Security problem with reassembly timeout packet exposing data?

From: Theron Tock (theron-linux@tock.com)
Date: Thu Nov 30 2000 - 00:33:53 EST


While debugging a problem with my ipchains rules, I think I've uncovered
a bug in the fragment reassembly timeout code that exposes random
strings from kernel memory. The last 20 bytes of the fragment
reassembly timeout packet don't appear to be initialized and hence carry
random pieces of kernel data to the outside world.

I ran into the problem because I wasn't allowing fragments through the
ipchains rules, and a machine was trying to deliver mail with packets
that had been fragmented. After waiting 30 seconds, the kernel would
send back an "ip reassembly time exceeded" packet that contained the data
from the first fragment. However, some suspicious looking stuff was
showing up at the end of the packets. Here are the last 76 bytes from
three such reassembly timeout packets. The machine is also a webserver
so the strings that are showing up at the end are quite reasonably parts
of other packets sent to other clients:

0x01e0 0d0a 4d65 7373 6167 652d 4944 3a20 3c39 ..Message-ID:.<9
0x01f0 3231 3245 3543 4546 4444 3544 3331 3141 212E5CEFDD5D311A
0x0200 3032 3430 3035 3038 4237 3243 3546 3330 02400508B72C5F30
0x0210 3142 4536 4542 3040 6769 6600 fa20 fe39 1BE6EB0@gif....9
0x0220 fa20 fe39 0100 0000 0000 0000 ...9........

0x01e0 0d0a 4d65 7373 6167 652d 4944 3a20 3c39 ..Message-ID:.<9
0x01f0 3231 3245 3543 4546 4444 3544 3331 3141 212E5CEFDD5D311A
0x0200 3032 3430 3035 3038 4237 3243 3546 3330 02400508B72C5F30
0x0210 3142 4536 4542 3040 2044 7269 7669 6e67 1BE6EB0@.Driving
0x0220 2044 6972 6563 7469 6f6e 7300 .Directions.

0x01e0 0d0a 4d65 7373 6167 652d 4944 3a20 3c39 ..Message-ID:.<9
0x01f0 3231 3245 3543 4546 4444 3544 3331 3141 212E5CEFDD5D311A
0x0200 3032 3430 3035 3038 4237 3243 3546 3330 02400508B72C5F30
0x0210 3142 4536 4542 3040 6474 3d39 3236 3826 1BE6EB0@dt=9268&
0x0220 6c6b 3d68 7474 7025 3341 2f2f lk=http%3A//

I'm using Redhat 6.2, which reports itself as:
 kernel: Linux version 2.2.14-5.0smp (root@porky.devel.redhat.com) (gcc
version egcs-2.91.66 19990314/Linux (egcs-1.1.2 release)) #1 SMP Tue Mar
7 21:01:40 EST 2000

An attacker could send lots of first-fragment packets to a machine and
hope to get back passwords or other sensitive information from the last
20 bytes of the timeout packets. And since there is no log of this
event, the only way you could tell if this attack was occurring was if
you were actively snooping the net for such packets.

-Theron
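The post notes that nothing is logged when these replies go out, so the only way to notice the problem is to look at the packets themselves. The following is an added example, not code from the post or from the kernel: a passive check a monitor could apply to captured ICMPv4 messages. It parses a Time Exceeded message (type 11, code 1, "fragment reassembly time exceeded"), locates the quoted original datagram, and reports any bytes that follow the end of that datagram as declared by its own IP total length field. A conforming reply has nothing there, so trailing bytes that vary between otherwise identical replies are the symptom described above. All packet bytes, addresses and the "leaked" tail are constructed for the example.

```python
"""Triage helper for ICMP "fragment reassembly time exceeded" replies.

Added example (not from the original post). Parses an ICMPv4 Time Exceeded
message, finds the quoted IP datagram inside it and returns whatever bytes
the sender appended beyond that datagram's declared total length.
"""
import struct

ICMP_TIME_EXCEEDED = 11   # ICMP type
ICMP_EXC_FRAGTIME = 1     # code 1: fragment reassembly time exceeded


def parse_ipv4_header(buf):
    """Return (header_len, total_length, protocol, frag_offset, more_fragments)."""
    if len(buf) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_length, _ident, flags_frag, _ttl, proto = \
        struct.unpack("!BBHHHBB", buf[:10])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    header_len = (ver_ihl & 0x0F) * 4
    more_fragments = bool(flags_frag & 0x2000)
    frag_offset = (flags_frag & 0x1FFF) * 8
    return header_len, total_length, proto, frag_offset, more_fragments


def icmp_checksum(data):
    """Standard ones-complement checksum over 16-bit words (RFC 792)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def excess_bytes(icmp_msg):
    """Bytes after the quoted datagram in a reassembly-timeout reply.

    Returns None for any other ICMP type/code or when the quote is truncated
    (nothing to examine); returns b"" for a conforming reply.
    """
    if len(icmp_msg) < 8:
        return None
    if icmp_msg[0] != ICMP_TIME_EXCEEDED or icmp_msg[1] != ICMP_EXC_FRAGTIME:
        return None
    quoted = icmp_msg[8:]  # 8-byte ICMP header, then the quoted datagram
    header_len, total_length, _p, _off, _mf = parse_ipv4_header(quoted)
    if total_length < header_len or len(quoted) < total_length:
        return None
    return quoted[total_length:]


def printable_runs(data, min_len=4):
    """Runs of printable ASCII of at least min_len bytes, like strings(1)."""
    runs, cur = [], []
    for b in data:
        if 32 <= b < 127:
            cur.append(chr(b))
        else:
            if len(cur) >= min_len:
                runs.append("".join(cur))
            cur = []
    if len(cur) >= min_len:
        runs.append("".join(cur))
    return runs


def triage(icmp_msg):
    """One-line log record for a suspicious reply, or None if unremarkable."""
    extra = excess_bytes(icmp_msg)
    if not extra:
        return None
    return ("suspicious ICMP time-exceeded: %d bytes beyond quoted datagram, "
            "strings=%r" % (len(extra), printable_runs(extra)))


# --- constructed sample packets (hypothetical addresses 10.0.0.1 -> 10.0.0.2) ---
def build_inner_fragment(payload, more_fragments=True):
    """A first fragment (offset 0, MF set) of a TCP datagram, 20-byte header."""
    flags_frag = 0x2000 if more_fragments else 0
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234,
                      flags_frag, 64, 6, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


def build_time_exceeded(inner, trailing=b""):
    """ICMP Time Exceeded / reassembly reply quoting `inner`, plus `trailing`."""
    body = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, ICMP_EXC_FRAGTIME, 0, 0) + inner + trailing
    return body[:2] + struct.pack("!H", icmp_checksum(body)) + body[4:]


SAMPLE_FRAGMENT = build_inner_fragment(b"FRAGMENT")
# Constructed stand-in for 20 uninitialised bytes; not the post's real data.
LEAK_STANDIN = b"\xfa\x20\xfe\x01Directions\x00\x01\x00\x00\x00\x00"
LEAKY_REPLY = build_time_exceeded(SAMPLE_FRAGMENT, LEAK_STANDIN)
CLEAN_REPLY = build_time_exceeded(SAMPLE_FRAGMENT)

if __name__ == "__main__":
    for name, pkt in (("clean", CLEAN_REPLY), ("leaky", LEAKY_REPLY)):
        print(name, triage(pkt))
```

The check keys on the quoted datagram's own total length rather than on the RFC 792 minimum (IP header plus 8 bytes), so it does not flag senders that legitimately quote the whole fragment; only bytes past the fragment's declared end are reported, and the extracted strings give a quick sense of whether they look like unrelated traffic, as in the dumps above.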
-
To unsubscribe from this list: send the line "unsubscribe linux-net" in
the body of a message to majordomo@vger.kernel.org



This archive was generated by hypermail 2b29 : Thu Nov 30 2000 - 21:00:29 EST