Tuesday, September 22, 2009

"Hacking" out of a stateless firewall

So, when I was playing around in the kernel working on my previous entry, I found /proc/sys/net/ipv4/ip_local_port_range. The default value in my Adios sandbox VM is "32768 61000".

This is the range of ports that the kernel's TCP/IP stack will choose for the SOURCE port of new outgoing connections. That's alright, but it'd be cool if I could do something useful with it. Well, it became cool with the firewall rule my instructor wrote in my iptables class tonight.

iptables -I INPUT -i eth1 -p tcp --dport 22 -j ACCEPT #Accept incoming with a dest port of 22 - tcp
iptables -I OUTPUT -o eth1 -p tcp --sport 22 -j ACCEPT #Accept outgoing with a src port of 22 - tcp

Well, this is all well and good, a basic, stateless firewall to allow SSH clients to connect to the server.

But, it got me thinking...if I could compromise that host, then set ip_local_port_range to just port 22, I could get out, to any host/service I wanted.

So, what to do....start up a couple of VM's and try, of course!

Turns out, it actually worked. I set ip_local_port_range to "22 23" to use port 22. Screenshots to follow.


When could this be exploited? If you had a server in a DMZ. The goal of the DMZ is to isolate it from the rest of the network (workstations and internal servers). If you were using stateless filtering on the firewall from the DMZ into the enterprise network, this method could bypass that firewall. The rule you put in place to allow internal users to connect to the server, and for the server to respond, becomes the attack vector. This doesn't have to be SSH, but any port open in both directions so the clients can connect to the server - HTTP, SMTP, IMAP, POP, doesn't matter.

Note: I know, if the firewall is on the host it's useless, just disable the firewall. But if the firewall were on another machine that you can't/haven't compromised, then it comes into play. No enterprise DMZ firewall is running on their web server....I'd hope...


So, what can be done to prevent this? Using stateful packet filtering is best. At the very least, you could add rules to not allow packets with a SYN and no ACK flag out of your DMZ. This would still leave a similar vector open for UDP attacks, and using a stateful firewall, where the states are maintained on the firewall and not just the host, would be more secure.

Screenshots:

SSH:


HTTP connection using wget:


SSH connection in netstat, notice the source and destination port are both 22:



Addition:
The "better" rules for stateless filtering are as follows:

iptables -I OUTPUT -o eth1 -p tcp --sport 22 -j ACCEPT
iptables -I OUTPUT -o eth1 -p tcp --sport 22 --tcp-flags SYN,ACK SYN -j DROP

That second rule will not allow new connections out. If a packet has the SYN flag set without the ACK flag set, it drops it. The -I means that the rule will be inserted above the previous, and thus will match first and drop the packets.
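As an added example (not code from the original post), here is a small Python audit of an `iptables -S OUTPUT` dump that flags stateless `--sport` ACCEPT rules with no earlier SYN-without-ACK DROP guard in front of them, i.e. the exact rule shape the ip_local_port_range trick above abuses. The sample ruleset is constructed: the class rule for port 22 with its guard, plus an unguarded port 80 rule and a conntrack rule for contrast.

```python
import shlex
# Constructed sample in `iptables -S OUTPUT` format: the class ruleset from the
# post plus the "better" SYN-drop guard for port 22, and an unguarded port 80.
SAMPLE_RULES = """\
-P OUTPUT DROP
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 --tcp-flags SYN,ACK SYN -j DROP
-A OUTPUT -o eth1 -p tcp -m tcp --sport 22 -j ACCEPT
-A OUTPUT -o eth1 -p tcp -m tcp --sport 80 -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
"""

def parse_rule(line):
    """Pull chain, --sport, --tcp-flags, --ctstate and -j out of one -A line."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-A":
        return None                      # -P policy lines and comments are skipped
    rule = {"chain": toks[1], "sport": None, "flags": None, "state": None, "target": None}
    for i, opt in enumerate(toks):
        if opt == "--sport":
            rule["sport"] = toks[i + 1]
        elif opt == "--tcp-flags":       # mask, then the bits that must be set
            rule["flags"] = (toks[i + 1], toks[i + 2])
        elif opt == "--ctstate":
            rule["state"] = toks[i + 1]
        elif opt == "-j":
            rule["target"] = toks[i + 1]
    return rule

def drops_new_connections(rule):
    """True if the rule DROPs packets with SYN set and ACK clear (a new outbound connection)."""
    if rule["target"] != "DROP" or rule["flags"] is None:
        return False
    mask, comp = (set(f.split(",")) for f in rule["flags"])
    return {"SYN", "ACK"} <= mask and "SYN" in comp and "ACK" not in comp

def unguarded_sport_accepts(dump):
    """Source ports ACCEPTed statelessly with no SYN-drop guard listed before them."""
    guarded, findings = set(), []        # a guard with no --sport (None) covers every port
    for line in dump.splitlines():
        rule = parse_rule(line)
        if rule is None or rule["chain"] != "OUTPUT":
            continue
        if drops_new_connections(rule):
            guarded.add(rule["sport"])
        elif (rule["target"] == "ACCEPT" and rule["sport"]
              and rule["state"] is None           # --ctstate rules are stateful, fine
              and rule["sport"] not in guarded and None not in guarded):
            findings.append(rule["sport"])
    return findings
```

Feed it the real output of `iptables -S OUTPUT` and any port it returns is one a compromised host could set ip_local_port_range to and walk out through.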

Friday, September 18, 2009

Sending a packet to 127.0.0.1

I was sitting in my iptables class the other day, and was watching our instructor write one of the basic firewall rules that is written every time. It is to allow all traffic in and out on the loopback.

This got me thinking - they were doing no other checks on source/dest ip at all. Pretty much every other firewall how-to I've seen does the same thing, allow loopback regardless.

Now, imagine that we took a linux box, and instead of having the loopback address being 127.0.0.1, make it something else, like 7.7.7.7 (sorry DoD). Then, add a route to 127.0.0.1, with the gateway being the remote host/router you're trying to attack.

The idea is that if you send a packet to 127.0.0.1, it will not go to the lo interface, but instead out to the host you are trying to attack. When the host receives the packet, it would, theoretically, "route" the packet to the loopback interface.

Wow, we can send a packet to the loopback address. What's the point? Say you're running a web server, and also have mysqld running on it. The smart thing to do is make mysql only listen on 127.0.0.1, so that outside users cannot access it. If we can send a packet to the host, and have it route to 127.0.0.1, we could potentially access it from the outside.

The problems:
1) This "attack" could be thwarted by a properly configured firewall.
2) You could only "attack" a host on the same subnet, since there is no way a packet destined for 127.0.0.1 would traverse a router.
3) The big one: the linux ipv4 routing implementation has sanity checks that reject (and log) all packets with a source or destination in the 127/8 subnet block. They are "martian" packets. Check in the kernel, in net/ipv4/route.c

I'm going to have to do some more research on this topic, but I'd guess that no (modern) kernel's IP implementation would be fooled by this. I've been having problems testing, because the routing engine isn't sending packets to 127/8 addresses out over the wire. I was working on hacking the kernel to allow this for the attacker machine, but I got tired of looking through lots of C code that I can't really understand.

Oh well, better luck next time.


On another, semi-related note:
Every address in the 127/8 block is a loopback address. You can set services to listen on 127.0.0.2, and you have to connect to them at that IP. With this, you can set services to listen on different loopback IPs, but the same port. Handy for things like running multiple web apps on the same box.
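An added example (not from the original post) showing the note above in practice: two TCP services bound to the same port on 127.0.0.2 and 127.0.0.3, told apart only by the loopback address you connect to, while 127.0.0.1 on that port refuses the connection. It assumes Linux, where the whole 127.0.0.0/8 block sits on lo without any extra interface configuration; the banners and port choice are constructed.

```python
import socket
import threading

def listen_on(ip, port, banner):
    """Bind a one-shot TCP server to one specific 127/8 address.
    Assumes Linux, where every 127.x.y.z address is already on lo."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    srv.bind((ip, port))                 # port 0 lets the kernel pick a free one
    srv.listen(1)

    def answer():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(banner)
        srv.close()

    threading.Thread(target=answer, daemon=True).start()
    return srv.getsockname()[1]          # the port actually bound

def ask(ip, port):
    """Connect to ip:port and return the service's greeting."""
    with socket.create_connection((ip, port), timeout=5) as c:
        return c.recv(64)

def run_demo():
    """Two services on the same port, distinguished only by loopback address."""
    port = listen_on("127.0.0.2", 0, b"app A on 127.0.0.2")
    listen_on("127.0.0.3", port, b"app B on 127.0.0.3")   # same port, other IP
    results = {ip: ask(ip, port) for ip in ("127.0.0.2", "127.0.0.3")}
    try:                                  # nothing is bound on 127.0.0.1:port
        results["127.0.0.1"] = ask("127.0.0.1", port)
    except ConnectionRefusedError:
        results["127.0.0.1"] = b"refused"
    return results

if __name__ == "__main__":
    for ip, reply in run_demo().items():
        print(ip, reply)
```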

Tuesday, August 25, 2009

Network Manager/DBus Scripting

At my University, the wireless networks are secured with Perfigo/Cisco Clean Access. This is all well and good, but it gets annoying having to launch a web browser to sign into the captive portal each time I connect to the network. It's made even more annoying by the fact that many programs (liferea, Pidgin, Thunderbird, etc.) try to connect before I login, and either end up connecting to the captive portal, or getting blocked. Either way, it's annoying.

I'm now looking into using DBus and a script/program to wait 'til I connect to one of a couple of wireless networks, then automatically authenticate using the captive portal for me. I'm still researching, but it seems that Network Manager (gnome network connection management applet) has a DBus interface, like most gui programs these days. After a quick peek around my system, I didn't see it registered to DBus, but I don't really know what I'm doing yet.

I'm thinking about writing the script in Python, as my first real attempt at useful python code (other than my vPython work in physics lab 3+ years ago.) We'll see how it goes.


As a side note: I'm quite tired of network manager applet for many reasons, and am looking for a decent replacement. Any suggestions?

Thursday, July 30, 2009

Apple, Phones, and Telecom - We're getting F'd Over

Alright, I was just reading this article, and it ramped up my hatred of Apple again. For you Apple fanboys, try to stick around, because I'm going to get into some other stuff after the Apple bashing.

Apple really needs to wake up. Or get sued like Microsoft did. Everything they do is designed not to play well with others. If I wanted to use an iPhone/iTouch on Linux, I'd HAVE to jailbreak it. Apple spends too much time making sure that people can only do things their way. You can be different, only if you're the different Apple wants you to be. Reminds me of liberals and their open-mindedness. But I digress - this is not, nor is it ever going to be, a political blog.

Which brings me to phones, and telecom in general. The iPhone is pretty decent hardware, I'll admit it. But, as a phone, it was, until recently, lacking some things that even my el-cheapo LG has. Like recording video. And sending picture/video messages. I have no use for the picture messaging, but it's a pretty basic feature in phones these days - Apple should have gotten it right the first time.

Now, the biggest problem with the iPhone (and most phones) is not the hardware or software that is restricting features, but the carriers. Phone carriers are so interested in making money with their extra features and such, they're really screwing over the customer. Same thing goes for traditional telecoms. Like Time-Warner trying to charge based on usage. The lack of real competition in the market has destroyed any hope of moving forward. With the Ma Bells controlling nearly all of the long-haul connections in the country, it's impossible for anyone to compete. And now the Bells are starting to merge back together.

So, what's my dream? Not quite as epic as MLK's, but I have a dream, that one day, this nation will connect together. That data will move as freely around the country, with no priority for those with the most money or power. That everyone will be able to access the interwebs at blinding speed. Alright, enough of this.

I think that the way current telcos manage the internet is going to hurt the country. We need Internet to be cheap and readily available. I was going to say like electricity, but Enron proved that industry isn't all fun and games either. How to get there, I'm not sure. I'm not usually one for government intervention, but I think if the government did it right, it could work brilliantly. Problem is, once the government gets their hands on it, they'll try to regulate it to death, and use it to bribe the States into doing something (Think Federal Highway funds...)

So, that's my rant. It's late, so I hope it makes sense.

Tuesday, July 28, 2009

Linux Disk Usage

So, my roommate was hunting for a large file/directory on his linux box today, and the way to do it is rather non-obvious.

You want to use the du, or disk usage, command. If you just use the command, you'll get a recursive list of directories and their sizes, probably not what you want. If you want the size of the directory you are in, try du -sh - it'll simply print the size of all the files in the current directory.

More useful, however, is to list the subdirectories, and how big they are. For this, you want the --max-depth= option. The -s option is summarize, it's equivalent to --max-depth=0. Try max depth of 1 or 2, or even higher if you need.

Here is a sample from my computer:

user@computer:~/Videos$ du -sh
73G .

So the Videos folder in my home directory has 73GB worth of files in it. Alright, let's see more:

user@computer:~/Videos$ du -h --max-depth=1
21G ./Movies
53G ./TV Shows
73G .

Well, apparently I have 21GB in the Movies directory and 53GB in the TV Shows directory. Let's see a little more.

user@computer:~/Videos$ du -h --max-depth=2
6.6G ./Movies/Forgetting Sarah Marshall
4.4G ./Movies/Get Smart
4.4G ./Movies/How To Lose Friends And Alienate People
4.5G ./Movies/WALL-E
701M ./Movies/Zach and Miri
21G ./Movies
6.3G ./TV Shows/Big Bang Theory
15G ./TV Shows/Chuck
14G ./TV Shows/Get Smart
19G ./TV Shows/The Office
53G ./TV Shows
73G .

There you go, now you know what movies and TV shows I've got on my computer. Of course, it's all legal backups of stuff I own ;)

Tuesday, July 7, 2009

Redhat Academy - Making Life Easier

When I took the Red Hat Academy courses a while back, I knew enough about linux/unix to make life a lot easier on myself. Here is what I recommend for students doing RHA courses, all the commands are done in the terminal:

1) Add /sbin and /usr/sbin to the path variable. This will let you run commands like mount and fdisk without typing /sbin/fdisk
Open your bash profile in a text editor like nano
nano ~/.bash_profile

Find the line that says:
PATH=$PATH:$HOME/bin
And add to the end of it and make it look like this:
PATH=$PATH:$HOME/bin:/sbin:/usr/sbin
and log out and back in to apply it.

2) Add your user account to sudoers so you can use sudo without a password.
open the /etc/sudoers file in a text editor (linux gurus - I know it's not the best way to do it, but I'm not teaching vi here)
nano /etc/sudoers
At the end of the file, add the following line:
yourusername ALL=(ALL) NOPASSWD: ALL
then save and exit.

You can now type sudo x and it will run x as root. You can also do sudo su - and it will make you root, without entering a password.

That's the two biggies for now - if I think of anything else, I'll post it. If you have any suggestions or ideas, post a comment and I'll see what I can do.

And no requests for me to do your work or anything like that. Not happening.

Addition: The biggest problems that we had when I took the course were dealing with the ipsec VPN. Basically, you had to use VMWare with a bridged network connection, and you had to forward/open ports in any NAT/firewall between you and the server. I recommended OpenVPN as an SSL-based alternative VPN. It has no problems with most firewall/NAT setups, and can be run as a layer 2 or 3 VPN. There are also lots of authentication options, as well as rolling your own. I discussed this VPN option with our instructor, and I think he liked the idea. He wanted me to set up a Fedora server (VM) to test/demo it with, and I didn't have time to mess with it then (and I really dislike Fedora, for reasons I won't get into here). I've basically forgotten about it since then. If any Red Hat administrators would like my help/ideas on this, feel free to contact me. I'd be glad to help.

Linux Security Series - Intro

Alright, I've decided to write a series of how-to articles on linux security. This will be targeted to the linux novice. I'll explain what you want to do, why you would want to do it, and then walk you through how to do it for common distributions.

This will be a work in progress, as I'm going to be doing walk-throughs for multiple distributions. I may have videos for some of the more complicated setups.

Below is a list of the tutorials so far. I'll keep this updated as new ones are added. Or check out the "Linux Security Series" tag.

Tutorials:
1) Su and Sudo
2) Locking Down Logins

If you have any suggestions or tutorials you'd like to see, then make a comment on this post.