SecurityTracker.com
Category:   Application (Security)  >   IP Filter
Vendors:   Reed, Darren
IP Filter Packet State Error May Let Remote Users Deny Service
SecurityTracker Alert ID:  1005888
SecurityTracker URL:  http://securitytracker.com/id/1005888
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Jan 6 2003
Impact:   Denial of service via network
Exploit Included:  Yes  
Version(s): 3.4.30, 3.4.29 (400)
Description:   A denial of service vulnerability was reported in the IP Filter firewall software. A remote user may be able to deny service to firewall users.

It is reported that a remote user can send a TCP packet with the ACK bit set and without a previous SYN packet. If the TCP packet contains a bad checksum value, IP Filter will reportedly add an "ESTABLISHED" session to the state table with a time-to-live value of 120 hours for this session. A remote user can exploit this to consume all available sessions and prevent the firewall from processing other new sessions.

A demonstration exploit transcript is provided in the Source Message.
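As an added example (not code from this SecurityTracker entry or from IP Filter itself), the following Python model contrasts the reported behaviour, where a bare ACK creates an ESTABLISHED entry with a 120-hour TTL before its checksum is ever checked, with a variant that verifies the TCP checksum before touching the state table. The addresses, ports, the checksum corruption and the simplified filter and host logic are all constructed assumptions; they are not IP Filter's implementation.

```python
import struct

ESTABLISHED_TTL = 120 * 3600  # the 120-hour timeout cited in the report, in seconds
RST_SEEN_TTL = 60             # the "1 minute" timeout once the host's RST has been seen
SYN, RST, ACK = 0x02, 0x04, 0x10

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum used by the TCP checksum."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def tcp_checksum(src_ip: bytes, dst_ip: bytes, seg: bytes) -> int:
    """Checksum over the IPv4 pseudo-header and the segment with its checksum field zeroed."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, 6, len(seg))  # protocol 6 = TCP
    return inet_checksum(pseudo + seg[:16] + b"\x00\x00" + seg[18:])

def build_segment(src_ip, dst_ip, sport, dport, flags, bad_checksum=False) -> bytes:
    """Minimal 20-byte TCP header (no options); optionally with a deliberately wrong checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    if bad_checksum:
        csum ^= 0x0001  # constructed corruption: any mismatch will do
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]

def filter_packet(table: dict, src_ip, dst_ip, seg, verify_checksum: bool) -> bool:
    """Toy stateful filter: returns True if the packet passes; `table` maps flow key -> TTL."""
    if verify_checksum and tcp_checksum(src_ip, dst_ip, seg) != struct.unpack("!H", seg[16:18])[0]:
        return False  # hardened path: a bad checksum never touches the state table
    sport, dport = struct.unpack("!HH", seg[:4])
    flags, key, reverse = seg[13], (src_ip, sport, dst_ip, dport), (dst_ip, dport, src_ip, sport)
    if flags & RST and reverse in table:
        table[reverse] = RST_SEEN_TTL   # the host rejected the flow: shorten its TTL
    elif flags & ACK and not flags & SYN and key not in table:
        table[key] = ESTABLISHED_TTL    # bare ACK with no prior SYN is treated as established
    return True

def simulate(bad_checksum: bool, verify_checksum: bool):
    """Bare ACK from A to B; B answers with RST only if the segment's checksum was valid."""
    a, b = bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2])  # constructed addresses
    table = {}
    ack = build_segment(a, b, 1235, 22, ACK, bad_checksum)
    if filter_packet(table, a, b, ack, verify_checksum) and not bad_checksum:
        rst = build_segment(b, a, 22, 1235, RST | ACK)  # hosts discard bad checksums silently
        filter_packet(table, b, a, rst, verify_checksum)
    return table.get((a, 1235, b, 22))  # remaining TTL of the state entry, or None
```

Running `simulate(True, False)` reproduces the long-lived entry the report describes, while `simulate(True, True)` shows that checking the checksum first leaves the state table untouched.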

Impact:   A remote user can cause the firewall's state table to fill up, preventing new connections.
Solution:   No solution was available at the time of this entry.
Vendor URL:  coombs.anu.edu.au/ipfilter/ip-filter.html
Cause:   State error
Underlying OS:   Linux (Any), UNIX (Any)

Message History:   This archive entry has one or more follow-up message(s) listed below.
(Vendor Responds) Re: IP Filter Packet State Error May Let Remote Users Deny Service   (Darren Reed <avalon@coombs.anu.edu.au>)
The vendor has responded to say that this is not an IP Filter bug, but that IP Filter will be improved to better handle the scenario described in the original report.



 Source Message Contents

Date:  Mon, 6 Jan 2003 11:15:40 +0800
Subject:  ipfilter denial of service problem


Below is an ipfilter security issue; my previous mail to the author
Darren bounced back, so I think maybe I should mail it to this
mailing list.

Overview
--
Any time ipfilter sees a packet with the ACK bit set without the previous SYN,
it will mark it as TCPS_ESTABLISHED in its state table, and since
ipfilter will soon notice the RESET packet sent back by the system
application, it will then change its TTL in the state table to 1 minute. OK,
that's good.

But if an attacker sends a packet with the ACK bit set and a bad checksum, ipfilter
will happily add an "ESTABLISHED" session into its state table which
will wait 120 hours to time out instead of the normal 1 minute!

So using this method an evil guy can easily destroy the network
connection of any system with ipfilter installed in a few minutes!


proof of concept
--
[yiming@security.zz.ha.cn]#hping -s ip.of.spoofedandtrusted.box -A
ip.of.target.box  -p 22 -c 1 -b

you will immediately see a long wait TTL of 120 hours, like this

security.zz.ha.cn,1235  server,22     4/0  tcp       1        40
119:59:48

Affected Versions:
--
I've tested the following versions of ipfilter

IP Filter: v3.4.30 

IP Filter: v3.4.29 (400)


A Chinese version of this security issue is at

http://security.zz.ha.cn 

Best wishes!
 
-- 
I want a better life



Yiming Gong 
Senior System Administrator 
China Netcom
yiming@security.zz.ha.cn 
http://security.zz.ha.cn 
0086-371-7934907 



Copyright 2013, SecurityGlobal.net LLC