For those of you not on the netfilter announce list, this might be of
concern if you use Linux as a NAT gateway (specifically using the DNAT
target, which is often used for port forwards).
Basically, if there is an error generated by the NAT box against a DNAT
rule, the ICMP error may contain information you'd rather the external
world not know (about the final destination after NAT).
A patch to fix the bug is available from the netfilter web site.
--MonMotha
-------- Original Message --------
Subject: Security Advisory
Date: Wed, 8 May 2002 16:07:05 +0200
From: Harald Welte <[EMAIL PROTECTED]>
To: [email protected]
CC: Netfilter Mailinglist <[email protected]>, Netfilter
Development Mailinglist <[email protected]>
Hi!
Unfortunately there is a very unpopular announcement to be made on this
list: A netfilter security advisory.
Phillipe Biondi has been reporting this bug and preparing the advisory,
the [still preliminary] solution is by Rusty Russell and James Morris.
--
Live long and prosper
- Harald Welte / [EMAIL PROTECTED] http://www.gnumonks.org/
============================================================================
GCS/E/IT d- s-: a-- C+++ UL++++$ P+++ L++++$ E--- W- N++ o? K- w--- O- M+
V-- PS++ PE-- Y++ PGP++ t+ 5-- !X !R tv-- b+++ !DI !D G+ e* h--- r++ y+(*)
----------------------------------------------------------------------
Cartel Sécurité --- Security Advisory
Advisory Number: CARTSA-20020402
Subject: Linux Netfilter NAT/ICMP code information leak
Author: Philippe Biondi <[EMAIL PROTECTED]>
Discovered: 2002, April 2
Published: Not yet
----------------------------------------------------------------------
NOTE: Do not release in public before May 8, 2002.
Problem description
===================
The following bug exists in the netfilter NAT implementation: When the
first packet of a connection is hitting a NAT rule, and this packet
causes the NAT box itself to reply with an ICMP error message, the
inner IP packet inside the ICMP error message is not un-NAT'ed
correctly. This leads to the ability to discover which ports of a
host are NATed and where the packet will really go. This can also lead to
those ICMP error packets being dropped by stateful firewalls not
recognizing
the related connection.
Vulnerable versions
===================
All kernel patches from iptables package < ipables-1.2.6a are vulnerable.
All versions of kernel >= 2.4.4 and up to (at least) 2.4.19-pre6 use a
vulnerable version.
Vendor status
=============
The netfilter team has solved this bug with a patch that has been refused
for inclusion in the linux kernel. They are working on a new patch.
Solutions
=========
* Use the attached patch
* Upgrade your kernel using the patch at
http://www.netfilter.org/security/2002-04-02-icmp-dnat.html
(link active starting with May 8)
* Use a workarround until the final solution to this bug is implemented
and included in the linux kernel source
Workarounds
===========
Filter out untracked local packets:
iptables -A OUTPUT -m state -p icmp --state INVALID -j DROP
Example
=======
Let's take a machine (172.16.1.40) that DNAT port 666 to 172.16.3.26:22 :
iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to
172.16.3.26:22
Then if a host sends a packet that will die on 172.16.1.40 :
hping -t 1 --syn -p 666 172.16.1.40
This is the icmp packet we'll get from 172.16.1.40 :
17:07:46.709230 172.16.1.40 > 172.16.1.28: icmp: time exceeded in-transit
0x0000 45c0 0044 eaa6 0000 ff01 75f1 ac10 0128 E..D......u....(
0x0010 ac10 0118
0b00 516d 0000 0000
4500 0028 ......Qm....E..(
0x0020 b0f3 0000 0106 ac8a ac10 0118 ac10 031a <-+ ................
0x0030 04bd 0016 3206 3ec0 0490 00b4 5002 0200 | ....2.>.....P...
0x0040 d6b2 00^0 | ....
| 172.16.3.26
+-- port 22
You can also try a patch to nmap that does that and much more :
http://www.cartel-info.fr/pbiondi/nmap/
# ./nmap -sS -P0 xxx.xxx.xxx.xxx -p 22,23,666,667 -t 9
Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
Interesting ports on xxx.xxx.xxx.xxx:
Port State Service
22/tcp open ssh
23/tcp filtered telnet
666/tcp UNfiltered unknown DNAT to 192.168.8.10:22
667/tcp UNfiltered unknown DNAT to 192.168.26.10:22
Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds
----------------------------------------------------------------------
Copyright (c) Cartel Sécurité
This document is copyrighted. It can't be edited nor republished
without explicit consent of Cartel Sécurité.
For more informations, feel free to contact us.
http://securite.cartel-securite.fr/
----------------------------------------------------------------------
--
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94 Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
