ixed in the CVS.
http://cvs.netfilter.org/cgi-bin/cvsweb/netfilter/userspace/extensions/libip6t_tcp.c.diff?r1=1.6&r2=1.7&f=u
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-/Zorp, NetFilter and IPv6
[EMAIL PROTECT
Hi,
2 mistyping bugs in libip6t_tcp.c.
Regards,
kisza
--
Andras Kis-Szabo Security Development, Design and Audit
-/Zorp, NetFilter and IPv6
[EMAIL PROTECTED] /-Member of the BUTE-MIS-SEARCHlab-->
--- netfilter.old/usersp
this the
p-o-m will be changed (and will depend on the 2.4.19-patch).
regards,
kisza
ever adds the size of the extensions to the counters!
(It counts only the ipv6-header and the payload.)
Regards,
kisza
**
Any Linux system, which has a rule with protocol match (-p)!
*** Preparedness ***
Any script-kiddie, or a plain user with instructions.
Automated tool: possible
*** Result ***
Kernel crash
*** Required packet ***
- any IPv6 packet with options (fix: near the 1st patch)
- IPv6 packet with AH op
and I will check it as soon as I find some free
time.
(My final exams - for MSc - are more important in these days and Jozsef
is engaged in it, too.)
Regards,
kisza
-ICMP RFC. I just sent a special packet with
TCP payload and I got back the payload. It was only a first check.
(In IPv6-ICMP the length-limit is ~1298 bytes, ...)
kisza
elease).
Regards,
kisza
ends a 'PORT ip,ip,ip,ip,port,port'. The outer
Netfilter will translate the ips into an internal one, but the server
will reject with the modified IPs.
(It's only an example, I know the ftp works in a different way [but it can
work with a malicious ftp server and SNAT])
Regards,
hi,
- remove check of find_proto(), since do_command() can be called multiple times,
and match will be loaded after first call.
- remove the '-C' option (from help msgs)
kisza
s command.
(The example was the '-n' chain and the '-L' option...)
Regards,
kisza
).
The problem description is not correct:
the pom fails when any of the used directories are on a different
filesystem and the patch performs changes over the userspace code.
regards,
kisza
---
Hi,
> http://bugs.debian.org/117590
> http://bugs.debian.org/iptables
> Another Debian developer confirmed the tcp flags (--syn) not saved
> problem using iptables 1.2.6a.
Already fixed in CVS.
Regards,
kisza
)
- Hop-by-Hop
- Routing + Type0 Routing
- Fragmentation
- Destination options
- AH
- ESP
So, we can check all the fields (or most of them).
Regards,
kisza
der) match
- route6 (routing header) match
Regards,
kisza
diff -urN netfil
Hi,
Try this:
hoi:~# iptables -N -n
hoi:~# iptables -X -n
iptables v1.2.7: Illegal option `-n' with this command
Try `iptables -h' or 'iptables --help' for more information.
hoi:~# iptables -A -n -p tcp
hoi:~# iptables -L -n
Regards,
kisza
/addons/TestPackets
(1 truncated AH packet and 4 routing packets)
Regards,
kisza
diff -
Hi,
AH, ESP:
- added length check in the iteration phase
- added length check in the interpreter
frag:
- added length check in the iteration phase
Regards,
kisza
t specify proto == TCP/UDP, no unknown flags or bad count */
> return (ip->proto == IPPROTO_TCP || ip->proto == IPPROTO_UDP)
> && !(ip->flags & IP6T_INV_PROTO)
Except that misspelled keyword the patch looks good (if it worked with IPv4 it
will work with IP
'return 0' is OK, but can I set the hotdrop or not?
(w/o hotdrop=1, I simply discard the packet,
with it, I deny the whole sending mechanism, the userspace gets back an
'operation not permitted' msg.)
Regards,
kisza
t the -save, and there isn't at the '-L' to avoid
the spaces.
Regards,
kisza
PE=129 CODE=0 ID=49685 SEQ=512
Regards,
kisza
diff -urN netfilter/userspace/patch-o-matic/extra.old/l
' or 'iptables-restore --help' for more information.
> -cut
Patch attached (ipv4 and ipv6, too)
Regards,
kisza
You should try this (as a workaround):
iptables -t nat -A PREROUTING -p tcp --dport 666 -m ttl --ttl-gt 4 -j DNAT --to 172.16.3.26:22
iptables -t nat -A PREROUTING -m ttl --ttl-lt 5 -j LOG --log-prefix "Evil hax0r "
(So it is not hardcoded as in IPFilter ... )
Regards,
kisza
--
onenction)?
ip6tables -A INPUT -j LOG
The GRE and IPIP tunnels can be concerned, too!
(The SIT implementation cloned from them. I haven't got configured gre
and/or ipip tunnel :( )
Regards,
kisza
Harald: added 2 checks for the pointers inside the skb area.
(mac under- and ip
Hi,
> In line 422 of ip6_tables.c:
> protohdr = (u_int32_t *)ipv6 + IPV6_HDR_LEN;
> it should be rewritten to:
> protohdr = (u_int32_t *)((char *)ipv6 + IPV6_HDR_LEN);
The point is Yours! It's a real problem :(
Patch is included against 2.4.18.
Regards
kisza
--
:
how can I specify a signed and encrypted packet?
(Ex. SPIs AH=101 ESP=120. The packet is: IPv4-AH-ESP)
Regards,
kisza
[--fragmore|--fraglast] there are more fragments or this
is the last one
Regards,
kisza
Hi,
Fixes (of my faults):
- logical expressions
- skb ( :( )
- skb->cb dropped (not valid on output hook)
- fixed header-chain iteration
(All test passed with the example packets.)
Regards,
kisza
der, ah and esp matches)
regards,
kisza
Hi,
there's a patch to the ipv6header match module.
(I handled the skb structure in a wrong way)
[in debug mode with the tcpreplay6 is a very useful thing :)]
Regards,
kisza
eader.
(I've got some tcpdump files which can be resent with this tool)
regards,
kisza
ibip6t_eui64.c (the eui64 match 4 ipv6 will be corrupted)
Regards,
kisza
, please test them, if You've got a lot of free time!
:)
2.
Extensions-HOWTO update for these matches
(And added a status field to the ipv6 extensions)
3.
The CVS is still broken, somehow the library was not renamed with the match
( agr -> eui64)
Regards,
kisza
length of the Hop-by-Hop option
--spi number(hex) SPI
--seq number(hex) Sequence nr
Regards & thx,
kisza
IP6T_ICMP6_ECHOREPLY rejection options!
(The library code remained consistent, it does not support these 2 types, yet)
regards,
kisza
Andras Kis-Szabo ... (March 3, 2002)
Hi!
> IPv6-LOG target is submitted into 2.4.14, but not added to the Makefile.
> In this case the kernel module is compiled, but the library isn't.
> The patch adds the LOG into the SLIBs.
The 'mac mu
Hi,
- ip6tables-save and -restore updates (sync)
- ip6tables-save and -restore man pages
regards,
kisza
d comments (remained codes from the ancient times)
- options for the pkt counters added
ip6tables.8
- corrections to the new command
regards,
kisza
Hi,
IPv6-LOG target is submitted into 2.4.14, but not added to the Makefile.
In this case the kernel module is compiled, but the library isn't.
The patch adds the LOG into the SLIBs.
regards,
kisza
Hi,
- Hungarian FAQ update (sync)
- SGML fix to FAQ
regards,
kisza
--- netfilter/
t;< NF_IP6_PRE_ROUTING) | (1 << NF_IP6_LOCAL_IN)
+ | (1 << NF_IP_FORWARD))) {
+ printk("ip6t_mac: only valid for PRE_ROUTINGi, LOCAL_IN or
+FORWARD.\n");
return 0;
}
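Review bot: the added hook-mask term uses `NF_IP_FORWARD` while the neighbouring terms in the same expression use the IPv6 names (`NF_IP6_PRE_ROUTING`, `NF_IP6_LOCAL_IN`); in an IPv6 match this should be `NF_IP6_FORWARD` so the check does not rely on the IPv4 and IPv6 hook numbers happening to agree. The new printk string also reads "PRE_ROUTINGi", with a stray "i", and the literal is split across two lines before "FORWARD", which will not compile as written if that break is in the real patch and not just mail wrapping.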
@@ -60,3 +61,5 @@
module_init(init);
module_exi
{ 0 } } }, { { { 0 } } }, { { { 0 }
} }, "", "", { 0 }, { 0 }, 0, 0, 0 },
+ { { { { 0 }, { 0 }, { 0 }, { 0 }, "", "", { 0 }, { 0 }, 0,
0, 0 },
-{ { { { { { 0 } } }, { { { 0 } } }, { { { 0 } } }, { { { 0 } } },
"", "", { 0 }, { 0 }, 0, 0, 0 },
+
entries is generated.
Yes, the aligning was performed with a wrong method.
In the do_replace() and ip6t_register_table() functions it is used correctly.
(The IPv4 part is correct, too. - missed synchronization? :) )
Thanks for the detailed bug report and patch!
Regards,
kisza