From owner-svn-src-head@freebsd.org Fri Mar 22 07:39:29 2019 Return-Path: Delivered-To: svn-src-head@mailman.ysv.freebsd.org Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1]) by mailman.ysv.freebsd.org (Postfix) with ESMTP id 820EA155D92D; Fri, 22 Mar 2019 07:39:29 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from mxrelay.nyi.freebsd.org (mxrelay.nyi.freebsd.org [IPv6:2610:1c1:1:606c::19:3]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) server-signature RSA-PSS (4096 bits) client-signature RSA-PSS (4096 bits) client-digest SHA256) (Client CN "mxrelay.nyi.freebsd.org", Issuer "Let's Encrypt Authority X3" (verified OK)) by mx1.freebsd.org (Postfix) with ESMTPS id 216056EAA3; Fri, 22 Mar 2019 07:39:29 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org (repo.freebsd.org [IPv6:2610:1c1:1:6068::e6a:0]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (Client did not present a certificate) by mxrelay.nyi.freebsd.org (Postfix) with ESMTPS id EE93A1D414; Fri, 22 Mar 2019 07:39:28 +0000 (UTC) (envelope-from kp@FreeBSD.org) Received: from repo.freebsd.org ([127.0.1.37]) by repo.freebsd.org (8.15.2/8.15.2) with ESMTP id x2M7dSqA039532; Fri, 22 Mar 2019 07:39:28 GMT (envelope-from kp@FreeBSD.org) Received: (from kp@localhost) by repo.freebsd.org (8.15.2/8.15.2/Submit) id x2M7dSX8039530; Fri, 22 Mar 2019 07:39:28 GMT (envelope-from kp@FreeBSD.org) Message-Id: <201903220739.x2M7dSX8039530@repo.freebsd.org> X-Authentication-Warning: repo.freebsd.org: kp set sender to kp@FreeBSD.org using -f From: Kristof Provost Date: Fri, 22 Mar 2019 07:39:28 +0000 (UTC) To: src-committers@freebsd.org, svn-src-all@freebsd.org, svn-src-head@freebsd.org Subject: svn commit: r345409 - head/tests/sys/netpfil/pf X-SVN-Group: head X-SVN-Commit-Author: kp X-SVN-Commit-Paths: head/tests/sys/netpfil/pf X-SVN-Commit-Revision: 345409 X-SVN-Commit-Repository: base MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit X-Rspamd-Queue-Id: 216056EAA3 X-Spamd-Bar: -- Authentication-Results: mx1.freebsd.org X-Spamd-Result: default: False [-2.97 / 15.00]; local_wl_from(0.00)[FreeBSD.org]; NEURAL_HAM_MEDIUM(-1.00)[-0.999,0]; NEURAL_HAM_SHORT(-0.97)[-0.971,0]; ASN(0.00)[asn:11403, ipnet:2610:1c1:1::/48, country:US]; NEURAL_HAM_LONG(-1.00)[-1.000,0] X-BeenThere: svn-src-head@freebsd.org X-Mailman-Version: 2.1.29 Precedence: list List-Id: SVN commit messages for the src tree for head/-current List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Fri, 22 Mar 2019 07:39:29 -0000 Author: kp Date: Fri Mar 22 07:39:28 2019 New Revision: 345409 URL: https://svnweb.freebsd.org/changeset/base/345409 Log: pf tests: Test CVE-2019-5598 Verify that pf correctly drops inconsistent ICMP packets (i.e. where the IP src/dst do not match the IP src/dst in the ICMP packet. Added: head/tests/sys/netpfil/pf/CVE-2019-5598.py (contents, props changed) head/tests/sys/netpfil/pf/icmp.sh (contents, props changed) Modified: head/tests/sys/netpfil/pf/Makefile Added: head/tests/sys/netpfil/pf/CVE-2019-5598.py ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/pf/CVE-2019-5598.py Fri Mar 22 07:39:28 2019 (r345409) @@ -0,0 +1,130 @@ +#!/usr/local/bin/python2.7 + +import argparse +import scapy.all as sp +import sys +from sniffer import Sniffer + +def check_icmp_error(args, packet): + ip = packet.getlayer(sp.IP) + if not ip: + return False + if ip.dst != args.to[0]: + return False + + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + if icmp.type != 3 or icmp.code != 3: + return False + + return True + +def main(): + parser = argparse.ArgumentParser("CVE-2019-icmp.py", + description="CVE-2019-icmp test tool") + parser.add_argument('--sendif', nargs=1, + required=True, + help='The interface through which the packet will be sent') + parser.add_argument('--recvif', nargs=1, + required=True, + help='The interface on which to check for the packet') + parser.add_argument('--src', nargs=1, + required=True, + help='The source IP address') + parser.add_argument('--to', nargs=1, + required=True, + help='The destination IP address') + + args = parser.parse_args() + + # Send the allowed packet to establish state + udp = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(udp, iface=args.sendif[0], verbose=False) + + # Start sniffing on recvif + sniffer = Sniffer(args, check_icmp_error) + + # Send the bad error packet + icmp_reachable = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.ICMP(type=3, code=3) / \ + sp.IP(src="4.3.2.1", dst="1.2.3.4") / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) + + sniffer.join() + if sniffer.foundCorrectPacket: + sys.exit(1) + + sys.exit(0) + +if __name__ == '__main__': + main() +#!/usr/local/bin/python2.7 + +import argparse +import scapy.all as sp +import sys +from sniffer import Sniffer + +def check_icmp_error(args, packet): + ip = packet.getlayer(sp.IP) + if not ip: + return False + if ip.dst != args.to[0]: + return False + + icmp = packet.getlayer(sp.ICMP) + if not icmp: + return False + if icmp.type != 3 or icmp.code != 3: + return False + + return True + +def main(): + parser = argparse.ArgumentParser("CVE-2019-icmp.py", + description="CVE-2019-icmp test tool") + parser.add_argument('--sendif', nargs=1, + required=True, + help='The interface through which the packet will be sent') + parser.add_argument('--recvif', nargs=1, + required=True, + help='The interface on which to check for the packet') + parser.add_argument('--src', nargs=1, + required=True, + help='The source IP address') + parser.add_argument('--to', nargs=1, + required=True, + help='The destination IP address') + + args = parser.parse_args() + + # Send the allowed packet to establish state + udp = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(udp, iface=args.sendif[0], verbose=False) + + # Start sniffing on recvif + sniffer = Sniffer(args, check_icmp_error) + + # Send the bad error packet + icmp_reachable = sp.Ether() / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.ICMP(type=3, code=3) / \ + sp.IP(src=args.src[0], dst=args.to[0]) / \ + sp.UDP(dport=53, sport=1234) + sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False) + + sniffer.join() + if sniffer.foundCorrectPacket: + sys.exit(1) + + sys.exit(0) + +if __name__ == '__main__': + main() Modified: head/tests/sys/netpfil/pf/Makefile ============================================================================== --- head/tests/sys/netpfil/pf/Makefile Fri Mar 22 06:36:40 2019 (r345408) +++ head/tests/sys/netpfil/pf/Makefile Fri Mar 22 07:39:28 2019 (r345409) @@ -16,15 +16,18 @@ ATF_TESTS_SH+= anchor \ route_to \ synproxy \ set_skip \ - pfsync + pfsync \ + icmp ${PACKAGE}FILES+= utils.subr \ echo_inetd.conf \ sniffer.py \ pft_ping.py \ - CVE-2019-5597.py + CVE-2019-5597.py \ + CVE-2019-5598.py ${PACKAGE}FILESMODE_pft_ping.py= 0555 ${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555 +${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555 .include Added: head/tests/sys/netpfil/pf/icmp.sh ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ head/tests/sys/netpfil/pf/icmp.sh Fri Mar 22 07:39:28 2019 (r345409) @@ -0,0 +1,99 @@ +# $FreeBSD$ + +. $(atf_get_srcdir)/utils.subr + +atf_test_case "cve_2019_5598" "cleanup" +cve_2019_5598_head() +{ + atf_set descr 'Test CVE-2019-5598' + atf_set require.user root + atf_set require.progs scapy +} + +cve_2019_5598_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + ifconfig ${epair_in}a 192.0.2.1/24 up + ifconfig ${epair_out}a up + + vnet_mkjail alcatraz ${epair_in}b ${epair_out}b + jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 + jexec alcatraz route add default 198.51.100.3 + route add -net 198.51.100.0/24 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz "block all" \ + "pass in proto udp to 198.51.100.3 port 53" \ + "pass out proto udp to 198.51.100.3 port 53" + + atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \ + --sendif ${epair_in}a \ + --recvif ${epair_out}a \ + --src 192.0.2.1 \ + --to 198.51.100.3 +} + +cve_2019_5598_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "cve_2019_5598" +} +# $FreeBSD$ + +. $(atf_get_srcdir)/utils.subr + +atf_test_case "cve_2019_5598" "cleanup" +cve_2019_5598_head() +{ + atf_set descr 'Test CVE-2019-5598' + atf_set require.user root + atf_set require.progs scapy +} + +cve_2019_5598_body() +{ + pft_init + + epair_in=$(vnet_mkepair) + epair_out=$(vnet_mkepair) + ifconfig ${epair_in}a 192.0.2.1/24 up + ifconfig ${epair_out}a up + + vnet_mkjail alcatraz ${epair_in}b ${epair_out}b + jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up + jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up + jexec alcatraz sysctl net.inet.ip.forwarding=1 + jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05 + route add -net 198.51.100.0/24 192.0.2.2 + + jexec alcatraz pfctl -e + pft_set_rules alcatraz "block all" \ + "pass in proto udp to 198.51.100.3 port 53" \ + "pass out proto udp to 198.51.100.3 port 53" + + atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \ + --sendif ${epair_in}a \ + --recvif ${epair_out}a \ + --src 192.0.2.1 \ + --to 198.51.100.3 +} + +cve_2019_5598_cleanup() +{ + pft_cleanup +} + +atf_init_test_cases() +{ + atf_add_test_case "cve_2019_5598" +}