Security
Tracing behind the firewall
A new tool, 0trace, that can sometimes peek through a firewall and provide information about the hosts and addresses living behind it was recently released. The tool itself is in a rough, proof-of-concept form, but it can provide interesting results that are likely unexpected by the network administrator. Understanding how 0trace accomplishes this feat requires a bit of firewall background.
Many firewalls use Network Address Translation (NAT) to multiplex multiple internal computers over one external, routable IP address. When an internal host makes a connection to the outside world, the NAT device rewrites the addresses in the packets so that the external host believes it is talking to the firewall itself rather than the actual host (which typically has an address in private, non-routable IP space). In order to do that, the NAT device records information about the connection: the IP addresses of the internal and external hosts as well as the port numbers. It is this table of established connections that 0trace exploits in order to do its work.
The basic scheme is much the same as traceroute: 0trace sends packets with increasing time-to-live (TTL) values and listens for the ICMP "time exceeded" responses to determine which hosts the packets have traversed. The difference is that 0trace piggybacks its probes on an established TCP connection. Because many NAT and stateful firewall implementations do not closely examine packets that belong to a connection they already track, the probes are passed inward, and the responses, even those generated by internal hosts, are forwarded back out.
Users of traceroute are familiar with the '*' character that gets printed when there is no response from one of the hops; tracing a route these days typically ends in a series of hops without a response, resulting in several rows of '* * *'. These are often systems behind firewalls which filter out the probe packets that traceroute sends because they are not associated with any connection the firewall knows about. The example in the announcement shows 0trace output from a scan of www.ebay.com with several internal IP addresses appearing past the point where the traceroute output stops.
In order to run 0trace, one must first establish a connection with the host of interest. Using telnet to port 80 is one way to go about that; once the connection is established, the 0trace shell script is run. That script sets up a tcpdump to grab the traffic to and from the supplied IP address and then waits. The user must generate some traffic at this point; typing 'GET / HTTP/1.0' followed by a single return is a good way to do that, since the request is left incomplete (no terminating blank line) and the server keeps the connection open while it waits for the rest. 0trace analyzes the TCP packet dump to retrieve the sequence and acknowledgment numbers from the conversation; the shell script then passes those off to the 0trace C program (sendprobe). Using the proper sequence/ack numbers from the established connection further disguises the 0trace traffic as a legitimate part of the conversation.
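The mechanical steps above, as an added Python example that is not 0trace's own code: recover the live sequence and acknowledgment numbers for the connection from a tcpdump capture, build IPv4/TCP probe segments that carry them with increasing TTL, match an ICMP "time exceeded" reply back to the probe that caused it, and model the connection-table check that lets such probes through a stateful device. The embedded capture is constructed (addresses from the documentation ranges, made-up ports and sequence numbers) and the regular expression assumes the line layout of a current tcpdump run with -n -S; actually sending the probes needs a raw socket and root, which the code points out but does not do, so it runs offline.

```python
"""Piggybacking traceroute probes on an established TCP connection.

Added example, not 0trace's own code: recover the live sequence/ack numbers
from tcpdump output, build IPv4/TCP probes with increasing TTL that carry
them, match ICMP "time exceeded" replies back to a probe, and model why a
stateful filter lets the probes through.  Builds and checks packets only.
"""
import re
import socket
import struct

# Constructed sample of `tcpdump -nS` (absolute sequence numbers) output for
# an HTTP session; the addresses, ports and sequence numbers are made up.
SAMPLE_TCPDUMP = """\
12:00:00.000100 IP 192.0.2.10.40123 > 203.0.113.5.80: Flags [S], seq 1000000, win 5840, options [mss 1460], length 0
12:00:00.000200 IP 203.0.113.5.80 > 192.0.2.10.40123: Flags [S.], seq 2000000, ack 1000001, win 5792, options [mss 1460], length 0
12:00:00.000300 IP 192.0.2.10.40123 > 203.0.113.5.80: Flags [.], ack 2000001, win 5840, length 0
12:00:03.500000 IP 192.0.2.10.40123 > 203.0.113.5.80: Flags [P.], seq 1000001:1000017, ack 2000001, win 5840, length 16
12:00:03.500500 IP 203.0.113.5.80 > 192.0.2.10.40123: Flags [.], ack 1000017, win 5792, length 0
"""

# Assumes the line layout of tcpdump 4.x; older releases print "P 1:17(16) ack 1".
_LINE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]"
    r"(?:, seq (?P<seq_lo>\d+)(?::(?P<seq_hi>\d+))?)?(?:, ack (?P<ack>\d+))?"
)

def connection_state(dump, local_ip, remote_ip):
    """Return (sport, dport, next_seq, ack) for the local -> remote direction.
    next_seq is the first byte not yet sent (end of the last data segment, or
    SYN + 1), so a probe carrying it sits inside the peer's receive window."""
    sport = dport = seq = ack = None
    for line in dump.splitlines():
        m = _LINE.search(line)
        if not m or m["src"] != local_ip or m["dst"] != remote_ip:
            continue
        sport, dport = int(m["sport"]), int(m["dport"])
        if m["seq_hi"]:
            seq = int(m["seq_hi"])
        elif m["seq_lo"] and "S" in m["flags"]:
            seq = int(m["seq_lo"]) + 1  # the SYN itself occupies one sequence number
        if m["ack"]:
            ack = int(m["ack"])
    if seq is None or ack is None:
        raise ValueError("no established connection seen in capture")
    return sport, dport, seq, ack

def _checksum(data):
    """RFC 1071 one's-complement sum, shared by the IPv4 and TCP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF

def build_probe(src_ip, dst_ip, sport, dport, seq, ack, ttl):
    """One IPv4 + TCP ACK segment carrying the connection's real seq/ack.
    The IP identification field is set to the TTL so the header quoted in an
    ICMP "time exceeded" reply identifies the probe it answers."""
    src, dst = socket.inet_aton(src_ip), socket.inet_aton(dst_ip)
    tcp = struct.pack("!HHIIBBHHH", sport, dport, seq & 0xFFFFFFFF,
                      ack & 0xFFFFFFFF, 5 << 4, 0x10, 5840, 0, 0)
    pseudo = struct.pack("!4s4sBBH", src, dst, 0, socket.IPPROTO_TCP, len(tcp))
    tcp = tcp[:16] + struct.pack("!H", _checksum(pseudo + tcp)) + tcp[18:]
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), ttl, 0x4000,
                     ttl, socket.IPPROTO_TCP, 0, src, dst)
    return ip[:10] + struct.pack("!H", _checksum(ip)) + ip[12:] + tcp

def probe_sweep(src_ip, dst_ip, sport, dport, seq, ack, max_ttl=30):
    """Probes for TTL 1..max_ttl; send with socket(AF_INET, SOCK_RAW, IPPROTO_RAW)."""
    return [(ttl, build_probe(src_ip, dst_ip, sport, dport, seq, ack, ttl))
            for ttl in range(1, max_ttl + 1)]

def checksums_ok(packet):
    """Both header checksums verify (the sum over correctly checksummed data is 0)."""
    ip, tcp = packet[:20], packet[20:]
    pseudo = struct.pack("!4s4sBBH", ip[12:16], ip[16:20], 0, ip[9], len(tcp))
    return _checksum(ip) == 0 and _checksum(pseudo + tcp) == 0

def hop_from_time_exceeded(icmp_msg):
    """Map an ICMP type 11 message back to (ttl, sport, dport) of our probe;
    routers quote the original IP header plus at least 8 bytes of payload."""
    if icmp_msg[0] != 11:
        return None
    quoted = icmp_msg[8:]
    (ident,) = struct.unpack("!H", quoted[4:6])
    sport, dport = struct.unpack("!HH", quoted[20:24])
    return ident, sport, dport

def stateful_filter_passes(conntrack, packet):
    """Toy model of the firewall decision the article describes: a packet
    passes if its 5-tuple is already in the connection table.  TTL, sequence
    numbers and flags are not consulted, which is what 0trace relies on."""
    ip, tcp = packet[:20], packet[20:]
    src, dst = socket.inet_ntoa(ip[12:16]), socket.inet_ntoa(ip[16:20])
    sport, dport = struct.unpack("!HH", tcp[:4])
    return (src, sport, dst, dport, ip[9]) in conntrack
```

With the sample capture, connection_state() yields ports 40123 and 80, next sequence number 1000017 (the end of the 16-byte request) and ack 2000001; the probes built from those numbers pass the toy connection-table check, while a traceroute-style probe to an untracked port does not, which is exactly the difference between the '* * *' rows of ordinary traceroute and 0trace's output.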
This technique is not new; the author, Michal Zalewski, credits a number of other people in the announcement and the ensuing thread, but this is likely the first public implementation. The implementation is very dependent on the exact format of tcpdump output and is rather fragile because of that, but it is an interesting proof of concept, and Zalewski invites interested people to improve upon it. Using it against hosts without permission may be illegal in some jurisdictions, so one should exercise care before running it. It does show a weakness in current NAT and stateful firewall implementations that will likely need to be addressed; the countermeasures are the same ones used against ordinary traceroute, namely raising or normalizing the TTL of inbound packets (as pf's scrub min-ttl option does) so that internal hops never expire them, or blocking ICMP "time exceeded" messages that originate from internal addresses.
New vulnerabilities
avahi: denial of service
Package(s): avahi
CVE #(s): CVE-2006-6870
Created: January 5, 2007
Updated: January 15, 2007
Description: A flaw was discovered in Avahi's handling of compressed DNS packets. If a specially crafted reply were received over the network, the Avahi daemon would go into an infinite loop, causing a denial of service.
Alerts:
drupal: code injection
Package(s): drupal
CVE #(s): (none assigned)
Created: January 10, 2007
Updated: January 10, 2007
Description: A failure to properly sanitize arguments allows an attacker to inject code into a Drupal system (advisory). There is also a denial of service vulnerability exploitable by users with the ability to post content on the site (advisory).
Alerts:
fetchmail: password disclosure and DoS
Package(s): fetchmail
CVE #(s): CVE-2006-5867 CVE-2006-5974
Created: January 10, 2007
Updated: March 16, 2007
Description: Fetchmail suffers from a password disclosure vulnerability, since in some configurations it fails to enforce the use of TLS/SSL and will send the password in cleartext (advisory), and from a denial of service vulnerability (advisory).
Alerts:
geoip: path traversal
Package(s): geoip
CVE #(s): CVE-2007-0159
Created: January 10, 2007
Updated: January 24, 2007
Description: The GeoIP update client fails to sanity-check the filenames returned by the update server, so a malicious or compromised server can write files outside the intended directory (path traversal).
Alerts:
kernel: multiple vulnerabilities
Package(s): kernel
CVE #(s): CVE-2006-5749 CVE-2006-4814 CVE-2006-6106
Created: January 5, 2007
Updated: January 8, 2009
Description: A security issue has been reported in the Linux kernel due to an error in drivers/isdn/i4l/isdn_ppp.c: the isdn_ppp_ccp_reset_alloc_state() function never initializes an event timer before scheduling it with add_timer() (CVE-2006-5749). The mincore() system call does not properly lock access to user space, which has an unspecified impact and attack vectors, possibly related to a deadlock (CVE-2006-4814). Another vulnerability is caused by a boundary error in the handling of incoming CAPI messages in net/bluetooth/cmtp/capi.c; it can be exploited to overwrite certain kernel data structures (CVE-2006-6106).
Alerts:
krb5: uninitialized pointers
Package(s): krb5
CVE #(s): CVE-2006-6143 CVE-2006-3084
Created: January 10, 2007
Updated: July 7, 2010
Description: The kadmind daemon can, in some situations, perform operations on uninitialized pointers. This bug could conceivably open up the system to a code execution attack by an unauthenticated remote attacker, but it appears to be difficult to exploit. See this advisory for details.
Alerts:
openoffice.org: integer overflows
Package(s): openoffice.org
CVE #(s): CVE-2006-5870
Created: January 4, 2007
Updated: January 13, 2007
Description: The OpenOffice.org WMF file processor has several integer overflow bugs. Maliciously crafted WMF files can be used to cause OpenOffice.org to execute arbitrary code when the files are opened by a user.
Alerts:
proftpd: denial of service
Package(s): proftpd
CVE #(s): CVE-2005-4816
Created: January 10, 2007
Updated: January 10, 2007
Description: The proftpd FTP server is vulnerable to a denial of service attack when RADIUS authentication (mod_radius) is in use.
Alerts:
wordpress: SQL injection
Package(s): wordpress
CVE #(s): (none assigned)
Created: January 10, 2007
Updated: January 10, 2007
Description: Stefan Esser discovered an SQL injection vulnerability in WordPress exploitable through the use of different character sets.
Alerts:
X.org: integer overflows
Package(s): xorg, xorg-server
CVE #(s): CVE-2006-6101 CVE-2006-6102 CVE-2006-6103
Created: January 10, 2007
Updated: March 8, 2007
Description: A number of integer overflows have turned up in the X.org server. Some of these overflows involve calls to alloca(), and thus make corruption of the stack relatively easy. This vulnerability is exploitable by anybody who can make a connection to the server, meaning that it is a local root exploit in most settings. See this advisory for details.
Alerts:
Page editor: Jonathan Corbet