
BSD TCP/IP Broadcast Connection Check Vulnerability


Published: 2002-03-21
Updated: 2002-03-21
Severity:
Threat level: Other
Bug type: Design error
Exploitation mode: Server mode

BUGTRAQ ID:4309

Affected systems
FreeBSD FreeBSD 2.0
FreeBSD FreeBSD 2.0.5
FreeBSD FreeBSD 2.1
FreeBSD FreeBSD 2.1.5
FreeBSD FreeBSD 2.1.6.1
FreeBSD FreeBSD 2.1.6
FreeBSD FreeBSD 2.1.7.1
FreeBSD FreeBSD 2.2
FreeBSD FreeBSD 2.2.2
FreeBSD FreeBSD 2.2.3
FreeBSD FreeBSD 2.2.4
FreeBSD FreeBSD 2.2.5
FreeBSD FreeBSD 2.2.6
FreeBSD FreeBSD 2.2.8
FreeBSD FreeBSD 3.0
FreeBSD FreeBSD 3.1
FreeBSD FreeBSD 3.2
FreeBSD FreeBSD 3.3
FreeBSD FreeBSD 3.4
FreeBSD FreeBSD 3.5
FreeBSD FreeBSD 3.5.1
FreeBSD FreeBSD 4.0
FreeBSD FreeBSD 4.1
FreeBSD FreeBSD 4.1.1
FreeBSD FreeBSD 4.2
FreeBSD FreeBSD 4.3
FreeBSD FreeBSD 4.4
FreeBSD FreeBSD 4.5
FreeBSD FreeBSD 5.0
NetBSD NetBSD 1.0
NetBSD NetBSD 1.1
NetBSD NetBSD 1.2
NetBSD NetBSD 1.2.1
NetBSD NetBSD 1.3
NetBSD NetBSD 1.3.1
NetBSD NetBSD 1.3.2
NetBSD NetBSD 1.3.3
NetBSD NetBSD 1.4
NetBSD NetBSD 1.4.1 x86
NetBSD NetBSD 1.4.1 SPARC
NetBSD NetBSD 1.4.1 sh3
NetBSD NetBSD 1.4.1 arm32
NetBSD NetBSD 1.4.1 Alpha
NetBSD NetBSD 1.4.1
NetBSD NetBSD 1.4.2 x86
NetBSD NetBSD 1.4.2 SPARC
NetBSD NetBSD 1.4.2 arm32
NetBSD NetBSD 1.4.2 Alpha
NetBSD NetBSD 1.4.2
NetBSD NetBSD 1.4.3
NetBSD NetBSD 1.5 x86
NetBSD NetBSD 1.5 sh3
NetBSD NetBSD 1.5
NetBSD NetBSD 1.5.1
NetBSD NetBSD 1.5.2
OpenBSD OpenBSD 2.0
OpenBSD OpenBSD 2.1
OpenBSD OpenBSD 2.2
OpenBSD OpenBSD 2.3
OpenBSD OpenBSD 2.4
OpenBSD OpenBSD 2.5
OpenBSD OpenBSD 2.6
OpenBSD OpenBSD 2.7
OpenBSD OpenBSD 2.8
OpenBSD OpenBSD 2.9
OpenBSD OpenBSD 3.0
Detailed description
A vulnerability exists in the TCP/IP implementation of BSD-derived systems, including FreeBSD, NetBSD and OpenBSD.

RFC 1122 requires a TCP implementation to silently discard incoming SYN segments whose destination is a broadcast or multicast address. The vulnerable BSD implementations drop such packets only on the basis of the link-layer broadcast/multicast indication, without checking the destination IP address itself, so a SYN whose IP destination is a broadcast address can be accepted when the link layer did not mark the frame as broadcast.
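The check the patches below add (IN_MULTICAST(...) || in_broadcast(...)) can be illustrated outside the kernel. The following is an added example, not code from the advisory or from any BSD source tree: it models the pre-patch decision, which trusts only the link-layer flags, next to the patched decision, which also classifies the destination IPv4 address. The M_BCAST/M_MCAST values, the `struct iface` stand-in for the receiving interface and the broadcast rules are assumptions chosen for the illustration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Link-layer flags in the spirit of the BSD mbuf header.
 * Assumed values for this example, not the kernel's constants. */
#define M_BCAST 0x1u
#define M_MCAST 0x2u

/* Minimal stand-in for the receiving interface's IPv4 configuration
 * (the real in_broadcast() walks the interface's address list). */
struct iface {
    uint32_t addr;   /* host byte order */
    uint32_t mask;   /* host byte order */
};

static uint32_t ip4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) |
           ((uint32_t)c << 8)  | (uint32_t)d;
}

/* Equivalent of IN_MULTICAST(): 224.0.0.0/4. */
bool ipv4_is_multicast(uint32_t dst) {
    return (dst & 0xF0000000u) == 0xE0000000u;
}

/* Simplified in_broadcast() for one interface: the limited broadcast
 * 255.255.255.255 and INADDR_ANY, plus the interface's subnet-directed
 * broadcast and the old all-zeros host form on a non-/32 interface. */
bool ipv4_is_broadcast(uint32_t dst, const struct iface *ifp) {
    uint32_t subnet = ifp->addr & ifp->mask;
    uint32_t bcast  = subnet | ~ifp->mask;

    if (dst == 0xFFFFFFFFu || dst == 0u)
        return true;
    if (ifp->mask != 0xFFFFFFFFu && (dst == bcast || dst == subnet))
        return true;
    return false;
}

/* Pre-patch decision: drop only when the link layer flagged the frame. */
bool drop_syn_flags_only(unsigned m_flags) {
    return (m_flags & (M_BCAST | M_MCAST)) != 0;
}

/* Patched decision: link-layer flags OR the IP destination itself,
 * mirroring IN_MULTICAST(ip->ip_dst) || in_broadcast(ip->ip_dst, rcvif). */
bool drop_syn_patched(unsigned m_flags, uint32_t dst, const struct iface *ifp) {
    return drop_syn_flags_only(m_flags)
        || ipv4_is_multicast(dst)
        || ipv4_is_broadcast(dst, ifp);
}

/* Constructed case: a SYN addressed to the subnet-directed broadcast
 * 192.168.1.255 that arrived in a frame without M_BCAST set. Returns true
 * when the flags-only check accepts it while the patched check drops it,
 * which is exactly the gap the fix closes. */
bool demo_fix_closes_gap(void) {
    struct iface eth0 = { ip4(192, 168, 1, 10), ip4(255, 255, 255, 0) };
    uint32_t dst = ip4(192, 168, 1, 255);
    return !drop_syn_flags_only(0) && drop_syn_patched(0, dst, &eth0);
}

int main(void) {
    struct iface eth0 = { ip4(192, 168, 1, 10), ip4(255, 255, 255, 0) };
    uint32_t dst = ip4(192, 168, 1, 255);

    printf("flags-only check: %s\n",
           drop_syn_flags_only(0) ? "drop" : "accept");
    printf("patched check:    %s\n",
           drop_syn_patched(0, dst, &eth0) ? "drop" : "accept");
    return 0;
}
```

The point of the two functions side by side is that the link-layer flag and the IP destination are independent facts: a frame can reach the host with a unicast MAC destination while carrying a broadcast IP destination, and only a check on the IP header catches that combination.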

Test code
None available

Solution
Patch for NetBSD (tested):

Index: src/sys/netinet/tcp_input.c
===================================================================
RCS file: /export/netbsd/ncvs/syssrc/sys/netinet/tcp_input.c,v
retrieving revision 1.108.4.10
diff -u -r1.108.4.10 tcp_input.c
--- src/sys/netinet/tcp_input.c    24 Jan 2002 22:44:21 -0000    1.108.4.10
+++ src/sys/netinet/tcp_input.c    16 Mar 2002 23:14:14 -0000
@@ -677,7 +677,8 @@
         * Make sure destination address is not multicast.
         * Source address checked in ip_input().
         */
-        if (IN_MULTICAST(ip->ip_dst.s_addr)) {
+        if (IN_MULTICAST(ip->ip_dst.s_addr) ||
+            in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) {
            /* XXX stat */
            goto drop;
        }
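Review bot: the comment above this condition still reads "Make sure destination address is not multicast", but the condition now also rejects broadcast destinations; update it to say "not multicast or broadcast" (the OpenBSD hunk's "RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN" wording would do). The "/* XXX stat */" placeholder on the drop path also remains, so these drops are still not counted anywhere; consider bumping a drop statistic there so that a flood of broadcast-addressed SYNs is visible to operators.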
@@ -2183,6 +2184,11 @@
     */
    if (tiflags & TH_RST)
        goto drop;
+
+    if (IN_MULTICAST(ip->ip_dst.s_addr) ||
+        in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
+        goto drop;
+
     {
    /*
     * need to recover version # field, which was overwritten on
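Review bot: the added check dereferences ip->ip_dst unconditionally, whereas the OpenBSD hunks place the same test inside "case AF_INET:" of an address-family switch (under "#endif /* INET6 */"). Please confirm that ip is always valid at this point on INET6-enabled kernels, or guard the check by address family as the OpenBSD patch does. A one-line comment explaining why the check at the first hunk does not already cover this path (and citing RFC 1122 4.2.3.10) would also help the next reader.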


Patch for OpenBSD (untested, problem not verified):

Index: src/sys/netinet/tcp_input.c
===================================================================
RCS file: /export/openbsd/ncvs/src/sys/netinet/tcp_input.c,v
retrieving revision 1.109
diff -u -r1.109 tcp_input.c
--- src/sys/netinet/tcp_input.c    15 Mar 2002 18:19:52 -0000    1.109
+++ src/sys/netinet/tcp_input.c    17 Mar 2002 01:08:35 -0000
@@ -1080,8 +1080,6 @@

        /*
         * RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN
-         * in_broadcast() should never return true on a received
-         * packet with M_BCAST not set.
         */
        if (m->m_flags & (M_BCAST|M_MCAST))
            goto drop;
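Review bot: the two deleted comment lines ("in_broadcast() should never return true on a received packet with M_BCAST not set") stated exactly the assumption this patch invalidates, so removing them is right; consider replacing them with a short note that the M_BCAST|M_MCAST test is only a fast path and that the address-level IN_MULTICAST/in_broadcast check in the AF_INET case below is the authoritative one, so that the link-layer shortcut is not reintroduced later.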
@@ -1094,7 +1092,8 @@
            break;
#endif /* INET6 */
        case AF_INET:
-            if (IN_MULTICAST(ip->ip_dst.s_addr))
+            if (IN_MULTICAST(ip->ip_dst.s_addr) ||
+                in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif)) {
                goto drop;
            break;
        }
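Review bot: the trailing "{" added to the second "+" line of this hunk is unmatched. Before the change the sequence was "if (...) goto drop; break; }" with the closing brace ending the switch; with the new "{" the "break;" moves inside the if body behind "goto drop;" (unreachable) and the existing "}" now closes the if block, leaving the switch unterminated, so this will not compile as written. Drop the "{" so the hunk matches the third hunk, which adds the same condition without a brace. This is consistent with the patch being labelled "untested" above.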
@@ -2139,7 +2138,8 @@
        break;
#endif /* INET6 */
    case AF_INET:
-        if (IN_MULTICAST(ip->ip_dst.s_addr))
+        if (IN_MULTICAST(ip->ip_dst.s_addr) ||
+            in_broadcast(ip->ip_dst, m->m_pkthdr.rcvif))
            goto drop;
    }
    if (tiflags & TH_ACK) {
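Review bot: the condition added here carries no comment, unlike the first hunk, which keeps the "RFC1122 4.2.3.10, p. 104: discard bcast/mcast SYN" reference; add the same citation so a reader of this later path (just before the TH_ACK handling) knows why broadcast destinations are rejected again here.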

Related information
Crist J. Clark <cjclark@alum.mit.edu>
References: http://online.securityfocus.com/archive/1/262733
http://www.freebsd.org/cgi/query-pr.cgi?pr=35022