Date: Mon, 8 Dec 2008 13:56:22 GMT
From: Thorsten Schroeder <ths-fbsdpr@dev.io>
To: freebsd-gnats-submit@FreeBSD.org
Subject: kern/129499: IPv6 sockets break jail
Message-ID: <200812081356.mB8DuMOu092099@www.freebsd.org>
Resent-Message-ID: <200812081400.mB8E081J045206@freefall.freebsd.org>
>Number: 129499
>Category: kern
>Synopsis: IPv6 sockets break jail
>Confidential: no
>Severity: critical
>Priority: high
>Responsible: freebsd-bugs
>State: open
>Quarter:
>Keywords:
>Date-Required:
>Class: sw-bug
>Submitter-Id: current-users
>Arrival-Date: Mon Dec 08 14:00:07 UTC 2008
>Closed-Date:
>Last-Modified:
>Originator: Thorsten Schroeder
>Release: RELENG_7
>Organization:
>Environment:
FreeBSD anti.xxx 7.1-PRERELEASE FreeBSD 7.1-PRERELEASE #2: Mon Dec 8 10:50:17 CET 2008 root@anti.xxx:/usr/obj/usr/src/sys/ANTI i386
>Description:
A listening udp6 or tcp6 network socket, opened from within a jail environment, also binds to * on the host environment. This happens even if no inet6 address is assigned to a real network interface. The loopback lo0 network interface has an inet6 address assigned by default, so the behaviour can be easily reproduced by connecting to the localhost using an IPv6 client on the host environment.

To reproduce this issue, just enable the sshd using the default configuration within the jail environment. The sshd will also bind to tcp6/*.22 on the host environment (if no other service is bound to tcp6/*.22, or if the service on the host environment is restarted afterwards).

sockstat on the host system:

root sshd 45219 4 tcp6 *:22 *:*
[...]

jail #2 process on the host system:

# pgrep -lfj 2
45219 /usr/sbin/sshd
[...]

Connecting to localhost from the host environment using ssh will end up being connected to the jail, not to the host environment:

OpenSSH_5.1p1 FreeBSD-20080901, OpenSSL 0.9.8e 23 Feb 2007
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Connecting to localhost.xxx [127.0.0.1] port 22.
debug1: connect to address 127.0.0.1 port 22: Connection refused
debug1: Connecting to localhost.xxx [::1] port 22.
debug1: Connection established.
[...]
-> connected and authenticated in jail environment.

The same applies to syslogd without syslogd_flags="-4" (the default).

Impact: An attacker or malicious jail user is able to hijack inet6 services of the host environment. Network clients such as netcat or ssh are IPv6-capable and try to connect using IPv6 first, or as a fallback if the IPv4 service is not available. If an IPv6-capable network service is started from within the jail _before_ the same socket is opened for listening on the host environment, a network client will connect to the inet6 network socket of the jail environment, even if the IPv6 address/hostname of the host environment is used.

>How-To-Repeat:
Reproduce this issue by using netcat:

In the jail environment:
# echo AAAA | nc -v -6 -l 6666

-- / --

In the host environment:
# sockstat | grep 6666
root nc 45327 3 tcp6 *:6666 *:*
# nc -v -6 localhost 6666
Connection to localhost 6666 port [tcp/*] succeeded!
AAAA
#

>Fix:
>Release-Note:
>Audit-Trail:
>Unformatted:
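As an added example (not part of the PR and not FreeBSD's own tooling), the following Python script implements the host-side check the report performs by hand with sockstat and pgrep -lfj: it parses sockstat-style output, keeps only tcp6/udp6 sockets bound to the wildcard address, and flags those whose PID belongs to a jail. The sockstat and pgrep output embedded below is constructed to mirror the report (PIDs 45219, 45327 and a syslogd entry); the column layout follows the USER COMMAND PID FD PROTO LOCAL FOREIGN format shown in the report, and the jail id and extra rows are assumptions for illustration.

```python
"""Audit host sockstat output for IPv6 wildcard listeners owned by jailed processes.

Added example, not code from the PR. Input formats are assumed from the
report: sockstat rows "USER COMMAND PID FD PROTO LOCAL FOREIGN" and
`pgrep -lfj <jid>` rows "PID COMMAND...". Sample data below is constructed.
"""
import re
from typing import List, NamedTuple, Set


class Listener(NamedTuple):
    user: str
    command: str
    pid: int
    proto: str
    local: str
    foreign: str


# Constructed sockstat output modelled on the report (not a live capture).
SAMPLE_SOCKSTAT = """\
USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
root     sshd       45219 4  tcp6   *:22                  *:*
root     sshd       45219 3  tcp4   *:22                  *:*
root     syslogd    1234  6  udp6   *:514                 *:*
root     nc         45327 3  tcp6   *:6666                *:*
www      nginx      800   7  tcp4   192.0.2.10:80         *:*
root     sshd       910   4  tcp6   [2001:db8::1]:22      *:*
"""

# Constructed `pgrep -lfj 2` output: processes that belong to jail 2 (assumed jid).
SAMPLE_PGREP_JAIL = """\
45219 /usr/sbin/sshd
45327 nc -v -6 -l 6666
1234 /usr/sbin/syslogd
"""


def parse_sockstat(text: str) -> List[Listener]:
    """Parse sockstat rows; the header line is skipped because its
    'LOCAL ADDRESS' column splits into two tokens and starts with USER."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 7 or parts[0] == "USER":
            continue
        user, cmd, pid, _fd, proto, local, foreign = parts[:7]
        rows.append(Listener(user, cmd, int(pid), proto, local, foreign))
    return rows


def parse_jail_pids(text: str) -> Set[int]:
    """Collect the leading PID of each `pgrep -lf` style line."""
    pids = set()
    for line in text.splitlines():
        m = re.match(r"\s*(\d+)\s", line)
        if m:
            pids.add(int(m.group(1)))
    return pids


def is_wildcard_v6(listener: Listener) -> bool:
    """True for tcp6/udp6 sockets bound to every IPv6 address ('*:port')."""
    return listener.proto in ("tcp6", "udp6") and listener.local.startswith("*:")


def find_jail_v6_wildcards(sockstat_text: str, jail_pids_text: str) -> List[Listener]:
    """Return IPv6 wildcard listeners whose PID is in the jail's process list.
    These are exactly the sockets the report describes as reachable on the host."""
    jail_pids = parse_jail_pids(jail_pids_text)
    return [l for l in parse_sockstat(sockstat_text)
            if is_wildcard_v6(l) and l.pid in jail_pids]


def report(listeners: List[Listener]) -> List[str]:
    """One human-readable finding per offending socket."""
    return [f"jailed {l.command} (pid {l.pid}) listens on {l.proto} {l.local} host-wide"
            for l in listeners]


if __name__ == "__main__":
    for line in report(find_jail_v6_wildcards(SAMPLE_SOCKSTAT, SAMPLE_PGREP_JAIL)):
        print(line)
```

On a real host the two inputs would come from `sockstat -l` and `pgrep -lfj <jid>` for each jail; a non-empty result means a jailed service has claimed an IPv6 port for the whole host and that the host's own copy of that service (sshd, syslogd) will not receive IPv6 connections. Until the kernel change lands, the mitigation the report itself points to is to keep jailed services off IPv6 (for example syslogd_flags="-4") or bind them to an explicit address rather than *.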