Message-Id: <201007090058.o690wSup048456@www.freebsd.org>
Date: Fri, 9 Jul 2010 00:58:28 GMT
From: Paul-Andrew Joseph Miseiko <pmiseiko@gmail.com>
To: freebsd-gnats-submit@FreeBSD.org
Subject: FreeBSD device can be used as an unintentional router between two or more network(s).

>Number:         148458
>Category:       kern
>Synopsis:       FreeBSD device can be used as an unintentional router between two or more network(s).
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    secteam
>State:          closed
>Quarter:        
>Keywords:       
>Date-Required:  
>Class:          sw-bug
>Submitter-Id:   current-users
>Arrival-Date:   Fri Jul 09 01:00:11 UTC 2010
>Closed-Date:    Fri Jul 09 08:03:06 UTC 2010
>Last-Modified:  Sat Jul 10 06:10:02 UTC 2010
>Originator:     Paul-Andrew Joseph Miseiko
>Release:        8.1-PRERELEASE
>Organization:
>Environment:
FreeBSD teardrop.ca 8.1-PRERELEASE FreeBSD 8.1-PRERELEASE #1: Wed Jul  7 22:18:16 EDT 2010     esoteric@teardrop.ca:/usr/obj/usr/src/sys/TEARDROP  i386
>Description:
An ICMP echo request with a spoofed source IP address can use a FreeBSD device bound to two or more network(s) as a router.  The FreeBSD device does not need IP forwarding enabled for this to work.  The problem is FreeBSD does not validate the source IP address associated with the network the ICMP echo request was received from.  The issue can also be worded that FreeBSD does not validate the ICMP echo response will be sent to the same network the ICMP echo request was received from.

The issue can be used to maliciously communicate between two networks through a FreeBSD device even if policy does not permit communication between those two networks.  For example it is possible to communicate between an Internet and an Intranet through a FreeBSD device configured as the gateway between those two networks.

The issue has been reproduced with an (otherwise forgotten) version of FreeBSD 4, with an (otherwise forgotten) version of FreeBSD 7, with FreeBSD 8.0 and with FreeBSD 8.1-PRERELEASE.
>How-To-Repeat:
Spoof the source IP address for an ICMP echo request from network A with the desired destination IP address (as the spoofed source IP address) on network B.  The ICMP echo request data can contain marshaled data to be sent between the two network(s).  The host on network B can communicate with the host on network A through the same mechanism.  This would result in a potential unexpected communication channel.
>Fix:
Solution #1:
The issue can be resolved with the IPFW verrevpath option.

Example:
deny log ip from any to me in recv any not verrevpath

Solution #2:
The code in "sys/netinet/ipfw/ip_fw2.c" "static int verify_path(struct in_addr src, struct ifnet *ifp, u_int fib)" can be used/referenced/called in "sys/netinet/ip_icmp.c" "void icmp_input(struct mbuf *m, int off)" to resolve this issue.

"static int verify_path(struct in_addr src, struct ifnet *ifp, u_int fib)" can be made not static and moved into a different file since it might not be available if the kernel is not compiled with IPFIREWALL support.

>Release-Note:
>Audit-Trail:
Responsible-Changed-From-To: freebsd-i386->secteam 
Responsible-Changed-By: remko 
Responsible-Changed-When: Fri Jul 9 06:08:14 UTC 2010 
Responsible-Changed-Why:  
Potential security issues should never be sent through gnats
but can be sent by email to secteam@FreeBSD.org. I will take over
the PR to secteam and have a look at this.

http://www.freebsd.org/cgi/query-pr.cgi?pr=148458 
State-Changed-From-To: open->closed 
State-Changed-By: remko 
State-Changed-When: Fri Jul 9 08:01:35 UTC 2010 
State-Changed-Why:  
Dear Paul-Andrew, 

This ticket will be closed; there are perfectly valid reasons that
this can and should work. This is not a security issue, nor is it
a bug that requires fixing.

Thanks for submitting this and trying to make FreeBSD better; it's
greatly appreciated!

http://www.freebsd.org/cgi/query-pr.cgi?pr=148458 

From: Paul Miseiko <Paul_Miseiko@rapid7.com>
To: "bug-followup@FreeBSD.org" <bug-followup@FreeBSD.org>,
	"pmiseiko@gmail.com" <pmiseiko@gmail.com>
Cc:  
Subject: Re: kern/148458: FreeBSD device can be used as an unintentional
 router between two or more network(s).
Date: Fri, 9 Jul 2010 11:00:29 -0700

 Please help me to understand a valid reason that this can and should work.
 
 Let us consider the following ASCII representation of this issue:
 +-----------+    +----------------+    +-----------+
 | Network A | -> | FreeBSD Server | <- | Network B |
 +-----------+    +----------------+    +-----------+
 
 A host on Network A created an ICMP echo request with a forged/spoofed source IP address on Network B.
 +--------------------------------------------+       +----------------+
 | Network A: Host A: ICMP Echo Request       |  -->  | FreeBSD Server |
 | (src=Network B Host B, dst=FreeBSD Server) |  -->  |                |
 +--------------------------------------------+       +----------------+
 
 The FreeBSD server received the ICMP echo request and will send the ICMP echo response to the forged/spoofed source IP address on Network B.
 +----------------+       +-------------------------------------------+
 | FreeBSD Server |  -->  | Network B: Host B: ICMP Echo Response     |
 |                |  -->  | (src=FreeBSD Server, dst=Network B Host B |
 +----------------+       +-------------------------------------------+
 
 Why this is a valid security issue:
 1. The FreeBSD Server administrator might not want traffic to travel between Network A and Network B (and vice versa) through the FreeBSD Server.
 2. The host on Network A can communicate with the host on Network B and vice versa through the FreeBSD Server.
 3. The FreeBSD Server administrator might not be aware that this is possible and might not have proper procedures in place (such as accounting and logging).
 4. The FreeBSD Server must have a firewall like IPFIREWALL with verrevpath to resolve this issue; otherwise there is no FreeBSD Server configuration available to prevent the use of the FreeBSD Server as an "unintended" router in this scenario.

From: Colin Percival <cperciva@freebsd.org>
To: Paul Miseiko <Paul_Miseiko@rapid7.com>
Cc: bug-followup@FreeBSD.org
Subject: Re: kern/148458: FreeBSD device can be used as an unintentional router
 between two or more network(s).
Date: Fri, 09 Jul 2010 23:04:29 -0700

 On 07/09/10 11:10, Paul Miseiko wrote:
 >  Please help me to understand a valid reason that this can and should work.
 >  [...]
 >  4. The FreeBSD Server must have a firewall like IPFIREWALL with verrevpath to resolve this issue; otherwise there is no FreeBSD Server configuration available to prevent the use of the FreeBSD Server as an "unintended" router in this scenario.
 
 This is correct.  Blocking packets is the purpose for which firewalls exist.
 
 -- 
 Colin Percival
 Security Officer, FreeBSD | freebsd.org | The power to serve
 Founder / author, Tarsnap | tarsnap.com | Online backups for the truly paranoid
>Unformatted:
