From owner-freebsd-stable Thu Jan 20 19:15:12 2000
Delivered-To: freebsd-stable@freebsd.org
Received: from notrecords.com (228-121.ppp.ripco.net [209.100.228.121]) by hub.freebsd.org (Postfix) with ESMTP id C32C914D72 for ; Thu, 20 Jan 2000 19:15:05 -0800 (PST) (envelope-from aphor@ripco.com)
Received: from ripco.com (nell.notrecords.com [192.168.1.123]) by notrecords.com (8.9.3/8.9.3) with ESMTP id VAA47135 for ; Thu, 20 Jan 2000 21:17:02 -0600 (CST) (envelope-from aphor@ripco.com)
Message-ID: <3887CF9F.F0D234EB@ripco.com>
Date: Thu, 20 Jan 2000 21:16:47 -0600
From: Jeremy McMillan
Reply-To: aphor@ripco.com
Organization: Loose..
X-Mailer: Mozilla 4.7 [en] (X11; U; FreeBSD 3.4-STABLE i386)
X-Accept-Language: en
MIME-Version: 1.0
To: freebsd-stable@freebsd.org
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
References: <200001210034.RAA06762@harmony.village.org> <4.2.2.20000120172607.0198f1e0@localhost> <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca> <4.2.2.20000120175659.0167ce60@localhost>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-stable@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

I really don't have enough experience with the source yet, but netstat is setgid kmem, meaning there is a structure in kernelspace that lists open connections. I started poking around there, and the includes led me right to the /usr/src/sys/netinet directory, where I did grep for TCP and STATE.

Is it referenced by &ips_table[hv]? I found this in /usr/src/sys/netinet/ip_state.c

---cut---
/*
 * Check if a packet has a registered state.
 */
int fr_checkstate(ip, fin)
---cut---

And right to the chase....

---cut---
        case IPPROTO_TCP :
            {
                register u_short dport = tcp->th_dport, sport = tcp->th_sport;

                hv += dport;
                hv += sport;
                hv %= IPSTATE_SIZE;
                MUTEX_ENTER(&ipf_state);
                for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
                        if ((is->is_p == pr) &&
                            fr_matchsrcdst(is, src, dst, fin, tcp, sport, dport)) {
                                if (fr_tcpstate(is, fin, ip, tcp)) {
                                        pass = is->is_pass;
#ifdef  _KERNEL
                                        MUTEX_EXIT(&ipf_state);
#else
                                        if (tcp->th_flags & TCP_CLOSE) {
                                                *isp = is->is_next;
                                                isp = &ips_table[hv];
                                                KFREE(is);
                                        }
#endif
                                        return pass;
                                }
                        }
                MUTEX_EXIT(&ipf_state);
                break;
            }
---cut---

If this is it, and it isn't fast enough, then maybe we should pass all incoming ACKs to a separate thread with its own buffer space? Alternatively, maintain a separate hash for TCP states to shorten the search?

fr_matchsrcdst(is, src, dst, fin, tcp, sp, dp) seems to be matching by port number first.

Someone either start explaining or send me the exploit so I can figure this out?

Brett Glass wrote:
>
> Oops.... I've answered my own question. IPFW's "established" keyword
> only checks the RST or ACK bits; it can't tell if a session is
> REALLY established or not. Only a firewall that can save state
> (such as IPFilters), or the kernel itself, can do this.
>
> It'd be neat if we could use IPFilters to do a temporary fix for
> this, because it'd nuke the problem on several OSes at once --
> including all of the BSDs. (They all just happen to come with IPFilters
> out of the box now.) This way, when the skript kiddies reading Bugtraq
> start trying this, there will be an immediate defense.
>
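To make the distinction Brett draws concrete, here is an added illustration (not ipfilter or ipfw code; the hash, struct layouts and addresses are made up for the demo): a flag-only "established" test beside a bucket walk in the style of the fr_checkstate() loop quoted above, showing that only the stateful lookup rejects an ACK that matches no tracked session.

```c
#include <stdint.h>
#include <stdlib.h>

#define TH_RST     0x04
#define TH_ACK     0x10
#define STATE_SIZE 257   /* bucket count; stands in for IPSTATE_SIZE */

struct pkt   { uint32_t src, dst; uint16_t sport, dport; uint8_t flags; };
struct state { uint32_t src, dst; uint16_t sport, dport; struct state *next; };
static struct state *table[STATE_SIZE];   /* hypothetical stand-in for ips_table */

/* Bucket index: addresses and ports are summed, so the hash is direction-independent. */
static unsigned bucket(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    unsigned hv = src + dst; hv += dport; hv += sport;
    return hv % STATE_SIZE;
}

/* Register a session the host actually opened (entries are never freed; demo only). */
int state_add(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    struct state *is = calloc(1, sizeof *is);
    if (is == NULL) return 0;
    is->src = src; is->dst = dst; is->sport = sport; is->dport = dport;
    unsigned hv = bucket(src, dst, sport, dport);
    is->next = table[hv]; table[hv] = is;
    return 1;
}

/* Flag-only test, as ipfw "established" does: any RST or ACK bit passes. */
int pass_established(const struct pkt *p) { return (p->flags & (TH_ACK | TH_RST)) != 0; }

/* Stateful test: walk the bucket and pass only a known 4-tuple, in either direction. */
int pass_stateful(const struct pkt *p)
{
    struct state *is;
    for (is = table[bucket(p->src, p->dst, p->sport, p->dport)]; is; is = is->next) {
        if (is->src == p->src && is->dst == p->dst && is->sport == p->sport && is->dport == p->dport) return 1;
        if (is->src == p->dst && is->dst == p->src && is->sport == p->dport && is->dport == p->sport) return 1;
    }
    return 0;
}

/* Constructed scenario: one tracked session, its genuine reply, and a stray ACK to an unused
   port. Returns est(reply)<<3 | est(stray)<<2 | state(reply)<<1 | state(stray), i.e. 14. */
int demo(void)
{
    state_add(0x0A000001u, 0xC0A80101u, 40000, 80);   /* 10.0.0.1:40000 -> 192.168.1.1:80 */
    struct pkt reply = { 0xC0A80101u, 0x0A000001u, 80, 40000, TH_ACK };
    struct pkt stray = { 0xC0A80101u, 0x0A000001u, 80, 40001, TH_ACK };
    return pass_established(&reply) << 3 | pass_established(&stray) << 2
         | pass_stateful(&reply) << 1 | pass_stateful(&stray);
}
```

The flag check passes both packets; the state walk passes the reply and drops the stray ACK, which is exactly the gap between ipfw's "established" and a state-keeping firewall.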