netfilter bypassed by nessus using UDP packets with source port
mathieu.delaplace at aquitaine.cci.fr
Fri Apr 1 08:59:03 CEST 2005
Cedric Blancher wrote:
> Le mercredi 30 mars 2005 à 16:45 +0200, grumpy a écrit :
>>I'm using netfilter/iptables on my Debian woody box (kernel 2.6.11-5),
>>and when I want to audit the security of this box with nessus, it tells me :
>>"It is possible to by-pass the rules of the remote firewall by sending
>>UDP packets with a source port equal to 53.
>>An attacker may use this flaw to inject UDP packets to the remote hosts,
>>in spite of the presence of a firewall.
>>It's quite annoying !
> Have you checked if this alert is true, and not some false positive ? I
> don't think so.
You are right, I do not know how to check this (by the way If you know
any documentation that would help, I would be glad to read it).
> I mean, if Nessus sends an UDP packet (any port), it
> will get an ICMP port unreachable. That's typically the normal behaviour
> of an unfiltered box. So Nessus thinks "OK, if there's a firewall
> between me and this box, then this packet went through".
In that case nessus would think the packets it sent to port 1-65635
(except 22 and 3000) went through as well. Wouldn't it ?
> Speaking of your ruleset, what's the point of :
>>-A INPUT -i eth0 -p tcp -m tcp --tcp-flags FIN,SYN FIN,SYN -j DROP
> Linux treats SYN/FIN packets as SYN ones, just as it should be on any
> RFC compliant stack.
nessus told me something like that :
"the remote host does not discard TCP SYN packet which have FIN flag
set. This can allow an attacker to defeat your firewall rules set"
According to you, this is a false positive, thanks for your correction :)
> You ICMP rule is also quite bizarre. First, we can get your timestamp
> looking at your SYN/ACK TCP options when querying port 22 or 3000.
Yes, that's right, I have not thought about it.
> Second, your rule implicitly accepts any ICMP paquets, even with INVALID
I have not thought about it either ...
> Why not instead having something like this :
> -A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
> -A INPUT -i eth0 -p icmp -m icmp --icmp-type 8
> ICMP errors will be handled by RELATED state and ping will be accepted
> (info and netmask requests are not answered by Linux).
Since, it is impossible to prevent somebody to get the timestamp (if I
am not mistaken), I think I will try this :)
(If you would know, I tried to prevent someone to get the timestamp
after nessus told me something like : "the remote host replies to icmp
timestamp requests, it allow an attacker to know about the time set one
the machine and defeat all you time based authentication system")
thanks a lot for all these information
More information about the netfilter