gabriel rosenkoetter on Thu, 30 Jan 2003 13:50:31 -0500



Re: [PLUG] firewall risk


On Thu, Jan 30, 2003 at 11:57:05AM -0500, Jeff Abrahamson wrote:
> So I could listen to no ports whatsoever and be compromised? How
> would that work?

Even if you have no daemon listening, I can send packets (to *any*
port) that your kernel's IP stack has to do *something* with.

If my payload's right and your kernel version's right, I can win
that fight with ease, and there's nothing any software running at
user level can do about it. Even if you're running a local firewall
on that system, you're still screwed.

This isn't the same as a DDoS (you're vulnerable to that dependent
on the size of your pipe to the Internet and your upstream service
provider's filtering; filtering packets at your firewall cannot help
that situation if your bandwidth is saturated), it's a bug in kernel
networking code that leads to a compromise, probably through a buffer
overflow in that kernel's IP stack.

These bugs have been LONG fixed in the Linux networking code. That
doesn't mean there aren't more we don't know about yet, but the ones
we know about are certainly fixed in the latest rendition of 2.2 and
above kernels.

I don't have a specific example handy and I'm at work right now
without the time to do so, but I can probably go find one (plausibly
just theoretical, not an actual exploit, since I don't know that
any of the latter were ever released publicly) in the securityfocus.com
archives, if you'd like me to.

I *know* that it is possible to do this to NeXTStep 3.x, and that
there is no (nor will there ever be) a fix for that (NeXT Computer
being out of business and all), as they use a flawed 4.2 BSD IP
stack. I've seen it exploited. Which is why my NeXTs will never
receive traffic from the outside world except through TCP connections
they establish (until I get NetBSD running on them, I guess).

-- 
gabriel rosenkoetter
gr@eclipsed.net

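The mitigation described at the end of the message (the hosts only ever receive traffic belonging to TCP connections they opened themselves) is what a stateful packet filter enforces. The following is an added illustration, not code from the list post, modelling that policy over a few constructed packet records: an outbound SYN creates connection state, inbound packets are allowed only when they match that state, and everything else (including probes at closed ports, which the IP stack would otherwise still have to parse) is dropped. The Packet record, the host address 192.0.2.10 and the peers 203.0.113.5 and 198.51.100.7 are assumptions made up for the example.

```python
from dataclasses import dataclass
from typing import List, Set, Tuple

@dataclass(frozen=True)
class Packet:
    direction: str   # "out" (host -> Internet) or "in" (Internet -> host)
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""  # TCP flags as letters, e.g. "S", "SA", "A", "R"

class EstablishedOnlyFilter:
    """Allow inbound traffic only on TCP connections this host initiated."""

    def __init__(self, host_ip: str) -> None:
        self.host_ip = host_ip
        # Tracked connections as (local_ip, local_port, remote_ip, remote_port)
        self.conns: Set[Tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "out":
            # A bare SYN leaving the host opens a new connection entry.
            if pkt.proto == "tcp" and "S" in pkt.flags and "A" not in pkt.flags:
                self.conns.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # Inbound: the reversed 4-tuple must already be tracked.
        key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if pkt.proto == "tcp" and key in self.conns:
            if "R" in pkt.flags:      # peer reset: forget the connection
                self.conns.discard(key)
            return "allow"
        # Unsolicited traffic, whatever the port, never reaches the host.
        return "drop"

# Constructed sample traffic: one legitimate outbound web connection,
# then three unsolicited inbound packets aimed at arbitrary ports.
SAMPLE: List[Packet] = [
    Packet("out", "tcp", "192.0.2.10", 40000, "203.0.113.5", 80, "S"),
    Packet("in", "tcp", "203.0.113.5", 80, "192.0.2.10", 40000, "SA"),
    Packet("in", "udp", "198.51.100.7", 1234, "192.0.2.10", 53),
    Packet("in", "tcp", "198.51.100.7", 5555, "192.0.2.10", 22, "S"),
    Packet("in", "tcp", "203.0.113.5", 80, "192.0.2.10", 40001, "A"),
]

def run_filter(packets: List[Packet], host_ip: str = "192.0.2.10") -> List[str]:
    f = EstablishedOnlyFilter(host_ip)
    return [f.decide(p) for p in packets]

if __name__ == "__main__":
    for p, verdict in zip(SAMPLE, run_filter(SAMPLE)):
        print(f"{verdict:5} {p.direction:3} {p.proto} {p.src}:{p.sport} -> {p.dst}:{p.dport}")
```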