From owner-freebsd-security  Wed May 27 03:39:44 1998
Return-Path:
Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id DAA28231 for freebsd-security-outgoing; Wed, 27 May 1998 03:39:44 -0700 (PDT) (envelope-from owner-freebsd-security@FreeBSD.ORG)
Received: from verdi.nethelp.no (verdi.nethelp.no [158.36.41.162]) by hub.freebsd.org (8.8.8/8.8.8) with SMTP id DAA28210 for ; Wed, 27 May 1998 03:39:34 -0700 (PDT) (envelope-from sthaug@nethelp.no)
From: sthaug@nethelp.no
Received: (qmail 9795 invoked by uid 1001); 27 May 1998 10:39:30 +0000 (GMT)
To: bag@sinbin.demos.su
Cc: andrew@squiz.co.nz, sysadmin@mfn.org, freebsd-security@FreeBSD.ORG
Subject: Re: Possible DoS opportunity via ping implementation error?
In-Reply-To: Your message of "Wed, 27 May 1998 11:48:19 +0400 (MSD)"
References: <199805270748.LAA23285@sinbin.demos.su>
X-Mailer: Mew version 1.05+ on Emacs 19.34.2
Mime-Version: 1.0
Content-Type: Text/Plain; charset=us-ascii
Date: Wed, 27 May 1998 12:39:30 +0200
Message-ID: <9793.896265570@verdi.nethelp.no>
Sender: owner-freebsd-security@FreeBSD.ORG
Precedence: bulk

> > >I had a very interesting day today! I found out that FBSD (2.2.5R)
> > >machines will always respond to a broadcasted echo request. For example:
> >
> > This contradicts the CERT Advisory below which states that FreeBSD does not
> > have the problem.
> >
> > Either the CERT report is wrong, a problem has been introduced since, or
> > it's specific to the way you've set up your boxes.
>
> The CERT report is wrong.
> I checked -current (Apr 23) and found that it responds to broadcast ping
> (default net.inet.icmp.bmcastecho=1), but it also responds to broadcast
> after sysctl -w net.inet.icmp.bmcastecho=0.
> The good news is that in both cases it does not respond from aliases :)

The problematic code is the following, from the icmp_input() routine in
sys/netinet/ip_icmp.c:

	case ICMP_ECHO:
		if (!icmpbmcastecho
		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0
		    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
			icmpstat.icps_bmcastecho++;
			break;
		}
		icp->icmp_type = ICMP_ECHOREPLY;
		goto reflect;

The icmpbmcastecho variable is set according to net.inet.icmp.bmcastecho.
I guess setting net.inet.icmp.bmcastecho=0 is *meant* to turn off both
multicast and broadcast echo; however, this line

		    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {

only tests whether the destination address is a multicast address (i.e.
class D), when in reality it also needs to test whether it's one of the
acceptable broadcast addresses for this host (i.e. all ones, and for every
interface: all ones in host part, all zeros in host part, etc). Such a
test is done by the in_broadcast() routine in sys/netinet/in.c.

I found it just as logical to simply remove the whole test, but I'll let
somebody else decide on whether this is the correct fix. I also changed
the initialization of the icmpbmcastecho variable, so it now defaults to
off (no multicast/broadcast echo).

The following patch is against 2.2-980506-SNAP (ip_icmp.c,v 1.22.2.2),
but should work equally well against FreeBSD-current.

Late breaking news: I just checked -current on ftp.cdrom.com, and it now
has the IN_MULTICAST test removed. It still initializes icmpbmcastecho to 1,
though. I think it *should* default to 0 (off).

Steinar Haug, Nethelp consulting, sthaug@nethelp.no
----------------------------------------------------------------------
*** ip_icmp.c.orig	Mon Aug 25 18:33:02 1997
--- ip_icmp.c	Wed May 27 12:20:55 1998
***************
*** 71,77 ****
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
! static int icmpbmcastecho = 1;
  SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW,
  	&icmpbmcastecho, 0, "");
--- 71,77 ----
  SYSCTL_INT(_net_inet_icmp, ICMPCTL_MASKREPL, maskrepl, CTLFLAG_RW,
  	&icmpmaskrepl, 0, "");
! static int icmpbmcastecho = 0;
  SYSCTL_INT(_net_inet_icmp, OID_AUTO, bmcastecho, CTLFLAG_RW,
  	&icmpbmcastecho, 0, "");
***************
*** 377,384 ****
  	case ICMP_ECHO:
  		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0
! 		    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
--- 377,383 ----
  	case ICMP_ECHO:
  		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
  			icmpstat.icps_bmcastecho++;
  			break;
  		}
***************
*** 387,394 ****
  	case ICMP_TSTAMP:
  		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0
! 		    && IN_MULTICAST(ntohl(ip->ip_dst.s_addr))) {
  			icmpstat.icps_bmcasttstamp++;
  			break;
  		}
--- 386,392 ----
  	case ICMP_TSTAMP:
  		if (!icmpbmcastecho
! 		    && (m->m_flags & (M_MCAST | M_BCAST)) != 0) {
  			icmpstat.icps_bmcasttstamp++;
  			break;
  		}

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe security" in the body of the message
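Review bot: in the 71,77 hunk, flipping `static int icmpbmcastecho = 1;` to `= 0` changes behaviour for every installation that never touched the sysctl, so the new default needs a release-note entry and a mention in the sysctl documentation; while the declaration is being edited, both SYSCTL_INT lines in this hunk still pass `""` as the description, and bmcastecho in particular should get a real one (something like "reply to ICMP echo/timestamp requests sent to broadcast or multicast addresses") so `sysctl -d` tells operators what the knob does.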
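Review bot: in the 377,384 hunk, with the `IN_MULTICAST(ntohl(ip->ip_dst.s_addr))` clause gone, the only thing that decides whether a broadcast echo is suppressed is `(m->m_flags & (M_MCAST | M_BCAST)) != 0`, i.e. the link layer's classification of the frame rather than the IP destination. The covering message itself names in_broadcast() in sys/netinet/in.c (which takes the destination address and the receiving interface) as the address-level test; if the intent is to also cover datagrams addressed to one of this host's broadcast addresses that reach icmp_input() without M_BCAST set, the condition should consult the destination address via IN_MULTICAST() or in_broadcast() instead of, or in addition to, the mbuf flags. Whichever is chosen, a one-line comment above the `if` stating which case the flags-only test is meant to catch would save the next reader from re-deriving it.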
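Review bot: the 387,394 hunk applies the same flags-only change to `case ICMP_TSTAMP:`, which is consistent with the echo hunk, but it means the single `icmpbmcastecho` variable now gates two reply types while the sysctl is named bmcastecho; a short comment at this case (and a matching note in the sysctl description) should say that `bmcastecho=0` also suppresses broadcast timestamp replies. The separate `icmpstat.icps_bmcasttstamp++` counter is kept distinct from icps_bmcastecho, which is right, since operators may want to see the two suppression counts separately.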
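As an added illustration, not code from Steinar's message or from the FreeBSD source, the following reduces the three conditions discussed in the thread to plain C so they can be compared on the same inputs: the original flags-plus-IN_MULTICAST test, the patched flags-only test, and an address-based test modelled on the message's description of what in_broadcast() checks. The interface table, the M_BCAST/M_MCAST values and all addresses are constructed for the example; the mbuf, sysctl and ifnet machinery is replaced by plain integers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed stand-ins for the kernel mbuf flags the patch tests on.
 * Only their presence matters here, not the numeric values. */
#define M_BCAST 0x0100
#define M_MCAST 0x0200

/* One configured IPv4 interface address, host byte order (constructed). */
struct ifaddr4 {
    uint32_t addr;
    uint32_t mask;
};

static const struct ifaddr4 ifaces[] = {
    { 0xC0A80105u, 0xFFFFFF00u },   /* 192.168.1.5/24 */
    { 0x0A000002u, 0xFFFF0000u },   /* 10.0.0.2/16    */
};

/* IN_MULTICAST: class D, 224.0.0.0/4. */
static int is_multicast(uint32_t dst)
{
    return (dst & 0xF0000000u) == 0xE0000000u;
}

/* Address-level broadcast test modelled on the message's description of
 * in_broadcast(): limited broadcast, old-style all-zeros broadcast, and for
 * every interface the all-ones and all-zeros host part of its network. */
static int is_broadcast(uint32_t dst)
{
    size_t i;

    if (dst == 0xFFFFFFFFu || dst == 0x00000000u)
        return 1;
    for (i = 0; i < sizeof ifaces / sizeof ifaces[0]; i++) {
        uint32_t net = ifaces[i].addr & ifaces[i].mask;

        if (dst == (net | ~ifaces[i].mask))   /* all ones in host part  */
            return 1;
        if (dst == net)                        /* all zeros in host part */
            return 1;
    }
    return 0;
}

/* Original condition: suppress only if the frame was link-layer bcast/mcast
 * AND the IP destination is class D.  A subnet broadcast such as
 * 192.168.1.255 fails the second clause and is therefore still answered. */
static int drop_original(int bmcastecho, int m_flags, uint32_t dst)
{
    return !bmcastecho
        && (m_flags & (M_MCAST | M_BCAST)) != 0
        && is_multicast(dst);
}

/* Patched condition: suppress whenever the frame was link-layer bcast/mcast. */
static int drop_patched(int bmcastecho, int m_flags, uint32_t dst)
{
    (void)dst;   /* destination address is no longer consulted */
    return !bmcastecho && (m_flags & (M_MCAST | M_BCAST)) != 0;
}

/* Address-based alternative the message points at: suppress if the
 * destination is multicast or one of this host's broadcast addresses,
 * independent of the link-layer flags. */
static int drop_by_address(int bmcastecho, uint32_t dst)
{
    return !bmcastecho && (is_multicast(dst) || is_broadcast(dst));
}

static void show(const char *label, int m_flags, uint32_t dst)
{
    printf("%-26s orig=%d patched=%d by_addr=%d\n", label,
           drop_original(0, m_flags, dst),
           drop_patched(0, m_flags, dst),
           drop_by_address(0, dst));
}

int main(void)
{
    /* bmcastecho=0 in every row; 1 means the echo request is dropped. */
    show("192.168.1.255 (subnet bc)", M_BCAST, 0xC0A801FFu);
    show("255.255.255.255",           M_BCAST, 0xFFFFFFFFu);
    show("224.0.0.1 (multicast)",     M_MCAST, 0xE0000001u);
    show("192.168.1.7 (unicast)",     0,       0xC0A80107u);
    return 0;
}
```

The first row is the case the thread is about: with the sysctl off, the original test still answers a subnet-broadcast echo because 192.168.1.255 is not class D, whereas both the patched flags-only test and the address-based test suppress it. The address-based variant is the one that does not depend on the link layer having marked the frame.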