From owner-freebsd-bugs Wed Jul 5 19:30:10 2000
Delivered-To: freebsd-bugs@freebsd.org
Received: from freefall.freebsd.org (freefall.FreeBSD.ORG [204.216.27.21]) by hub.freebsd.org (Postfix) with ESMTP id 8432237BAFD for ; Wed, 5 Jul 2000 19:30:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: (from gnats@localhost) by freefall.freebsd.org (8.9.3/8.9.2) id TAA25101; Wed, 5 Jul 2000 19:30:01 -0700 (PDT) (envelope-from gnats@FreeBSD.org)
Received: from resurrection.oznetcom.com.au (resurrection.oznetcom.com.au [203.18.50.11]) by hub.freebsd.org (Postfix) with ESMTP id 3F22C37B6A8 for ; Wed, 5 Jul 2000 19:22:03 -0700 (PDT) (envelope-from radius@resurrection.oznetcom.com.au)
Received: (from radius@localhost) by resurrection.oznetcom.com.au (8.9.3/8.9.3) id MAA08187; Thu, 6 Jul 2000 12:21:56 +1000 (EST)
Message-Id: <200007060221.MAA08187@resurrection.oznetcom.com.au>
Date: Thu, 6 Jul 2000 12:21:56 +1000 (EST)
From: radius@oznetcom.com.au
Reply-To: radius@oznetcom.com.au
To: FreeBSD-gnats-submit@freebsd.org
X-Send-Pr-Version: 3.2
Subject: kern/19722: FreeBSD box responds to broadcast IP
Sender: owner-freebsd-bugs@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.org

>Number:         19722
>Category:       kern
>Synopsis:       FreeBSD box responds to broadcast IP
>Confidential:   yes
>Severity:       critical
>Priority:       high
>Responsible:    freebsd-bugs
>State:          open
>Quarter:
>Keywords:
>Date-Required:
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Wed Jul 05 19:30:00 PDT 2000
>Closed-Date:
>Last-Modified:
>Originator:     M P Hibbard
>Release:        FreeBSD 3.4-STABLE i386
>Organization:
Davnet Telecommunications Pty Ltd
>Environment:
FreeBSD running as a gateway between networks. Seems to work on tested versions from 3.4S (June 22) and recent 4.0S. In the situation described below, the test machine was running 4.0-STABLE with IPF, IPFW and DUMMYNET in the kernel.
>Description:
If FreeBSD is running as a gateway between two networks, and packets from one network are travelling to the other network's broadcast address, the FreeBSD gateway will intercept them and interpret them as if they were destined for itself.

This could possibly allow an attacker to bypass firewall rules by sending packets to the broadcast address of a network being firewalled by a FreeBSD gateway; the FreeBSD gateway might allow the packets directly through to it, as the firewall rules may not allow for this situation.
>How-To-Repeat:
FreeBSD box at 203.62.175.1, gateway on a dialup connection with the network 203.62.175.0/24 routed to it. From a network outside of 203.62.175.1, past the dialup gateway:

    radius@resurrection:~$ telnet 203.62.175.255
    Trying 203.62.175.255...
    Connected to 203.62.175.255.
    Escape character is '^]'.

    FreeBSD/i386 (scythe.darktide.net) (ttyp0)

    login:

We get a connection to the gateway box itself, 203.62.175.1.

This has been tested with different packets: TCP/UDP/ICMP. ICMP seems a bit weird. A ping to 203.62.175.255 from inside the network 203.62.175.0/24 and the .1 machine will not respond; however, from outside it, ONLY .1 will respond, even if other machines -would- have responded normally.

This has also been tested on other network configurations with up to 7 network interfaces. It also seems to work regardless of whether IPFW has been compiled into the kernel.
>Fix:
none known
>Release-Note:
>Audit-Trail:
>Unformatted:
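Added illustration (not part of the PR above, and not FreeBSD or ipfw code): a small Python model of the behaviour the report describes, plus a generator for ipfw rules that deny packets arriving on the external interface whose destination is the directed-broadcast address of an inside subnet. The interface names ed0/tun0, the tun0 address 192.0.2.10/30 and the rule numbers are assumptions chosen to mirror the .1/24 gateway in the report; the rule form `deny ip from any to <addr> in via <if>` is standard ipfw syntax, and the rules only filter at the gateway, they do not change how the kernel itself handles the address.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface


@dataclass(frozen=True)
class Iface:
    name: str
    addr: IPv4Interface  # address with prefix, e.g. 203.62.175.1/24


# Constructed gateway modelled on kern/19722: .1 on the inside LAN and a
# dial-up link as the outside interface. Names and the tun0 prefix are
# assumptions, not taken from the report.
GATEWAY = [
    Iface("ed0", IPv4Interface("203.62.175.1/24")),
    Iface("tun0", IPv4Interface("192.0.2.10/30")),
]


def directed_broadcasts(ifaces):
    """Directed-broadcast address of every attached subnet.

    /31 and /32 links have no broadcast address, so they are skipped.
    """
    return {
        i.name: i.addr.network.broadcast_address
        for i in ifaces
        if i.addr.network.prefixlen < 31
    }


def classify(dst, ifaces):
    """Model of the reported behaviour: the gateway treats its own
    addresses AND the directed broadcast of any directly attached
    subnet as destined for itself instead of forwarding them."""
    dst = IPv4Address(dst)
    bcasts = directed_broadcasts(ifaces)
    for i in ifaces:
        if dst == i.addr.ip:
            return "local-unicast"
        if dst == bcasts.get(i.name):
            return "directed-broadcast"  # accepted locally per the PR
    return "forward"


def ipfw_rules(ifaces, external_if, base=1000, step=10):
    """ipfw rules denying packets that come in on `external_if` and are
    addressed to the directed broadcast of any other attached subnet.

    Rules are emitted so that the outside world cannot reach an inside
    broadcast address at all; the rule numbers are an assumption and
    must be placed before any rule that would otherwise accept the
    traffic to the gateway."""
    rules = []
    number = base
    for name, bcast in directed_broadcasts(ifaces).items():
        if name == external_if:
            continue
        rules.append(
            f"ipfw add {number} deny log ip from any to {bcast} in via {external_if}"
        )
        number += step
    return rules


if __name__ == "__main__":
    for dst in ("203.62.175.1", "203.62.175.255", "203.62.175.20"):
        print(f"{dst:16} -> {classify(dst, GATEWAY)}")
    print("\n".join(ipfw_rules(GATEWAY, "tun0")))
```

The classifier reproduces the report's symptom, a packet for 203.62.175.255 is handled by the gateway itself rather than forwarded, and the generated rule is the check a practitioner would add on the outside interface so that the firewall policy, not the kernel's local-delivery path, decides what reaches the box. It covers the directed broadcast of each inside subnet only; the limited broadcast 255.255.255.255 and any loopback or alias addresses on the gateway need their own rules.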