------Original Message------
From: [EMAIL PROTECTED]
Sent: April 24, 2001 12:13:09 PM GMT
Subject: IPTables Security Flaw with Linux 2.4 Kernel and IPTables

By Rick Johnson

Like everyone else, my longing for improved Linux firewalling was almost unbearable. Thankfully, the 2.4 kernels made IPTables a reality. For those who haven't experienced the world of IPTables, you are really missing out.

Tempest Security Technologies (http://www.tempest.com.br) reported a security flaw in Linux 2.4 IPTables involving the FTP PORT command (http://www.tempest.com.br/advisories/01-2001.html), breaking our euphoria. The following paraphrases their advisory.

The attack connects to an FTP server (passing through the firewall) and issues PORT commands with arbitrary IP and port parameters; the normal parameters are the client's own IP and a random port. Most firewall setups using IPTables include the following rule to allow established and related connections to pass through:

iptables -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

(The two state names are separated by a comma with no space; written as "ESTABLISHED, RELATED" the shell would hand iptables "RELATED" as a separate argument.)

The "related" state includes connections such as the FTP data transfer connections, in both active and passive modes. If related connections and FTP are allowed through the firewall, then the system is most likely vulnerable. An attacker can establish an FTP connection through a Linux 2.4.x IPTables firewall whose state rules allow "related" connections, and then insert entries into the firewall's RELATED (expectation) table that allow the FTP server to connect to any host and port protected by the firewall's rules, including the firewall itself.

Linux 2.4.x includes NetFilter, a raw framework for filtering and mangling packets. IPTables, used for firewalling, is built on the NetFilter framework. It includes a new connection-tracking feature, known to some as "stateful inspection", which maintains four possible states: NEW, ESTABLISHED, RELATED, and INVALID.
We are interested in the RELATED state, which includes the FTP data connections, both active (PORT command) and passive (PASV command). The ip_conntrack_ftp module analyzes FTP control connections that pass through the firewall, looks for PORT and PASV commands, and adds entries for the resulting data connections to the firewall's connection (expectation) table.

The manner in which the PORT command is interpreted and processed exposes the flaw. Essentially, a client can pass any IP/port in an FTP PORT command and the module will not validate these parameters against the client's own address; it adds an entry to the RELATED table allowing a connection from the FTP server, from any source port, to the specified destination IP and port. In most cases people write stringent filtering rules but lax rules for RELATED connections, so this lets the attacker reach anywhere.

The flaw can be used, for example, to make the FTP server connect to any TCP port on the firewall, or on any other node protected by the firewall. Even though the rules normally deny this type of traffic, it passes because of the rule allowing RELATED. The attacker does not even need a valid login to the FTP server: the module interprets the PORT command independently of any authentication (USER and PASS).

An attacker positioned behind your firewall (i.e., "protected") can also exploit this flaw. For example, if your firewall protects an FTP server and the attacker has compromised it by other means, this connection can be used to reach the other protected networks. Alternatively, if the attacker is behind your firewall as a client and connects to an FTP server on the Internet, he can use it to let that FTP server connect to other protected networks.

The NetFilter development team was notified and quickly developed a patch to fix the issue.
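To make the mechanism concrete, here is a small Python model of what the FTP helper does with a PORT command and why an unchecked address becomes a hole in the RELATED rule. This is an added example for this article; it is not the ip_conntrack_ftp source or the NetFilter patch. The helper functions, the Expectation class, and the addresses (192.0.2.10 as the client, 198.51.100.5 as the FTP server, 10.0.0.1:22 as a host behind the firewall) are all constructed for illustration, and the hardened variant shows the kind of check the advisory calls for (the PORT address must equal the control connection's client address), not the exact code of the fix.

```python
"""Model of how an FTP connection-tracking helper turns a PORT command into a
RELATED-state expectation, contrasting the unchecked behaviour described in the
advisory with a helper that requires the PORT address to match the client.
Illustrative code only; not the ip_conntrack_ftp implementation."""
import re
from dataclasses import dataclass

# Matches "PORT h1,h2,h3,h4,p1,p2" as sent on the FTP control channel (RFC 959).
PORT_RE = re.compile(
    r"^PORT\s+(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\s*$",
    re.IGNORECASE,
)


@dataclass(frozen=True)
class Expectation:
    """One RELATED entry: the server may connect from any source port to dst."""
    src_ip: str      # the FTP server (the data connection originates here in active mode)
    dst_ip: str
    dst_port: int


def parse_port_command(line):
    """Return (ip, port) from a PORT command, or None if it is malformed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    fields = [int(x) for x in m.groups()]
    if any(f > 255 for f in fields):
        return None
    ip = "{}.{}.{}.{}".format(*fields[:4])
    port = fields[4] * 256 + fields[5]   # p1 is the high byte, p2 the low byte
    return ip, port


def vulnerable_helper(client_ip, server_ip, line):
    """Unpatched behaviour as described in the advisory: whatever address the
    client names becomes the destination of the expected data connection."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    return Expectation(src_ip=server_ip, dst_ip=ip, dst_port=port)


def hardened_helper(client_ip, server_ip, line):
    """Checked behaviour (hypothetical, not the NetFilter patch itself): only
    accept a PORT address equal to the address the control connection came from."""
    parsed = parse_port_command(line)
    if parsed is None:
        return None
    ip, port = parsed
    if ip != client_ip:
        return None   # refuse to create an expectation pointing at a third party
    return Expectation(src_ip=server_ip, dst_ip=ip, dst_port=port)


def related_allows(expectations, src_ip, dst_ip, dst_port):
    """What '-m state --state RELATED -j ACCEPT' does with a new SYN: pass it if
    any expectation matches (the source port is not part of the expectation)."""
    return any(
        e.src_ip == src_ip and e.dst_ip == dst_ip and e.dst_port == dst_port
        for e in expectations
    )


def demo():
    # Constructed addresses for the walk-through.
    client = "192.0.2.10"        # attacker's FTP client
    server = "198.51.100.5"      # FTP server reached through the firewall
    victim = ("10.0.0.1", 22)    # host behind the firewall the attacker wants reached
    evil_port = "PORT 10,0,0,1,0,22"   # names the victim, not the client

    exp = vulnerable_helper(client, server, evil_port)
    print("vulnerable helper expects:", exp)
    print("server -> 10.0.0.1:22 passes RELATED:", related_allows([exp], server, *victim))
    print("hardened helper expects:", hardened_helper(client, server, evil_port))
    return exp


if __name__ == "__main__":
    demo()
```

Running demo() shows the vulnerable helper creating an expectation for 198.51.100.5 to reach 10.0.0.1:22, which the RELATED rule then accepts regardless of the FORWARD rules that would otherwise drop it; the hardened helper returns None for the same command and only creates an expectation when the PORT address is the client's own.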
Patches are available from:
http://netfilter.samba.org/security-fix/
http://netfilter.gnumonks.org/security-fix/
http://netfilter.filewatcher.org/security-fix/

Even with this flaw, IPTables propels Linux firewalling into the realm of serious security and is well worth the time to learn.

About the author(s)
-------------------
Rick Johnson is currently involved in a number of projects, none of which he can discuss at this time. Aren't non-disclosure agreements wonderful? When not involved with those, he heads the development team for PMFirewall, an Ipchains Firewall and Masquerading Configuration Utility for Linux. Rick can be contacted via email at [EMAIL PROTECTED] or on the web at http://www.pointman.org.

________________________________________________________________________________

ADDITIONAL RESOURCES

Installing a firewall, Part 1
Get the details of a secure Trustix 1.1 installation
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2211/LWD111010fwinstall1/

Installing a firewall, Part 2
Tips for configuring secure, lean mail and network services
http://www.itworld.com/jump/linsec_nl/www.itworld.com/App/325/LWD001017fwinstall2/

Installing a firewall, Part 3
The authors tweak Trustix to create a secure firewall and server
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2211/LWD001024fwinstall3/

Means of improved IP security close at hand
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2199/CWD010416STO59610/

------------------------------------------------
An alpha version of a web-based tool to manage your subscription with this mailing list is at http://lists.linux-india.org/cgi-bin/mj_wwwusr
