LinuxQuestions.org
Old 05-06-2004, 01:45 PM   #1
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Rep: Reputation: 30
udp vulnerability (nessus report)


One of the security vulnerabilities I got back in my audit report is:

******************
AUDIT:
It is possible to by-pass the rules of the remote firewall
by sending UDP packets with a source port equal to 53.

An attacker may use this flaw to inject UDP packets to the remote
hosts, in spite of the presence of a firewall.

Solution : Review your firewall rules policy
Risk Factor : High
BID : 7436
******************


I have UDP rejected under ipchains, leaving access to only computers that have certain IP addresses, aka a known "safe list" of servers that I know (example: our DNS server). Since I've "corrected" the problem above by blocking all UDP and accepting only known IPs, why is this still showing up in Nessus's audit report, even though all UDP stuff is blocked?
 
Old 05-06-2004, 02:51 PM   #2
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Are you running Nessus from a computer that's on the "Safe List"? Remember that it's not the machine running the Nessus client that actually scans, it's the machine running the Nessus daemon.

The other possibility is that it might be a poorly written probe that just assumes that any UDP packet that doesn't generate an ICMP port-unreachable did actually go through. If your firewall is dropping UDP packets rather than rejecting them, it would *appear* that they've been accepted (because there is no ICMP error) when they were actually dropped.
 
Old 05-06-2004, 04:08 PM   #3
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
Nope, I'm not running my Nessus server from a "friendly"; else it would get past my firewall and report loads of stuff that is actually sealed off. That's the first thing we made sure of.


Last edited by wedgeworth; 05-10-2004 at 03:55 PM.
 
Old 05-10-2004, 03:58 PM   #4
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
Also...

I don't ever drop in my firewall. I only accept and reject. So I'm still not sure why it keeps reporting this vul. Presently, I drop both UDP and ICMP packets in my ipchains. However, this error was happening on my servers before I rejected the ICMP packets. Any idea why this vul. is still showing up?

Last edited by wedgeworth; 05-10-2004 at 04:02 PM.
 
Old 05-10-2004, 05:00 PM   #5
unSpawn
Moderator
 
Registered: May 2001
Posts: 26,944
Blog Entries: 54

Rep: Reputation: 2731
Basically it means that if you don't restrict inbound traffic with a source port of UDP/53 to only come from legitimate DNS servers, someone could forge access by specifying source port UDP/53.
 
Old 05-10-2004, 06:18 PM   #6
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Maybe it would clarify things if you posted your firewall rules so we can tell exactly what's going on.
 
Old 05-11-2004, 01:40 AM   #7
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Hmm, based on another recent post, I'm guessing you're running Red Hat with "lokkit". That pathetic excuse for a firewall allows all packets (to any address, /boggle) with a source port of 53/udp. That's supposed to allow DNS lookups, but it is the absolute worst way to attempt letting them through the firewall.

Someone could quite easily scan and attack all your open UDP ports on the machine, right through your firewall, by simply using port 53/udp as the source for each datagram.
 
Old 05-11-2004, 07:59 AM   #8
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
____________________________________
"Basically it means if you don't restrict inbound traffic with a source port of UDP/53 to only come from legitimate DNS servers someone could forge access by specifiying source port UDP/53."
____________________________________


My last three entries in my ipchains are these:

.
.
.
.
# everyone else
-A input -p tcp -j REJECT -l
-A input -p udp -j REJECT -l
-A input -p icmp -j REJECT -l

Therefore I have restricted inbound traffic. So as far as my DNS server is concerned, it is allowed based on its IP address, so UDP can be blocked for everyone else.

Second:
____________________________________
"I'm guessing you're running Red Hat with "lokkit"
____________________________________
I don't know if lokkit is what I'm running. After looking for it I found this:

# find . -name "*lokkit*"
./usr/sbin/lokkit
./usr/share/doc/lokkit-0.50


But since I only use the command line I don't think that I've used it. I had the above entries directly in my ipchains table. Is lokkit still going to allow the vulnerability you were talking about?

Last edited by wedgeworth; 05-11-2004 at 08:07 AM.
 
Old 05-11-2004, 01:34 PM   #9
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Those reject rules are only your default, though. iptables is first match, so whatever comes above that is what's really important. That's why I suggested that you post your entire firewall ruleset.
 
Old 05-12-2004, 04:05 PM   #10
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
Here is what my ipchains looks like. Hopefully this will help.

# Firewall configuration written by lokkit
# Manual customization of this file is not recommended.
# Note: ifup-post will punch the current nameservers through the
# firewall; such entries will *not* be listed here.
:input ACCEPT
:forward REJECT
:output ACCEPT

# DNS servers
-A input -p tcp -s xx.xxx.xx.xxx domain -j ACCEPT

# reject for "register.asp" spam
-A input -p tcp -s xx.xxx.xxx.xx -j REJECT

# incoming ssh
#-A input -d 0/0 ssh -p tcp -j ACCEPT

# return from outgoing ssh
#-A input -s 0/0 ssh -p tcp -j ACCEPT

# return from outgoing chatterbox info connection
#-A input -s 0/0 4443 -p tcp -j ACCEPT

# incoming http/https
-A input -d 0/0 http -p tcp -j ACCEPT
-A input -d 0/0 https -p tcp -j ACCEPT

# return from outgoing http/https
-A input -s 0/0 http -p tcp -j ACCEPT
-A input -s 0/0 https -p tcp -j ACCEPT

# return from outgoing smtp
-A input -s 0/0 smtp -p tcp -j ACCEPT

# incoming smtp (temp)
-A input -d 0/0 smtp -p tcp -j ACCEPT

# return from outgoing mysql
-A input -s 0/0 mysql -p tcp -j ACCEPT

# localhost
-A input -i lo -j ACCEPT

# office IP
-A input -s xx.xx.xx.xx -j ACCEPT

# mail server
-A input -s xx.xx.xx.xx -j ACCEPT

# another server
-A input -s xx.xx.xx.xx -j ACCEPT

# somebody's home ip
-A input -s xx.xx.xx.xx -j ACCEPT

# everyone else
-A input -p tcp -j REJECT -l
-A input -p udp -j REJECT -l
-A input -p icmp -j REJECT -l
 
Old 05-13-2004, 03:04 AM   #11
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Your firewall looks sound (brief glance, certainly nothing to cause a UDP hole), so I looked at the source of that particular Nessus plugin.

Now I'm not familiar with the Nessus plugin syntax, and I'm also not a brilliant TCP/IP programmer, but it appears to me that the plugin is simply looking for an ICMP "unreachable" error (any of the type 3 codes). Since you're using reject rather than drop for your default, it will return an ICMP unreachable error in response to UDP datagrams, thus I believe this to be a false positive. You can easily make that determination by changing
-A input -p udp -j REJECT -l
to
-A input -p udp -j DROP -l

And rerunning that particular Nessus plugin.
 
Old 05-13-2004, 10:41 AM   #12
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
.

Last edited by wedgeworth; 05-13-2004 at 10:49 AM.
 
Old 05-13-2004, 10:49 AM   #13
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
Unfortunately this does not seem to be the problem. After trying your test:

*************************
# everyone else
-A input -p tcp -j REJECT -l
#-A input -p udp -j REJECT -l
-A input -p udp -j DROP -l
-A input -p icmp -j REJECT -l
*************************

[]# /etc/rc.d/init.d/ipchains restart
Flushing all current rules and user defined chains: [ OK ]
Clearing all current rules and user defined chains: [ OK ]
Applying ipchains firewall rules: Auto-creating chain DROP
[ OK ]

Changing the REJECT to a DROP, I restarted ipchains and then reran my audit. Not only did the same UDP error still remain, but new errors (some sunrpc port 111/tcp errors and some unknown errors from port 32768/udp) have now been added to my audit. These last errors were not there when I was REJECTing UDP instead of DROPing.
 
Old 05-13-2004, 02:43 PM   #14
chort
Senior Member
 
Registered: Jul 2003
Location: Silicon Valley, USA
Distribution: OpenBSD 4.6, OS X 10.6.2, CentOS 4 & 5
Posts: 3,660

Rep: Reputation: 69
Well I'd have to look at those plugins too, but I would assume that they base their errors on the fact that the packets did not get rejected (for ports 111 and 32768).

By the way, on second inspection your firewall is a bit lacking. You're using a stateless packet filter, so you are allowing return traffic explicitly, but not requiring that ACK be set. This means that sneaking packets through would be trivial (by using the correct source port). You should look into using the ESTABLISHED and RELATED keywords in your rules to cover all existing and related connection traffic and not open yourself to attacks originating from specially chosen source ports.
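The first-match walk chort describes in #9, the source-port-53 hole from #5 and #7, the REJECT/DROP difference from #11 and the stateless return-traffic gap from #14, worked through as an added example (not code from the thread, from ipchains or from Nessus). The 192.0.2.x and 198.51.100.x addresses and the "trust source port 53/udp from anywhere" rule are constructed assumptions standing in for the masked IPs and for the lokkit behaviour chort describes.

```python
# Added example, not from the thread, ipchains or Nessus: a minimal first-match
# evaluator for the posted ipchains 'input' chain. It models -p, -s/-d with an
# optional port, and -j; -i, -l and the -d address are ignored (all packets are
# to the firewall host itself). 192.0.2.x / 198.51.100.x addresses are constructed.
SERVICES = {"domain": 53, "http": 80, "https": 443, "smtp": 25, "mysql": 3306}

def port(tok):
    return SERVICES.get(tok) or int(tok)

def parse_rule(line):
    tok, i = line.split(), 0
    rule = {"proto": None, "src": None, "sport": None, "dport": None, "target": None}
    while i < len(tok):
        if tok[i] == "-p":
            rule["proto"], i = tok[i + 1], i + 2
        elif tok[i] in ("-s", "-d"):
            side = "s" if tok[i] == "-s" else "d"
            if side == "s":
                rule["src"] = tok[i + 1]
            i += 2
            if i < len(tok) and not tok[i].startswith("-"):  # optional port after address
                rule[side + "port"], i = port(tok[i]), i + 1
        elif tok[i] == "-j":
            rule["target"], i = tok[i + 1], i + 2
        else:
            i += 1  # -A input, -l, -i lo ...
    return rule

def verdict(chain, pkt, policy="ACCEPT"):
    """Walk the chain top-down; the first matching rule decides, else the chain policy."""
    proto, src, sport, dport = pkt
    for r in map(parse_rule, chain):
        if r["proto"] in (None, proto) and r["src"] in (None, "0/0", src) \
                and r["sport"] in (None, sport) and r["dport"] in (None, dport):
            return r["target"]
    return policy

POSTED = [  # subset of wedgeworth's chain, masked IPs replaced by constructed ones
    "-A input -p tcp -s 192.0.2.53 domain -j ACCEPT",  # DNS server, source port 53 only
    "-A input -d 0/0 http -p tcp -j ACCEPT",           # incoming http
    "-A input -s 0/0 http -p tcp -j ACCEPT",           # "return from outgoing http"
    "-A input -s 192.0.2.10 -j ACCEPT",                # office IP (safe list)
    "-A input -p tcp -j REJECT -l",                    # REJECT answers with ICMP unreachable,
    "-A input -p udp -j REJECT -l",                    # DROP would stay silent
]
# The hole chort describes, as an assumed rule shape: trust source port 53/udp from anywhere.
HOLE = ["-A input -s 0/0 domain -p udp -j ACCEPT"] + POSTED

STRANGER_UDP53 = ("udp", "198.51.100.7", 53, 32768)  # unknown host, sport 53 -> 32768/udp
STRANGER_TCP80 = ("tcp", "198.51.100.7", 80, 22)     # unknown host, sport 80 -> 22/tcp
OFFICE_UDP = ("udp", "192.0.2.10", 40000, 32768)     # safe-listed office host
```

With the posted chain the stranger's source-port-53 datagram hits the UDP REJECT rule (so the host answers with ICMP unreachable, which is what chort says the plugin looks for), while the same datagram is accepted once the assumed rule sits above it; the stateless `-s 0/0 http` return rule accepts any TCP packet from source port 80 regardless of destination port.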
 
Old 05-13-2004, 02:58 PM   #15
wedgeworth
Member
 
Registered: Aug 2003
Posts: 234

Original Poster
Rep: Reputation: 30
You mean I should change from ipchains to iptables (iptables is stateful packet filtering, right?)? You can't do such things with ipchains (which is what I'm using right now).

I just wish that I knew that the error was false: that there is no UDP error under port 53, that I've blocked it, that only those IPs that I've allowed will be able to reach it, that it is Nessus's presumptive code that assumes that there is a vulnerability, and that I knew what this assumption was...

Last edited by wedgeworth; 05-13-2004 at 03:06 PM.
 