FreeBSD ipfw and ip6fw access restriction bypass vulnerability

Vulnerability ID: 1106183
Vulnerability type: Unknown
Published: 2001-01-23
Updated: 2005-05-02
CVE: CVE-2001-0183
CNNVD ID: CNNVD-200103-103
Platform: FreeBSD
CVSS score: 7.5
|Vulnerability sources
https://www.exploit-db.com/exploits/20593
http://www.cnnvd.org.cn/web/xxk/ldxqById.tag?CNNVD=CNNVD-200103-103
|Vulnerability details
ipfw and ip6fw in FreeBSD 4.2 and earlier contain a vulnerability. A remote attacker can bypass access restrictions by setting the ECE flag on a TCP packet, which causes the packet to appear to be part of an established connection.
|Vulnerability EXP
source: www.securityfocus.com/bid/2293/info

There exists a serious vulnerability in FreeBSD's implementation of packet filtering for IPv4 and IPv6.

The vulnerability exists in situations where a filtering rule permits packets through if they are part of an established connection.

It is possible for packets that are not part of an established connection to be allowed through. These packets must have the ECE flag set, which is in the TCP reserved options field.

Exploitation of this vulnerability may allow for unauthorized remote access to otherwise protected services. 

https://github.com/offensive-security/exploit-database-bin-sploits/raw/master/bin-sploits/20593.tgz
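To make the mechanism described above concrete, here is an added illustration in C (not the FreeBSD kernel code, whose exact logic this page does not reproduce): it assumes an "established" test that compares the whole 8-bit TCP flags byte against SYN, shows how a SYN carrying the ECE bit passes that test, places the masked comparison that ignores the reserved bits beside it, and adds a small helper a detection tool could use to flag such setup packets.

```c
#include <stdbool.h>
#include <stdint.h>

/* TCP flag bits in the 8-bit th_flags byte. ECE and CWR occupy two of the
 * bits that RFC 793 left reserved; RFC 3168 later assigned them to ECN. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80

/* The six classic flags; everything outside this mask is reserved/ECN. */
#define TH_FLAGS_MASK (TH_FIN | TH_SYN | TH_RST | TH_PUSH | TH_ACK | TH_URG)

/* Flawed "established" test (assumed shape of the bug, not the original
 * FreeBSD source): a packet counts as part of an established connection
 * whenever its raw flag byte is not exactly SYN. A SYN with ECE set is
 * 0x42 != 0x02, so a connection-setup packet is let through. */
bool established_flawed(uint8_t th_flags)
{
    return th_flags != TH_SYN;
}

/* Hardened test: strip the reserved/ECN bits before comparing, so ECE or
 * CWR can no longer change the verdict. */
bool established_fixed(uint8_t th_flags)
{
    return (th_flags & TH_FLAGS_MASK) != TH_SYN;
}

/* Detection helper: true for a connection-setup packet (SYN without ACK)
 * that also carries a reserved/ECN bit, i.e. the shape the flawed test
 * misclassifies. Caveat: an RFC 3168 ECN-setup SYN legitimately sets
 * ECE+CWR, so treat hits as worth a look, not as proof of abuse. */
bool misclassified_setup(uint8_t th_flags)
{
    bool is_setup = (th_flags & (TH_SYN | TH_ACK)) == TH_SYN;
    bool has_reserved = (th_flags & ~TH_FLAGS_MASK) != 0;
    return is_setup && has_reserved;
}
```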
|References

Source: BID
Name: 2293
Link: http://www.securityfocus.com/bid/2293
Source: FREEBSD
Name: FreeBSD-SA-01:08
Link: ftp://ftp.freebsd.org/pub/FreeBSD/CERT/advisories/FreeBSD-SA-01:08.ipfw.asc
Source: XF
Name: ipfw-bypass-firewall(5998)
Link: http://xforce.iss.net/xforce/xfdb/5998
Source: BUGTRAQ
Name: 20010125 ecepass - proof of concept code for FreeBSD ipfw bypass
Link: http://www.security-express.com/archives/bugtraq/2001-01/0424.html
Source: OSVDB
Name: 1743
Link: http://www.osvdb.org/1743
Source: CIAC
Name: L-029
Link: http://www.ciac.org/ciac/bulletins/l-029.shtml