From: James Morris (jmorris_at_intercode.com.au)
Date: Tue Dec 03 2002 - 05:01:11 CST

                      Netfilter Core Team Security Advisory

      Local Netfilter / IPTables IP Queue PID Wrap Flaw


      December 3, 2002.


    Summary:

      Under limited circumstances, an unprivileged local user may be able
      to read a limited amount of arbitrary IPv4 or IPv6 traffic.

    Estimated Severity:


    Remotely Exploitable:

    Systems Affected:

      Linux 2.4 kernels up to and including 2.4.19, and Linux 2.5 kernels
      up to and including 2.5.31, where Netfilter / IPTables is enabled
      and either of the experimental IP queuing modules (ip_queue,
      ip6_queue) is in use.


    Solution:

      Upgrade to Linux kernels 2.4.20 (stable), and 2.5.32 (development).


    Details:

      Under Linux 2.4 and 2.5, an experimental IP packet queuing feature is
      available as part of Netfilter / IPTables. This consists of kernel
      modules and a userspace library which allow userspace mediation and
      modification of IPv4 and IPv6 packets.

      A userspace mediation process must normally be privileged (requiring
      NET_ADMIN capability) to process packets from the kernel. To commence
      mediating packets, a userspace process typically sends a Netlink message
      to the associated kernel module, specifying queuing parameters. The
      kernel module captures the Unix process ID (PID) of the process to ensure
      reliable queuing and delivery of packets.

      If the privileged mediation process exits, an unprivileged process
      re-using the same PID may be able to receive a limited amount of
      network traffic.

      This would only occur if no network traffic was queued between the exit
      of the privileged process and the establishment of the unprivileged
      process, as the kernel module will reset the queuing session upon
      transmission error to userspace.

      The kernel module will only transmit a limited number of packets to
      the userspace process without acknowledgment. As all transmissions
      from userspace to the kernel module require NET_ADMIN capability,
      the unprivileged process will not be able to acknowledge packets.
      Thus, the maximum number of packets that the unprivileged process
      can read is limited to the queue length (default 1024 packets).
      The unprivileged process can also only read packets which have been
      selected for queuing via IPTables by a privileged process.

      This flaw is theorized to be difficult and somewhat invasive to exploit,
      probably requiring a combined use of DoS attacks. It was discovered by
      the author of the code, and no exploits are known to exist.

      Fixing the flaw involved implementing a reliable mechanism for detecting
      when the Netlink control socket of a privileged mediation process is
      closed, and resetting the kernel queuing session state upon such events.

      The fix was implemented by the Netfilter Core Team, with contributions
      from Jamal Hadi Salim and Alexey Kuznetsov.
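      The following C model is an added illustration and is not part of the
      advisory or of the kernel's code. It reduces the session logic described
      above to a few functions (names, the pid 1234 and the process table are
      constructed) to show why a PID-keyed session can hand at most a queue
      length of packets to a process that reuses the PID, why a transmission
      error in between prevents it, and how a socket-release notification
      closes the window.

```c
#include <stdbool.h>

/* Toy model of the ip_queue peer session described in the advisory.
 * Constructed for illustration; it is not the kernel's code. */
#define QUEUE_MAX 1024          /* default queue length from the advisory */

struct proc { int pid; bool alive; bool net_admin; };
struct ipq_session { int peer_pid; int unacked; };  /* peer_pid 0 = unbound */

static struct ipq_session sess;
static void ipq_reset(void) { sess.peer_pid = 0; sess.unacked = 0; }

/* Binding needs NET_ADMIN; afterwards the kernel remembers only the PID. */
static int ipq_bind(const struct proc *p) {
    if (!p->alive || !p->net_admin) return -1;
    sess.peer_pid = p->pid; sess.unacked = 0;
    return 0;
}

/* Delivery: whoever currently owns peer_pid gets the packet. Returns 1 on
 * delivery, 0 if unbound or the unacknowledged window (QUEUE_MAX) is full;
 * acknowledgements need NET_ADMIN, so an unprivileged peer never drains it.
 * Sending to a dead PID is a transmission error and resets the session. */
static int ipq_deliver(const struct proc *table, int n) {
    if (sess.peer_pid == 0 || sess.unacked >= QUEUE_MAX) return 0;
    for (int i = 0; i < n; i++)
        if (table[i].pid == sess.peer_pid && table[i].alive) { sess.unacked++; return 1; }
    ipq_reset();
    return 0;
}

/* The fix: a socket-release hook clears the session when the bound netlink
 * socket closes, before the PID can be reused by another process. */
static void ipq_sk_release(int pid) { if (sess.peer_pid == pid) ipq_reset(); }

/* Scenario: a privileged mediator (constructed pid 1234) binds and exits, an
 * unprivileged process reuses the PID, then npackets are queued. Returns how
 * many of them the unprivileged process received. */
int pid_wrap_scenario(bool fixed, bool traffic_between, int npackets) {
    struct proc table[1] = { { 1234, true, true } };
    int got = 0;
    ipq_reset();
    ipq_bind(&table[0]);
    table[0].alive = false;                        /* mediator exits */
    if (fixed) ipq_sk_release(1234);               /* fixed kernels clear state here */
    if (traffic_between) ipq_deliver(table, 1);    /* error -> reset, flawed kernels too */
    table[0] = (struct proc){ 1234, true, false }; /* PID reused, no NET_ADMIN */
    for (int i = 0; i < npackets; i++) got += ipq_deliver(table, 1);
    return got;
}
```

      In the flawed model the reused PID receives packets only up to the queue
      length, since it cannot acknowledge them; with either the release hook or
      any traffic queued before the PID is reused, it receives none.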

