I was sitting in my iptables class the other day, and was watctching our instructor write one of the basic firewall rules that is written every time. It is to allow all traffic in and out on the loopback.
This got me thinking - they were doing no other checks on source/dest ip at all. Pretty much every other firewall how-to I've seen does the same thing, allow loopback regardless.
Now, imagine that we took a linux box, and instead of having the loopback address being 127.0.0.1, make it something else, like 7.7.7.7 (sorry DoD). Then, add a route to 127.0.0.1, with the gateway being the remote host/router you're trying to attack.
The idea is that if you send a packet to 127.0.0.1, it will not go to the lo interface, but instead out to the host you are trying to attack. When the host relieves the packet, it would, theoretically "route" the packet to the loopback interface.
Wow, we can send a packet to the loopback address. What's the point? Say you're running a web server, and also have mysqld running on it. The smart thing to do is make mysql only listen on 127.0.0.1, so that outside users cannot access it. If we can send a packet to the host, and have it route to 127.0.0.1, we could potentially access it from the outside.
The problems:
1) This "attack" could be thwarted by a properly configured firewall.
2) You could only "attack" a host on the same subnet, since there is no way a packet destined for 127.0.0.1 would traverse a router.
3) The big one: the linux ipv4 routing implementation has sanity checks that reject (and logs) all packets with a source or destination in the 127/8 subnet block. They are "martian" packets. Check in the kernel, in net/ipv4/route.c
I'm going to have to do some more research on this topic, but I'd guess that no (modern) kernel's IP implementation would be fooled by this. I've been having problems testing, because the routing engine isn't sending packets to 127/8 addresses out over the wire. I was working on hacking the kernel to allow this for the attacker machine, but I got tired of looking though lot's of C code that I can't really understand.
Oh well, better luck next time.
On another, semi-related not:
Every address in the 127/8 block is a loopback address. You can set services to listen on 127.0.0.2, and you have to connect to them at that ip. With this, you can set services to listen on different loopback ip's, but the same port. Handy for things like running multiple we apps on the same box.
Subscribe to:
Post Comments (Atom)
Nice work. :-)
ReplyDeleteNow, if you figured out how to hack the kernel to allow for the attack to take place, that would be really, really nice. :-)
P.S. Looked through the code you mentioned, found a bunch of references to martian packets
Well, I was working on it some, but got compile errors, and I didn't feel like working through them.
ReplyDeleteMost of the errors were a result of me not knowing C syntax, and it being late/me being tired. I'm going to continue working on it and see what I can get.
As I understand, martian packets are packets that come in on an interface they shouldn't be heard on. Packets with a source of 255.255.255.255 or a dest of 0.0.0.0, or packets which go to/from loopback.
If I'm reading correctly, localhost traffic essentially short-circuits all routing. It also short-circuits the physical interface if a 127/8 address is assigned to a real interface.