On Tue, 29 Aug 2023, 01:14 , <p...@delphinusdns.org> wrote:
> 
> > >Synopsis:      pf nat-to doesn't match a crafted packet
> > >Category:      system
> > >Environment:
> >         System      : OpenBSD 7.3
> >         Details     : OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25
> > MDT 2023
> >                          dera...@arm64.openbsd.org:
> > /usr/src/sys/arch/arm64/compile/GENERIC.MP
> >
> >         Architecture: OpenBSD.arm64
> >         Machine     : arm64
> > >Description:
> >         I was testing a seemingly valid Internet packet going out my
> > gateway
> > but the pf firewall doesn't match nat-to to this one for some reason.  I'm
> > possibly overlooking something but every other packet exiting my gateway is
> > nat'ed.  What causes this?  How can this be exploited?
> >
> > >How-To-Repeat:
> > Here is the tcpdump from the host 1 hop behind the NAT router:
> >
> > 16:59:08.438082 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211
> > unreachable [icmp cksum ok] for 11.69.44.241.52699 > 7.198.187.211.55672:
> > udp 51351 [tos 0x9c] (ttl 147, id 17124, len 51419, optlen=40 NOP RR{39}=
> > RR{#106.155.117.54 233.26.79.111 129.127.249.242 60.117.146.16
> > 179.39.29.224 213.65.49.78 0.16.45.109 252.168.188.0 123.108.138.224}) (ttl
> > 64, id 65443, len 96)
> >   0000: 4500 0060 ffa3 0000 4001 ad81 c0a8 b10d  E..`....@.......
> >   0010: 310c 2ab6 0301 55aa 0000 0000 4f9c c8db  1.*...U.....O...
> >   0020: 42e4 0000 9311 c756 0b45 2cf1 07c6 bbd3  B......V.E,.....
> >   0030: 0107 2704 6a9b 7536 e91a 4f6f 817f f9f2  ..'.j.u6..Oo....
> >   0040: 3c75 9210 b327 1de0 d541 314e 0010 2d6d  <u...'...A1N..-m
> >   0050: fca8 bc00 7b6c 8ae0 cddb d978 0000 0000  ....{l.....x....
> >
> > and here is the tcpdump on the pppoe interface:
> >
> > 16:59:08.440403 192.168.177.13 > 49.12.42.182: icmp: host 7.198.187.211
> > unreacha
> > ble [icmp cksum ok] (ttl 63, id 65443, len 96)
> >
> > Here is the relevant anchor rules I have:
> >
> >        match out on $ext_if inet from <rfc1918> to any nat-to ($ext_if)
> >
> > and:
> >
> >         table <rfc1918> const { 10/8, 172.16/12, 192.168/16 }
> >
> > Why did pf not translate this?  ... that's kinda kinky.
> >
> > >Fix:
> > Not known.
> >
> >
> > dmesg:
> > OpenBSD 7.3 (GENERIC.MP) #2080: Sat Mar 25 14:20:25 MDT 2023
> >     dera...@arm64.openbsd.org:/usr/src/sys/arch/arm64/compile/GENERIC.MP
> > real mem  = 8432840704 (8042MB)
> > avail mem = 8139239424 (7762MB)
> > random: good seed from bootblocks
> > mainbus0 at root: ACPI
> > psci0 at mainbus0: PSCI 1.1, SMCCC 1.2
> > cpu0 at mainbus0 mpidr 0: ARM Cortex-A72 r0p3
> > cpu0: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
> > cpu0: 1024KB 64b/line 16-way L2 cache
> > cpu0: CRC32,ASID16
> > cpu1 at mainbus0 mpidr 1: ARM Cortex-A72 r0p3
> > cpu1: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
> > cpu1: 1024KB 64b/line 16-way L2 cache
> > cpu1: CRC32,ASID16
> > cpu2 at mainbus0 mpidr 2: ARM Cortex-A72 r0p3
> > cpu2: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
> > cpu2: 1024KB 64b/line 16-way L2 cache
> > cpu2: CRC32,ASID16
> > cpu3 at mainbus0 mpidr 3: ARM Cortex-A72 r0p3
> > cpu3: 48KB 64b/line 3-way L1 PIPT I-cache, 32KB 64b/line 2-way L1 D-cache
> > cpu3: 1024KB 64b/line 16-way L2 cache
> > cpu3: CRC32,ASID16
> > efi0 at mainbus0: UEFI 2.7
> > efi0: https://github.com/pftf/RPi4 rev 0x10000
> > smbios0 at efi0: SMBIOS 3.3.0
> > smbios0: vendor https://github.com/pftf/RPi4 version "UEFI Firmware
> > v1.21" date 11/13/2020
> > smbios0: Raspberry Pi Foundation Raspberry Pi 4 Model B
> > apm0 at mainbus0
> > ampintc0 at mainbus0 nirq 256, ncpu 4 ipi: 0, 1, 2: "interrupt-controller"
> > agtimer0 at mainbus0: 54000 kHz
> > acpi0 at mainbus0: ACPI 6.3
> > acpi0: sleep states
> > acpi0: tables DSDT FACP CSRT DBG2 GTDT IORT APIC PPTT BGRT
> > acpi0: wakeup devices
> > acpiiort0 at acpi0
> > "BCM2849" at acpi0 not configured
> > "BCM2835" at acpi0 not configured
> > "BCM2854" at acpi0 not configured
> > "ACPI0004" at acpi0 not configured
> > xhci0 at acpi0 XHC0 addr 0x600000000/0x1000 irq 175, xHCI 1.0
> > usb0 at xhci0: USB revision 3.0
> > uhub0 at usb0 configuration 1 interface 0 "Generic xHCI root hub" rev
> > 3.00/1.00 addr 1
> > "ACPI0007" at acpi0 not configured
> > "ACPI0007" at acpi0 not configured
> > "ACPI0007" at acpi0 not configured
> > "ACPI0007" at acpi0 not configured
> > "ACPI0004" at acpi0 not configured
> > "BCM2848" at acpi0 not configured
> > "BCM2850" at acpi0 not configured
> > "BCM2856" at acpi0 not configured
> > "BCM2845" at acpi0 not configured
> > "BCM2841" at acpi0 not configured
> > "BCM2841" at acpi0 not configured
> > "BCM2838" at acpi0 not configured
> > "BCM2839" at acpi0 not configured
> > "BCM2844" at acpi0 not configured
> > pluart0 at acpi0 URT0 addr 0xfe201000/0x1000 irq 153
> > "BCM2836" at acpi0 not configured
> > "BCM2EA6" at acpi0 not configured
> > "MSFT8000" at acpi0 not configured
> > sdhc0 at acpi0 SDC1 addr 0xfe300000/0x100 irq 158
> > sdhc0: base clock frequency unknown
> > "BCM2855" at acpi0 not configured
> > bse0 at acpi0 ETH0 addr 0xfd580000/0x10000 irq 189: address
> > dc:a6:32:cc:db:a7
> > brgphy0 at bse0 phy 1: BCM54210E 10/100/1000baseT PHY, rev. 2
> > "PNP0C06" at acpi0 not configured
> > acpitz0 at acpi0: critical temperature is 90 degC
> > simplefb0 at mainbus0: 640x480, 32bpp
> > wsdisplay0 at simplefb0 mux 1: console (std, vt100 emulation)
> > wsdisplay0: screen 1-5 added (std, vt100 emulation)
> > uhub1 at uhub0 port 1 configuration 1 interface 0 "VIA Labs USB2.0 Hub"
> > rev 2.10/4.21 addr 2
> > uhidev0 at uhub1 port 4 configuration 1 interface 0 "APC Back-UPS ES 700G
> > FW:871.O4 .I USB FW:O4" rev 1.10/1.06 addr 3
> > uhidev0: iclass 3/0, 146 report ids
> > upd0 at uhidev0
> > uhid0 at uhidev0 reportid 1: input=0, output=0, feature=1
> > uhid1 at uhidev0 reportid 2: input=0, output=0, feature=1
> > uhid2 at uhidev0 reportid 3: input=0, output=0, feature=1
> > uhid3 at uhidev0 reportid 4: input=0, output=0, feature=1
> > uhid4 at uhidev0 reportid 5: input=0, output=0, feature=1
> > uhid5 at uhidev0 reportid 6: input=1, output=0, feature=1
> > uhid6 at uhidev0 reportid 7: input=0, output=0, feature=2
> > uhid7 at uhidev0 reportid 8: input=0, output=0, feature=2
> > uhid8 at uhidev0 reportid 9: input=0, output=0, feature=2
> > uhid9 at uhidev0 reportid 10: input=0, output=0, feature=1
> > uhid10 at uhidev0 reportid 11: input=0, output=0, feature=1
> > uhid11 at uhidev0 reportid 12: input=3, output=0, feature=3
> > uhid12 at uhidev0 reportid 13: input=0, output=0, feature=1
> > uhid13 at uhidev0 reportid 14: input=0, output=0, feature=1
> > uhid14 at uhidev0 reportid 15: input=0, output=0, feature=1
> > uhid15 at uhidev0 reportid 16: input=0, output=0, feature=1
> > uhid16 at uhidev0 reportid 17: input=0, output=0, feature=1
> > uhid17 at uhidev0 reportid 18: input=0, output=0, feature=1
> > uhid18 at uhidev0 reportid 23: input=0, output=0, feature=2
> > uhid19 at uhidev0 reportid 24: input=0, output=0, feature=1
> > uhid20 at uhidev0 reportid 28: input=0, output=0, feature=3
> > uhid21 at uhidev0 reportid 32: input=0, output=0, feature=2
> > uhid22 at uhidev0 reportid 34: input=0, output=0, feature=1
> > uhid23 at uhidev0 reportid 35: input=0, output=0, feature=2
> > uhid24 at uhidev0 reportid 36: input=0, output=0, feature=2
> > uhid25 at uhidev0 reportid 37: input=0, output=0, feature=2
> > uhid26 at uhidev0 reportid 38: input=0, output=0, feature=2
> > uhid27 at uhidev0 reportid 39: input=0, output=0, feature=1
> > uhid28 at uhidev0 reportid 40: input=0, output=0, feature=4
> > uhid29 at uhidev0 reportid 48: input=0, output=0, feature=2
> > uhid30 at uhidev0 reportid 49: input=0, output=0, feature=2
> > uhid31 at uhidev0 reportid 50: input=0, output=0, feature=2
> > uhid32 at uhidev0 reportid 51: input=0, output=0, feature=2
> > uhid33 at uhidev0 reportid 52: input=0, output=0, feature=1
> > uhid34 at uhidev0 reportid 53: input=0, output=0, feature=1
> > uhid35 at uhidev0 reportid 54: input=0, output=0, feature=1
> > uhid36 at uhidev0 reportid 64: input=0, output=0, feature=1
> > uhid37 at uhidev0 reportid 65: input=0, output=0, feature=2
> > uhid38 at uhidev0 reportid 80: input=0, output=0, feature=1
> > uhid39 at uhidev0 reportid 81: input=0, output=0, feature=1
> > uhid40 at uhidev0 reportid 96: input=0, output=0, feature=2
> > uhid41 at uhidev0 reportid 97: input=0, output=0, feature=1
> > uhid42 at uhidev0 reportid 98: input=0, output=0, feature=4
> > uhid43 at uhidev0 reportid 120: input=0, output=0, feature=1
> > uhid44 at uhidev0 reportid 121: input=0, output=0, feature=1
> > uhid45 at uhidev0 reportid 122: input=0, output=0, feature=4
> > uhid46 at uhidev0 reportid 123: input=0, output=0, feature=2
> > uhid47 at uhidev0 reportid 124: input=0, output=0, feature=1
> > uhid48 at uhidev0 reportid 125: input=0, output=0, feature=1
> > uhid49 at uhidev0 reportid 126: input=0, output=0, feature=1
> > uhid50 at uhidev0 reportid 127: input=0, output=0, feature=1
> > uhid51 at uhidev0 reportid 140: input=0, output=0, feature=1
> > uhid52 at uhidev0 reportid 141: input=0, output=0, feature=1
> > uhid53 at uhidev0 reportid 142: input=0, output=0, feature=1
> > uhid54 at uhidev0 reportid 143: input=0, output=0, feature=1
> > uhid55 at uhidev0 reportid 144: input=0, output=0, feature=1
> > uhid56 at uhidev0 reportid 145: input=0, output=0, feature=2
> > uhid57 at uhidev0 reportid 146: input=0, output=0, feature=2
> > umass0 at uhub0 port 3 configuration 1 interface 0 "Samsung Flash Drive
> > FIT" rev 3.10/11.00 addr 4
> > umass0: using SCSI over Bulk-Only
> > scsibus0 at umass0: 2 targets, initiator 0
> > sd0 at scsibus0 targ 1 lun 0: <Samsung, Flash Drive FIT, 1100> removable
> > serial.090c1000521110001360
> > sd0: 244752MB, 512 bytes/sector, 501253132 sectors
> > vscsi0 at root
> > scsibus1 at vscsi0: 256 targets
> > softraid0 at root
> > scsibus2 at softraid0: 256 targets
> > root on sd0a (081866428dff49a4.a) swap on sd0b dump on sd0b
> > WARNING: / was not properly unmounted
> > WARNING: bad clock chip time
> > WARNING: CHECK AND RESET THE DATE!
> > pppoe0: received unexpected PADO
> >
> >

-- 
Over thirty years experience on Unix-like Operating Systems starting with QNX.