[Subject Prev][Subject Next][Thread Prev][Thread Next][Subject Index][Thread Index]
IPTables -- Security flaw

To: linux-delhi@xxxxxxxxxxxxxxxxxxxxx
Subject: IPTables -- Security flaw
From: Vivek Karwal <vivek.karwal@xxxxxxxx>
Date: Wed, 25 Apr 2001 10:01:36 +0530 (IST)
------Original Message------
From: Linux_Security@xxxxxxxxxxxxxxx
Sent: April 24, 2001 12:13:09 PM GMT
Subject: IPTables


Security Flaw with Linux 2.4 Kernel and IPTables
By Rick Johnson

Like everyone else, my longing for improved Linux firewalling was
almost unbearable. Thankfully, the 2.4 kernels made IPTables a reality.
For those who haven't experienced the world of IPTables, you are really
missing out. Tempest Security Technologies (http://www.tempest.com/br)
reported a Security flaw in Linux 2.4 IPTables using FTP PORT
(http://www.tempest.com.br/advisories/01-2001.html), breaking our
euphoria. The following paraphrases their advisory.

The attack connects to the FTP server (passing through the firewall)
and uses the PORT commands with arbitrary IP and port parameters; the
normal parameters should be the client's IP and a random port. Most
firewall setups using IPTables include the following rule to allow
established and related connections to pass through:

iptables -A FORWARD -m state --state ESTABLISHED, RELATED -j ACCEPT

The "related" state includes connections such as the FTP data transfer
connections, both active and passive modes. If related connections and
FTP are allowed through the firewall, then the system is most likely
vulnerable. An attacker can establish an FTP connection passing through
a Linux 2.4.x IPTables firewall with the state options
allowing "related" connections, and then insert entries into the
firewall's RELATED ruleset table allowing the FTP Server to connect to
any host and port protected by the firewalls rules, including the
firewall itself.

Linux 2.4.x includes NetFilter, a raw framework for filtering and
mangling packets. IPTables, used for firewalling, is set inside the
NetFilter framework. This setting includes a new connection-tracking
feature, known to some as "stateful inspection". It can maintain four
possible states: ESTABLISHED, NEW, RELATED, and INVALID. We are
interested in the RELATED state, which includes the FTP DATA
connections, active (PORT command), and passive (PASV command).

The module ip_conntrack_ftp analyzes FTP connections that pass through
the firewall, looks for PORT and PASV commands, and includes entries
for those connections in the firewall's connection table. The manner in
which the PORT command is interpreted and processed exposes a security
flaw. Essentially, you can pass any IP/port in an FTP PORT command, and
the module will not validate these parameters, adding an entry to the
RELATED ruleset allowing connections from the FTP server, any source
port, to the specified destination IP and port. In most cases, people
make stringent security rules and have lax firewall rules regarding
RELATED connections, allowing the attacker to connect to anywhere.

This exploit can be used, for example, to connect the FTP server to any
TCP port on the firewall, or any other node protected by the firewall.
Even though rules normally deny this type of traffic, it would pass
through the firewall because of the rule allowing RELATED. The attacker
does not even need a valid log in to the FTP server as the module
interprets the PORT command independently of any authentication
procedures (USER and PASS).

An attacker positioned behind your firewall (i.e., "protected") can
exploit this security flaw. For example, if your firewall protects an
FTP Server and the attacker has compromised it by other means, then
this connection can be used to access the other protected networks.
Alternatively, if your attacker is behind your firewall as a client and
connects to an FTP server on the Internet, then he can use it to allow
this FTP server to connect to other protected networks.

The NetFilter development team has been notified and quickly developed
a patch to fix the issue. Patches are available from:

http://netfilter.samba.org/security-fix/
http://netfilter.gnumonks.org/security-fix/
http://netfilter.filewatcher.org/security-fix/

Even with this exploit, IPTables propels Linux firewalling into the
realm of serious security and is well worth the time to learn.

About the author(s)
-------------------
Rick Johnson is currently involved in a number of projects, none of
which he can discuss at this time. Aren't non-disclosure agreements
wonderful? When not involved with those, he heads the development team
for PMFirewall, an Ipchains Firewall and Masquerading Configuration
Utility for Linux. Rick can be contacted via email at rick@xxxxxxxxxxxx
or on the web at http://www.pointman.org.
________________________________________________________________________________

ADDITIONAL RESOURCES

Installing a firewall, Part 1
Get the details of a secure Trustix 1.1 installation
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2211/LWD111010fwinstall1/

Installing a firewall, Part 2
Tips for configuring secure, lean mail and network services
http://www.itworld.com/jump/linsec_nl/www.itworld.com/App/325/LWD001017fwinstall2/

Installing a firewall, Part 3
The authors tweak Trustix to create a secure firewall and server
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2211/LWD001024fwinstall3/

Means of improved IP security close at hand
http://www.itworld.com/jump/linsec_nl/www.itworld.com/Sec/2199/CWD010416STO59610/
Prev by Subject: an interesting link
Next by Subject: Joining a domain Samba
Previous by thread: Re: GRUB
Next by thread: (fwd) FreeBSD Security Advisory FreeBSD-SA-01:37.slrn
Index(es):
- Subject
- Thread