Date: Thu, 20 Jan 2000 21:16:47 -0600
From: Jeremy McMillan <aphor@ripco.com>
To: freebsd-stable@freebsd.org
Subject: Re: bugtraq posts: stream.c - new FreeBSD exploit?
Message-ID: <3887CF9F.F0D234EB@ripco.com>
References: <200001210034.RAA06762@harmony.village.org> <Your message of "Thu, 20 Jan 2000 17:32:03 MST." <4.2.2.20000120172607.0198f1e0@localhost> <4.2.2.20000120172607.0198f1e0@localhost> <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca> <3.0.5.32.20000120152818.01d7fa40@staff.sentex.ca> <Pine.BSF.4.02A.10001201232520.26367-100000@shell.uniserve.ca> <4.2.2.20000120175659.0167ce60@localhost>
I really don't have enough experience with the source yet, but netstat is
setgid kmem, meaning there is a structure in kernelspace that lists open
connections. I started poking around there, and the includes led me right to
the /usr/src/sys/netinet directory, where I did grep for TCP and STATE. Is it
referenced by &ips_table[hv]? I found this in /usr/src/sys/netinet/ip_state.c:

---cut---
/*
 * Check if a packet has a registered state.
 */
int fr_checkstate(ip, fin)
---cut---

And right to the chase....

---cut---
    case IPPROTO_TCP :
        {
            register u_short dport = tcp->th_dport, sport = tcp->th_sport;

            hv += dport;
            hv += sport;
            hv %= IPSTATE_SIZE;
            MUTEX_ENTER(&ipf_state);
            for (isp = &ips_table[hv]; (is = *isp); isp = &is->is_next)
                if ((is->is_p == pr) &&
                    fr_matchsrcdst(is, src, dst, fin, tcp, sport, dport)) {
                    if (fr_tcpstate(is, fin, ip, tcp)) {
                        pass = is->is_pass;
#ifdef _KERNEL
                        MUTEX_EXIT(&ipf_state);
#else
                        if (tcp->th_flags & TCP_CLOSE) {
                            *isp = is->is_next;
                            isp = &ips_table[hv];
                            KFREE(is);
                        }
#endif
                        return pass;
                    }
                }
            MUTEX_EXIT(&ipf_state);
            break;
        }
---cut---

If this is it, and it isn't fast enough, then maybe we should pass all incoming
ACKs to a separate thread with its own buffer space? Alternatively, maintain a
separate hash for TCP states to shorten the search? fr_matchsrcdst(is, src,
dst, fin, tcp, sp, dp) seems to be matching by port number first.

Someone either start explaining or send me the exploit so I can figure this
out?

Brett Glass wrote:
>
> Oops.... I've answered my own question. IPFW's "established" keyword
> only checks the RST or ACK bits; it can't tell if a session is
> REALLY established or not. Only a firewall that can save state
> (such as IPFilters), or the kernel itself, can do this.
>
> It'd be neat if we could use IPFilters to do a temporary fix for
> this, because it'd nuke the problem on several OSes at once --
> including all of the BSDs. (They all just happen to come with IPFilters
> out of the box now.) This way, when the skript kiddies reading Bugtraq
> start trying this, there will be an immediate defense.

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-stable" in the body of the message
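The two checks contrasted in this thread, as an added user-space model written for this archive page. It is not code from ipfilter, ipfw or either poster; the function names (state_add, state_lookup, state_remove, ipfw_established, count_passed), the packet struct and the sample traffic are assumptions. It puts a state table hashed on the port pair and walked one bucket chain at a time, the shape of the ip_state.c fragment quoted above, beside a test that looks only at the RST/ACK bits, which is what Brett describes for ipfw's "established" keyword. A constructed burst of ACK-only packets from made-up sources and ports passes the flags-only test every time and the state lookup never, which is why a stateful filter is expected to help:

```c
/* Added example, not code from ipfilter, ipfw or anyone on the thread: a
 * user-space model of a port-hashed state table beside a flags-only
 * "established" test. All names and the packet layout are assumptions. */
#include <stdint.h>
#include <stdlib.h>

#define TH_RST      0x04
#define TH_ACK      0x10
#define STATE_SIZE  256                 /* stand-in for IPSTATE_SIZE */

struct pkt {
    uint32_t src, dst;                  /* IPv4 addresses, host order */
    uint16_t sport, dport;
    uint8_t  flags;                     /* TCP flag bits */
};

struct state {                          /* stand-in for the is_* fields */
    uint32_t src, dst;
    uint16_t sport, dport;
    struct state *next;                 /* bucket chain, like is_next */
};

static struct state *state_table[STATE_SIZE];   /* stand-in for ips_table */
/* Bucket index: addresses folded in, then both ports, mod table size, the
 * same shape as the hv computation quoted from ip_state.c above. */
static unsigned state_hash(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    unsigned hv = src ^ dst;
    hv += dport;
    hv += sport;
    return hv % STATE_SIZE;
}

/* Register a session; a firewall does this when a "keep state" rule matches
 * the first packet. Returns 0 on success. */
int state_add(uint32_t src, uint32_t dst, uint16_t sport, uint16_t dport)
{
    unsigned hv = state_hash(src, dst, sport, dport);
    struct state *is = calloc(1, sizeof *is);
    if (is == NULL) return -1;
    is->src = src; is->dst = dst; is->sport = sport; is->dport = dport;
    is->next = state_table[hv];
    state_table[hv] = is;
    return 0;
}

/* The stateful check: walk one bucket chain the way fr_checkstate() does.
 * The flag bits prove nothing; only a registered session returns 1. */
int state_lookup(const struct pkt *p)
{
    const struct state *is;
    for (is = state_table[state_hash(p->src, p->dst, p->sport, p->dport)];
         is != NULL; is = is->next)
        if (is->src == p->src && is->dst == p->dst &&
            is->sport == p->sport && is->dport == p->dport)
            return 1;
    return 0;
}

/* Unlink and free a matching state (the KFREE path); 1 if one was removed. */
int state_remove(const struct pkt *p)
{
    struct state **isp, *is;
    for (isp = &state_table[state_hash(p->src, p->dst, p->sport, p->dport)];
         (is = *isp) != NULL; isp = &is->next)
        if (is->src == p->src && is->dst == p->dst &&
            is->sport == p->sport && is->dport == p->dport) {
            *isp = is->next;
            free(is);
            return 1;
        }
    return 0;
}

/* What a flags-only "established" rule sees: RST or ACK set, nothing more. */
int ipfw_established(const struct pkt *p)
{
    return (p->flags & (TH_ACK | TH_RST)) != 0;
}

/* Constructed traffic: one real session, then 100 ACK-only packets with
 * made-up sources and ports, the kind of burst the thread worries about.
 * Returns how many of the 101 packets the given check let through. */
int count_passed(int (*check)(const struct pkt *))
{
    struct pkt legit = { 0xC0A80102u, 0xC0A80101u, 40000, 22, TH_ACK };
    int passed; unsigned i;
    if (state_add(legit.src, legit.dst, legit.sport, legit.dport) != 0)
        return -1;
    passed = check(&legit);
    for (i = 0; i < 100; i++) {
        struct pkt spoof = { 0x0A000000u + i, legit.dst, 1024 + i, 1 + 7 * i, TH_ACK };
        passed += check(&spoof);
    }
    state_remove(&legit);               /* leave the table empty again */
    return passed;
}
```

Calling count_passed() with either check on the constructed traffic gives 101 for ipfw_established and 1 for state_lookup. The model leaves out what fr_tcpstate() does in the real code (sequence-number and TCP state-machine checks), and it says nothing about the cost of walking a long bucket chain, which is the part Jeremy is asking about.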