Bug 61016 (CVE-2004-0816)

Summary: VUL-0: CVE-2004-0816: kernel: ipt_log ICMP remote DoS in kernel 2.6 / CAN-2004-0816
Product: [Novell Products] SUSE Security Incidents Reporter: Ludwig Nussel <lnussel>
Component: IncidentsAssignee: Marcus Meissner <meissner>
Status: RESOLVED FIXED QA Contact: Security Team bot <security-team>
Severity: Critical    
Priority: P3 - Medium CC: meissner, rf, security-team
Version: unspecified   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: CVE-2004-0816: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)
Found By: --- Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---
Attachments: original report with sample code?
oops.jpg
oops2.jpg
Proposed patch
Updated patch

Description Ludwig Nussel 2004-09-24 18:00:33 UTC 
We received the following _unconfirmed_ report via security@suse.de.  
This issue is not public yet AFAIK, please keep any information  
about it inside SUSE.  
  
Richard Hart is talking about a complete system freeze when certain  
ICMP (v4) packets are received (kernel-default-2.6.5-7.108). In his  
first mail he attached a C program that is supposed to trigger the  
bug. It was corrupted though. I'll fix it and attach it to this bug.  
  
Date: Thu, 23 Sep 2004 07:11:46 -0700  
From: Richard Hart <rhart@aloha.net>  
To: Ludwig Nussel <ludwig.nussel@suse.de>  
Subject: Re: [security@suse.de] CRITICAL  SuSEfirewall2 Security Bug  
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.6) Gecko/20040114  
X-Spam-Level:   
  
Ludwig Nussel wrote:  
> Richard Hart wrote:  
>   
>>I will make this my final attempt to notify SuSE Linux AG before posting  
>>this flaw to "full disclosure" and other mailing lists.  
>>  
>>I have made two bug reports  
>>  
>> (Ticket [20040729990000118])  
>> (Ticket [20040920990000230])  
>>  
>>The first was over 8 weeks ago and second was two days ago. Perhaps I  
>>should have gone straight to the secuity team to begin with.  
>   
>   
> Yes, security@suse.de is a shortcut for reporting security issues.  
> Nevertheless the fact that a security related feedback ticket  
> remains unanswered for such a long time is unacceptable. I'll see  
> what I can do to prevent something like this to happen in the  
> future. Thanks for bringing this problem to our attention.  
>   
>   
>>I know that the first bug report was not clear and I was uncertain at  
>>the time what the cause was and where it was. I am certain now that  
>>SuSEfirewall2 is part of the problem. I am not sure if it is how the  
>>kernel handles the drop or not. I am not a programer, nor do I  
>>understand how the firewall handles its responses  to "bad" packets.  
>>  
>>There is a flaw the SuSE Professional 9.1  SuSEfirewall2 that will cause  
>>a complete freeze of the box when a certain malformed ICMP packet is  
>>sent to the firewall. The thing that I find most interesting is that  
>>this attack was written to attack Windows boxes. If the firewall is  
>>turned off the packet in question will have no effect on the box. When  
>>the firewall is turned on, an imediate freeze is caused which requires a  
>>hard power down and and then a cold boot.  
>   
>   
> It's most likely not a bug in SuSEfirewall2 but in the Kernel  
> itself. What kernel are you running? Did you apply all (security)  
> updates available via YaST Online Update? There was a flaw related  
> to ICMP in the original SUSE 9.1 kernel that got fixed already.  
>   
>   
>>I discovered that the firewall was vulnerable while testing out the  
>>firewall rule sets. I was using various online port scanners to check  
>>for open ports. Generally speaking I try to keep my computer as  
>>stealthed out as possible. I -DROP as many ICMP packet types as possible  
>>to hide my box. Since I am not running any services that should be  
>>accessed from the internet, I -DROP everything I can. I came across a  
>>vulnerabilty scanner and ran it just for fun. To my surprise by bos  
>>froze solid. After further testing I isolated the specific attack that  
>>caused the freeze.  
>   
>   
> SuSEfirewall does not drop all ICMP messages per default on purpose.  
> Many ICMP messages play a crucial role in keeping the traffic  
> flowing in the internet so dopping all of them is not considered  
> good behaviour.  
>   
>   
>>I suppose that I could have broken something when making changes to  
>>SuSEfirewall2 or the config files. If you would like to see my files let  
>>me know.  
>   
>   
> We need to at least know the kernel version you are running. Also  
> helpful for further analyzing the problem would probably be  
> /etc/sysconfig/SuSEfirewall2 as well as the output of the 'hwinfo'  
> program.  
>   
>   
>>If you are not able to replicate this let me know.  
>>If you able to replicate this let me know.  
>>  
>>I am not anxious to send this info out to the public since I am running  
>>9.1, but in the spirit of encouraging you to fix this I will release the  
>>info. I am disappointed that I never got any kind of response regarding  
>>either of my bug reports. I know that you must be busy but this seems to  
>>me like a major DoS flaw that needs to be addressed.  
>   
>   
> I am deeply sorry that our feedback system doesn't work as well as  
> it should. You are of course free to report any security bugs you  
> discovered to the public. We would be grateful if you could delay  
> the publication to give us a chance to fix the problem though.  
>   
> cu  
> Ludwig  
>   
  
Aloha Ludwig  
  
Thank you for the quick response. I was starting to think that there was  
no one home at SuSE.  
  
I have applied _all_ security updates and patches to my system. I keep  
it current and usually check for updates 2 or 3 times weekly. I do use  
the Yast Online Update to do my patching. I did notice the ICMP related  
kernel update and was surprised that it didn't cover this issue.  
  
The kernel that I currently am running is kernel-default 2.6.5-7.108.  
It is as shipped, I have not made any changes to it.  
  
I am also sending you /sbin/SuSEfirewall2 since I have made a few small  
tweaks to it. Nothing major, but perhaps something to cause this  
problem. While I do understand that dropping all ICMP is not good  
behavior, not all boxes that are connected to the internet are meant to  
be visible to the outside network. I have only set my firewall to be as  
invisible as I can be.  
  
  
It was never my intention to go public with this flaw, I just started to  
feel like I had to light a fire go get some action. I will gladly wait  
to make an announcement, or even just let you guys make it. As long as I  
know that you are working on it I am fine sitting tight. If it is my own  
error that has caused this problem could you please let me know?  
  
Richard
Comment 1 Marcus Meissner 2004-09-24 18:31:19 UTC 
Created attachment 23931 [details]
original report with sample code?
Comment 2 Andreas Kleen 2004-09-24 19:10:01 UTC 
This program just sends a single stand ICMP unreachable for a TCP connection.
It's hard to imagine it should cause any problems. TCP should even reject it most
of the time because it has a fixed sequence number and TCP only allows icmps
which fit the current window.
Comment 3 Ludwig Nussel 2004-09-24 19:29:26 UTC 
no, this guy is right. with SuSEfirwall2 enabled the kernel crashes. I was 
able to get a panic on x86_64. Unfortunately the serial console doesn't work 
for some reason on this host (laptop). The backtrace was ipt_LOG and then 
memcpy. On a i386 laptop the machine instantly rebootes or locks up without 
panic when using the nuke program. 
 
steps to reproduce: 
# 
cp /var/adm/fillup-templates/sysconfig.SuSEfirewall2 /etc/sysconfig/SuSEfirewall2 
# SuSEfirewall2 
 
then nuke the host
Comment 4 Andreas Kleen 2004-09-24 19:31:14 UTC 
Ok, then ipt_LOG is buggy. That's possible.

Please log the oops somehow and I can look into it.
Comment 5 Ludwig Nussel 2004-09-24 19:51:49 UTC 
Unfortunately the serial device does not seem to work at all and netconsole 
doesn't work either so I have to type it by hand: 
 
__memcpy+11 
skb_copy_bits+91 
:ipt_LOG:dump_packet+1052
Comment 6 Marcus Meissner 2004-09-24 20:27:14 UTC 
Created attachment 23938 [details]
oops.jpg

(on amd64 laptop)
Comment 7 Olaf Kirch 2004-09-24 20:34:00 UTC 
FWIW, I ran the exploit against a 2.6.8 kernel on x86_64, and no crash 
occurred.
Comment 8 Andreas Kleen 2004-09-24 20:34:09 UTC 
Do you have the beginning of the oops too?
Comment 9 Andreas Kleen 2004-09-24 20:36:09 UTC 
The new subject is wrong, this isn't ipt6_LOG, but ipt_LOG
Comment 10 Olaf Kirch 2004-09-24 20:39:38 UTC 
I see 
 
divide error 0000 [1]
Comment 11 Marcus Meissner 2004-09-24 20:44:37 UTC 
Created attachment 23940 [details]
oops2.jpg

full oops
Comment 12 Olaf Kirch 2004-09-24 20:52:25 UTC 
FWIW, the simplest way to reproduce is this: 
 
hammer:~ # echo 1 > /proc/sys/kernel/sysrq 
hammer:~ # klogconsole -r0 -l8 
hammer:~ # iptables -A INPUT -j LOG --log-level warning \ 
		--log-tcp-options --log-ip-options -p icmp 
 
and running the exploit against the victim host
Comment 13 Olaf Kirch 2004-09-24 20:54:14 UTC 
Stupid old thinko - we've had the same sort of problems in other areas 
of netfilter before 
 
	      optsize = tcph.doff * 4 - sizeof(struct tcphdr); 
              if (skb_copy_bits(skb, iphoff+iph.ihl*4 + sizeof(tcph), 
                                 opt, optsize) < 0) { 
                       printk("TRUNCATED"); 
                       return; 
              } 
 
... and optsize goes negative if tcph.doff is 0.
Comment 14 Olaf Kirch 2004-09-24 21:03:57 UTC 
Created attachment 23941 [details]
Proposed patch

Proposed patch. ip6t_LOG had the same problem.

In 2.6.8, ipt_LOG is unaffected because it checks that
4 * doff > sizeof(tcphdr). The 2.6.8 ip6t_LOG module has this
bug though.
Comment 15 Andreas Kleen 2004-09-24 21:04:59 UTC 
No, that's not it. There is a if before it


		if ((info->logflags & IPT_LOG_TCPOPT)
		    && th->doff * 4 > sizeof(struct tcphdr)) {
Comment 16 Andreas Kleen 2004-09-24 21:06:41 UTC 
But the crash was in ipt_LOG

(for lnussel's description, Marcus' version doesn't make much sense)

And the test case also sends ipv4, not ipv6.
Comment 17 Marcus Meissner 2004-09-24 21:09:43 UTC 
... fixed summary line...
Comment 18 Olaf Kirch 2004-09-24 21:16:27 UTC 
Andi: yes, but in our 2.6.5 kernel the if() line reads like this: 
 
if ((info->logflags & IP6T_LOG_TCPOPT) 
 && tcph->doff * 4 != sizeof(struct tcphdr)) { 
 
Note the !=, not >. That was changed some time between 2.6.5 and 2.6.8. 
And that's why 2.6.5 crashes, and 2.6.8 doesn't. 
 
And of course the crash is in ipt_LOG. I didn't say it wasn't. All I'm saying 
is that the same sort of attack would be successful against ip6t_LOG as well.
Comment 19 Andreas Kleen 2004-09-24 21:19:16 UTC 
Ah right I looked in the wrong kernel source.
Comment 20 Andreas Kleen 2004-09-24 21:28:01 UTC 
BTW the ip options printing in SLES9SP1 has the same bug

	if ((info->logflags & IPT_LOG_IPOPT)
	    && iph.ihl * 4 != sizeof(struct iphdr)) {
		unsigned char opt[4 * 15 - sizeof(struct iphdr)];
		unsigned int i, optsize;

		optsize = iph.ihl * 4 - sizeof(struct iphdr);
		if (skb_copy_bits(skb, iphoff+sizeof(iph), opt, optsize) < 0) {
			printk("TRUNCATED");
			return;
		}


But I don't think it's exploitable because those short packets will
be rejected very early, probably before any netfilter hooks
Comment 21 Marcus Meissner 2004-09-24 21:35:50 UTC 
please use a "safe" approach in the ip6t case, aka check for the size if you 
are unsure. better safe than sorry.
Comment 22 Olaf Kirch 2004-09-24 21:38:05 UTC 
Andi: possibly exploitable if you build something like 
	sane IP header 
	ICMP port unreach 
	broken IP header 
 
Marcus: I don't understand your comment. What do you mean by safe approach? 
Do you see any problem with my patch?
Comment 23 Andreas Kleen 2004-09-24 21:41:58 UTC 
Olaf, true.

I would suggest a full careful audit of ipt_LOG, there may be more dragons there.
Scary that firewall code has so bad code quality ...
Comment 24 Olaf Kirch 2004-09-24 21:47:24 UTC 
Marcus - can someone from your team do this audit, please? It may be 
a good idea to diff 2.6.5 against 2.6.8 and see which changes may have 
been security relevant. It looks as if this issue was fixed quietly by 
DaveM or Linus. 
 
It may also be a good idea to inform vendor-sec. 
 
I wonder how long this exploit has been circulating already... somehow it 
doesn't feel as if the reporter is the author of the exploit.
Comment 25 Olaf Kirch 2004-09-24 21:51:10 UTC 
Created attachment 23949 [details]
Updated patch

This patch adds a check for bad iph.ihl
Comment 26 Olaf Kirch 2004-09-24 22:17:21 UTC 
These bugs are present in SLES8 as well. Hooray...
Comment 27 Kurt Garloff 2004-09-24 22:48:00 UTC 
Hmm, we have a SLES8 update kernel in the queue. 
If this is already public and we do want to fix it as soon as possible, it 
might be an option to stop its release. 
OTOH, I understood there will be another security update soon anyway, so 
we can as well roll it in there.
Comment 28 Marcus Meissner 2004-09-24 22:55:01 UTC 
The current sles8 kernel update will not be touched anymore. 
 
We will roll it into the next one, which will be coming anyway.
Comment 29 Olaf Kirch 2004-09-24 22:55:42 UTC 
I committed the patch to SLES8 HEAD, SLES9 SP1 and GA branches, and verified  
that the exploit is no longer effective against a patched kernel.  
  
kernel-source-26 HEAD remains unpatched for now until Marcus tells me to  
go ahead. So it looks like we already have a first candidate for a kernel  
security update after releasing 9.2 :)  
  
I'm assigning this to security-team for further tracking. 
 
Re: Kurt's comment - I don't think this is public yet. The kernel maintainers 
fixed it quietly.
Comment 30 Sebastian Krahmer 2004-09-27 18:05:18 UTC 
Theres similar code in ip_tables.c (2.6.0 checked):

static int
tcp_match(const struct sk_buff *skb,
          const struct net_device *in,
          const struct net_device *out,
          const void *matchinfo,
          int offset,
          int *hotdrop)
{
...
        if (tcpinfo->option &&
            !tcp_find_option(tcpinfo->option, skb, tcph.doff*4 - sizeof(tcph),
                             tcpinfo->invflags & IPT_TCP_INV_OPTION,
                             hotdrop))

...
}

Seems the tcp header isnt validated before.
Comment 31 Olaf Kirch 2004-09-27 18:12:10 UTC 
That is old news - I found this bug in June or so, and it's been fixed in 
mainline for a while. 2.6.8 current has this: 
 
		if (th->doff * 4 < sizeof(_tcph)) { 
                        *hotdrop = 1; 
                        return 0; 
                } 
                if (!tcp_find_option(tcpinfo->option, skb, 
                                     th->doff*4 - sizeof(_tcph), 
                                     tcpinfo->invflags & IPT_TCP_INV_OPTION, 
                                     hotdrop)) 
                        return 0; 
 
Please make sure you look at the current Suse kernel source code. 2.6.0 
is definitely way outdated.
Comment 32 Ludwig Nussel 2004-09-27 21:14:54 UTC 
CAN-2004-0816
Comment 33 Marcus Meissner 2004-09-29 19:30:11 UTC 
The important parts of the patch were in 2.6.8, vendor-sec considers this 
issue public. 
 
Only 9.1 and SLES 9 kernels are affected. 
 
(2.4 kernels are not affected.)
Comment 34 Carl-Daniel Hailfinger 2004-09-30 00:27:07 UTC 
comment#26 states 2.4 kernels (SLES8) are affected.
Comment 35 Marcus Meissner 2004-09-30 14:05:53 UTC 
We have verified that it does not affect 2.4 kernels.
Comment 36 Marcus Meissner 2004-10-21 16:16:17 UTC 
kernels and advisories released.
Comment 37 Thomas Biege 2009-10-13 19:51:19 UTC 
CVE-2004-0816: CVSS v2 Base Score: 5.0 (AV:N/AC:L/Au:N/C:N/I:N/A:P)