Bug 100428

Summary: VUL-0: CVE-2005-2457: kernel: wrong return value in ip_conntrack_core
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P5 - None CC: krahmer, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: All   
Whiteboard: CVSSv2:NVD:CVE-2005-2457:5.0:(AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: mail as attachment
Patch for 9.3

Description Ludwig Nussel 2005-08-03 08:29:39 UTC 
We received the following report via vendor-sec.
This issue is not public yet, please keep any information about it inside SUSE.

We don't have ip_conntrack_pptp but since it's triggered by a bug in ip_conntrack_core we should include that part of the patch IMHO.

Date: Wed, 03 Aug 2005 09:56:18 +0200
From: Stephan Scholz <sscholz@astaro.com>
To: vendor-sec@lst.de
Cc: Markus Hennig <mhennig@astaro.com>, Gert Hansen <ghansen@astaro.com>,
	Holger Eitzenberger <heitzenberger@astaro.com>,
	Harald Welte <laforge@gnumonks.org>
Subject: [vendor-sec] Netfilter / PPTP conntrack helper kernel oops

Subject:

  Netfilter / PPTP conntrack helper kernel oops

Released:

  03 August 2005

Effects:

  By creating several Call Requests within the same PPTP connection,
  the PPTP conntrack helper ip_conntrack_pptp can lead to a kernel oops.
  TCP port 1723 must be open either through or to the firewall,
  and the ip_conntrack_pptp helper needs to be loaded.
  Note that the PPTP conntrack helper is not part of the vanilla kernel
  but available via netfilter patch-o-matic.

  The error is in ip_conntrack_core.c in function ip_conntrack_expect_related()
  and ip_conntrack_pptp.c in function exp_gre(). ip_conntrack_expect_related()
  falsely returns an error, which causes the GRE conntrack entry to be freed.
  This leads to a kernel oops. Even though the error is in ip_conntrack_core,
  currently only the PPTP conntrack helper triggers this problem.

  The vulnerability can be exploited by using the PPTP Bruter tool,
  which is actually a password cracker against Microsoft PPTP servers
  but which triggers this problem unintentionally. The kernel can be crashed
  by using this tool either directly against the machine or against a machine behind it.
  The tool can be retrieved from the following location:
  http://www.thc.org/download.php?t=r&f=thc-pptp-bruter-0.1.4.tar.gz

Estimated Severity:

  High

Systems Affected:

  Linux kernels with ip_conntrack_pptp module loaded

Solution:

  1. Apply the patch below.

  or

  2. Remove the PPTP conntrack helper ip_conntrack_pptp kernel module

Contact:
  Harald Welte <laforge@gnumonks.org>
  Stephan Scholz <sscholz@astaro.com>



Patch for kernel 2.6
--------------------


Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
===================================================================
--- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c
+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c
@@ -1015,7 +1015,6 @@
                                struct ip_conntrack *related_to)
 {
        struct ip_conntrack_expect *old;
-       int ret = 0;

        WRITE_LOCK(&ip_conntrack_lock);
        /* Because of the write lock, no reader can walk the lists,
@@ -1090,7 +1089,6 @@
                 * related_to->expecting.
                 */
                unexpect_related(old);
-               ret = -EPERM;
        } else if (LIST_FIND(&ip_conntrack_expect_list, expect_clash,
                             struct ip_conntrack_expect *, &expect->tuple,
                             &expect->mask)) {
@@ -1107,7 +1105,7 @@

        CONNTRACK_STAT_INC(expect_create);

-       return ret;
+       return 0;
 }

 /* Change tuple in an existing expectation */
Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_pptp.c
===================================================================
--- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_pptp.c
+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_pptp.c
@@ -237,7 +237,6 @@

                if (ip_conntrack_expect_related(exp, master) != 0) {
                        ip_ct_gre_keymap_destroy(exp);
-                       ip_conntrack_expect_put(exp);
                        DEBUGP("cannot expect_related()\n");
                        return 1;
                }





Patch for kernel 2.4
--------------------


--- linux-2.4/net/ipv4/netfilter/ip_conntrack_core.c
+++ linux-2.4.conntrack_pptp/net/ipv4/netfilter/ip_conntrack_core.c
@@ -939,7 +939,6 @@
                                struct ip_conntrack_expect *expect)
 {
        struct ip_conntrack_expect *old, *new;
-       int ret = 0;

        WRITE_LOCK(&ip_conntrack_lock);
        /* Because of the write lock, no reader can walk the lists,
@@ -1021,7 +1020,6 @@
                 * related_to->expecting.
                 */
                unexpect_related(old);
-               ret = -EPERM;
        } else if (LIST_FIND(&ip_conntrack_expect_list, expect_clash,
                             struct ip_conntrack_expect *, &expect->tuple,
                             &expect->mask)) {
@@ -1061,7 +1059,7 @@

        WRITE_UNLOCK(&ip_conntrack_lock);

-       return ret;
+       return 0;
 }

 /* Change tuple in an existing expectation */
_______________________________________________
Vendor Security mailing list
Vendor Security@lst.de
https://www.lst.de/cgi-bin/mailman/listinfo/vendor-sec
Comment 1 Ludwig Nussel 2005-08-03 08:30:40 UTC 
Created attachment 44578 [details]
mail as attachment
Comment 2 Marcus Meissner 2005-08-15 14:26:31 UTC 
olaf says it is fine. we should however test connection tracking afterwards.
Comment 3 Olaf Kirch 2005-08-16 09:54:08 UTC 
Is this public already? Can we publish the fix?
Comment 4 Olaf Kirch 2005-08-16 09:59:52 UTC 
Kernels 2.6.11 and later seem unaffected by this.
Comment 5 Olaf Kirch 2005-08-16 10:00:21 UTC 
Created attachment 46143 [details]
Patch for 9.3
Comment 6 Olaf Kirch 2005-08-16 10:01:18 UTC 
sorry, the above should have read Patch for sles9
Comment 7 Olaf Kirch 2005-08-16 11:29:12 UTC 
Patch submitted to SLES9 SP2, SP3
Comment 8 Marcus Meissner 2005-08-17 13:14:12 UTC 
not public however. but leave it in, it is stale already.
Comment 9 Marcus Meissner 2005-08-18 09:47:30 UTC 
only really affected ip_pptp, which we do not ship. 
 
From: Stephan Scholz <sscholz@astaro.com> 
That's right, it is not an issue with the vanilla kernel. 
Even though there was a bug in the conntrack core, this only lead 
to problems in combination with the pptp conntrack helper. 
Other components or helpers were not affected, so it's basically patch-o-matic 
+only.
Comment 10 Marcus Meissner 2005-08-19 08:37:22 UTC 
-> tracking
Comment 11 Marcus Meissner 2005-08-19 08:56:41 UTC 
all applied.
Comment 12 Marcus Meissner 2005-09-01 14:40:33 UTC 
released.
Comment 13 Marcus Meissner 2006-03-16 07:42:47 UTC 
*** Bug 157903 has been marked as a duplicate of this bug. ***