IPFilter Firewall Race Condition Vulnerability
BID:1308
Info
| Bugtraq ID: | 1308 |
| Class: | Race Condition Error |
| CVE: | |
| Remote: | Yes |
| Local: | No |
| Published: | May 26 2000 12:00AM |
| Updated: | May 26 2000 12:00AM |
| Credit: | Posted to BugTraq on May 26, 2000 by emf <[email protected]> |
| Vulnerable: | Darren Reed IPFilter 3.4.3, Darren Reed IPFilter 3.3.15 |
| Not Vulnerable: | |
Discussion
If an IPFilter ruleset is constructed so that a "return-rst" rule and a "keep state" rule overlap, e.g.:
    block return-rst in proto tcp from A to V
    pass out proto tcp from V' to A' keep state
where A, A', V and V' are hostmasks (which may be "any"), the attacker's address matches A and A', and the victim's address matches V and V', the attacker can exploit a race condition in the state table code. The fault lies in fr_addstate(), which creates a new state entry for the outgoing RST that the "return-rst" rule generates. If a new SYN from the attacker arrives before that entry expires, it matches the entry and is passed through the firewall; the permissiveness of a "pass out all keep state" (or similar) rule then lets the SYN-ACK and every subsequent ACK create further state entries. The attacker merely needs to ignore the RSTs being sent back and keep connecting to the victim.
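As an added illustration (written for this page, not part of the advisory and not IPFilter code), the following Python model replays the sequence described above against a toy state table. With `rst_creates_state=True` the firewall-generated RST is allowed to create a state entry, the behaviour the advisory attributes to fr_addstate(), so the attacker's retried SYN matches that entry and passes; with `rst_creates_state=False` the entry is withheld and the retry is blocked like the first SYN. The hostmasks 10.0.0.0/8 for A/A' and 192.0.2.0/24 for V/V', the 4-tuple, and the 60-second state lifetime are constructed values, and TCP sequence-number tracking is omitted.

```python
"""Toy model of the IPFilter "return-rst" / "keep state" interaction.

Added example for this page, not IPFilter source. It keeps only the
pieces that matter for the bug: a state table keyed by the TCP 4-tuple
(matched in both directions), a per-entry expiry, and a switch deciding
whether a firewall-generated RST may create a state entry. Addresses,
ports and the timeout are constructed values.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Pkt:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flags as letters: S, SA, A, R
    direction: str  # "in" (toward the victim) or "out" (from the victim)


class ToyIPFilter:
    # Ruleset from the advisory, with constructed hostmasks for A and V:
    #   block return-rst in proto tcp from A to V
    #   pass out proto tcp from V' to A' keep state
    def __init__(self, rst_creates_state: bool, state_ttl: int = 60):
        self.rst_creates_state = rst_creates_state   # True models the bug
        self.state_ttl = state_ttl                   # constructed lifetime
        self.state = {}                # (src, sport, dst, dport) -> expiry
        self.A = ip_network("10.0.0.0/8")            # attacker side
        self.V = ip_network("192.0.2.0/24")          # victim side
        self.emitted = []              # packets the firewall itself sends

    def _key(self, p):
        return (p.src, p.sport, p.dst, p.dport)

    def _has_state(self, p, now):
        """State matches in either direction; expired entries are dropped."""
        fwd = self._key(p)
        rev = (p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            exp = self.state.get(key)
            if exp is not None:
                if exp > now:
                    return True
                del self.state[key]
        return False

    def _add_state(self, p, now):
        self.state[self._key(p)] = now + self.state_ttl

    def filter(self, p, now):
        """Return 'pass' or 'block' for packet p seen at time `now`."""
        # The state table is consulted before the rules are walked.
        if self._has_state(p, now):
            return "pass"
        src, dst = ip_address(p.src), ip_address(p.dst)
        if p.direction == "in" and src in self.A and dst in self.V:
            # block return-rst: drop it and answer with a RST from V to A.
            rst = Pkt(p.dst, p.dport, p.src, p.sport, "R", "out")
            self.emitted.append(rst)
            if self.rst_creates_state:
                # The bug: the RST gets a state entry like a passed packet.
                self._add_state(rst, now)
            return "block"
        if p.direction == "out" and src in self.V and dst in self.A:
            self._add_state(p, now)        # pass out ... keep state
            return "pass"
        return "block"


def attack(rst_creates_state: bool, delay: int):
    """Attacker sends a SYN, ignores the RST, and resends the same SYN
    `delay` seconds later. Returns the verdicts on the first SYN, the
    retried SYN, and the victim's SYN-ACK ('n/a' if the retry was blocked)."""
    fw = ToyIPFilter(rst_creates_state)
    syn = Pkt("10.0.0.1", 40000, "192.0.2.10", 22, "S", "in")
    synack = Pkt("192.0.2.10", 22, "10.0.0.1", 40000, "SA", "out")
    first = fw.filter(syn, now=0)
    second = fw.filter(syn, now=delay)     # same 4-tuple, RST ignored
    reply = fw.filter(synack, now=delay) if second == "pass" else "n/a"
    return first, second, reply


if __name__ == "__main__":
    print("buggy, retry inside TTL :", attack(True, 5))
    print("buggy, retry after TTL  :", attack(True, 120))
    print("RST makes no state      :", attack(False, 5))
```

The retry only succeeds while the RST-created entry is alive, which is the race the advisory describes; an attacker who keeps retransmitting SYNs on the same port pair will land inside that window. Once the RST no longer creates state, the second SYN is evaluated by the rules again and blocked exactly like the first.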
Exploit / POC
Currently the SecurityFocus staff are not aware of any exploits for this issue. If you feel we are in error or are aware of more recent information, please mail us at: [email protected] .