From owner-freebsd-hackers Mon Mar 16 13:13:26 1998
From: Archie Cobbs
Message-Id: <199803162112.NAA26173@bubba.whistle.com>
Subject: DIVERT Sockets... (fwd)
To: freebsd-hackers@FreeBSD.ORG
Date: Mon, 16 Mar 1998 13:12:32 -0800 (PST)

Can someone who knows more about TCP + source routing than me take a look at the issue raised below?

Thanks,
-Archie
___________________________________________________________________________
Archie Cobbs * Whistle Communications, Inc. * http://www.whistle.com

---------- Forwarded message ----------
Date: Fri, 6 Mar 1998 01:01:51 -0600 (CST)
From: tqbf@secnet.com
To: freebsd-security@freebsd.org
Subject: DIVERT Sockets...

Hey there. I have a question, hopefully not a heads-up: IP "divert" processing in ip_input() causes IP option processing to be skipped (basically, "divert" sockets are just a "goto" in the IP processing code that says "process this packet as if it was ours").
I am wondering if y'all see the same problem I do here, which is that IPDIVERT doesn't reset ip_nhops to zero before "accepting" packets for input. Recall that "ip_nhops" specifies whether the current packet causes a source route to be recorded; if ip_nhops is nonzero, ip_srcroute will return a reversed recorded route from the last accepted source-routed packet. Each time a new valid packet is accepted, "ip_nhops" is supposed to be reset to zero.

The TCP input code blindly calls ip_srcroute() when a connection is being established to see if the SYN connection-soliciting packet was source routed; if it was, it uses the recorded route for all future packets for this connection.

Because of the IPDIVERT hack, it seems to me that anyone can send a source routed packet right before a diverted SYN packet, and that SYN packet will follow the reverse of the source route. On networks that don't drop source routed packets, this would allow remote attackers to hijack arbitrary connections remotely without direct network access to the path those connections take.

I don't know enough about IPDIVERT to tell if this is the case; I am trying to wade through the code to see if divert sockets modify IP output not to send source routed packets.

-----------------------------------------------------------------------------
Thomas H. Ptacek Secure Networks, Inc.
-----------------------------------------------------------------------------
http://www.enteract.com/~tqbf "mmm... sacrilicious"
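The state-reset defect Ptacek describes, as an added simplified model that is not FreeBSD's ip_input.c and not part of the original thread: a global hop record is cleared by the normal option-processing path but survives across the divert path, so the next SYN inherits the previous packet's reversed route. Only ip_nhops and ip_srcroute() are names from the post; the packet struct, the two *_model functions and the sample hop addresses are hypothetical, and the reset_on_divert flag stands in for the missing reset.

```c
#include <string.h>

/* Simplified model of the state the post describes, added here; it is NOT
 * FreeBSD's ip_input.c. ip_nhops and ip_srcroute() are names from the post;
 * everything else is hypothetical. */
#define MAX_HOPS 9
static int      ip_nhops;            /* hops recorded from the last accepted packet */
static unsigned ip_srcrt[MAX_HOPS];  /* recorded hop addresses, arrival order */

struct pkt { int nhops; unsigned hops[MAX_HOPS]; }; /* nhops == 0: no option */

/* Normal input path: option processing clears the record for every packet,
 * then fills it only if this packet really carries a source route. */
static void ip_dooptions_model(const struct pkt *p)
{
    ip_nhops = 0;
    if (p->nhops > 0) {
        ip_nhops = p->nhops;
        memcpy(ip_srcrt, p->hops, (size_t)p->nhops * sizeof ip_srcrt[0]);
    }
}

/* What tcp_input() asks for on a SYN: the recorded route, reversed.
 * Returns the hop count; 0 means no route gets attached to the connection. */
static int ip_srcroute_model(unsigned *out)
{
    for (int i = 0; i < ip_nhops; i++)
        out[i] = ip_srcrt[ip_nhops - 1 - i];
    return ip_nhops;
}

/* Divert path as the post describes it: option processing is skipped, so the
 * previous packet's record survives unless the divert path clears it too. */
static void ip_divert_accept_model(int reset_on_divert)
{
    if (reset_on_divert)
        ip_nhops = 0;
}

/* Scenario from the post: a source-routed packet arrives, then a diverted SYN
 * carrying no option. Returns the hop count that SYN's connection inherits. */
int hops_inherited_by_diverted_syn(int reset_on_divert)
{
    const struct pkt routed = { 2, { 0x0a000001u, 0x0a000002u } }; /* constructed */
    unsigned rev[MAX_HOPS];
    ip_dooptions_model(&routed);             /* packet 1: records the route */
    ip_divert_accept_model(reset_on_divert); /* packet 2: the diverted SYN */
    return ip_srcroute_model(rev);           /* what tcp_input() would see */
}
```

With reset_on_divert set to 0 the diverted SYN sees the two stale hops; with it set to 1 it sees none, which is the behaviour the normal path already guarantees.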