(PCI-DSS, APF) Firewall UDP packet source port 53 ruleset bypass?

I am working through the vulnerabilities reported by a PCI-DSS scanner, and one of them is new to me:

Title:
Firewall UDP Packet Source Port 53 Ruleset Bypass
Synopsis:
The firewall rule set can be bypassed.
Impact:
It is possible to bypass the rules of the remote firewall by sending UDP packets with a source port of 53. An attacker may use this flaw to inject UDP packets into the remote host, despite the presence of the firewall.
See also:
http://archives.neohapsis.com/archives/fulldisclosure/2003-q2/0352.html
http://www.nessus.org/u?4368bb37

The article at the first link gives the exploit command, nmap -v -P0 -sU -p 1900 ${IP} -g 53, and it does indeed return a 56-byte packet when the source port is 53. But why? In this example it reports port 1900 as "closed", yet a 56-byte reply comes back. By contrast, a request to port 1900 with UDP source port 123 (which is also open) returns 0 bytes.

    #
    # Source port 53:
    #
    $ sudo nmap -v -P0 -sU -p 1900 ${IP} -g 53

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-24 20:19 CST
    Initiating Parallel DNS resolution of 1 host. at 20:19
    Completed Parallel DNS resolution of 1 host. at 20:19, 0.00s elapsed
    Initiating UDP Scan at 20:19
    Scanning *HOST* (*IP*) [1 port]
    Completed UDP Scan at 20:19, 0.21s elapsed (1 total ports)
    Nmap scan report for *HOST* (*IP*)
    Host is up (0.038s latency).
    PORT     STATE  SERVICE
    1900/udp closed upnp

    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 0.25 seconds
               Raw packets sent: 1 (28B) | Rcvd: 1 (56B)

    #
    # Source Port 123:
    #
    $ sudo nmap -v -P0 -sU -p 1900 ${IP} -g 123

    Starting Nmap 6.47 ( http://nmap.org ) at 2015-11-24 20:20 CST
    Initiating Parallel DNS resolution of 1 host. at 20:20
    Completed Parallel DNS resolution of 1 host. at 20:20, 0.00s elapsed
    Initiating UDP Scan at 20:20
    Scanning *HOST* (*IP*) [1 port]
    Completed UDP Scan at 20:20, 2.42s elapsed (1 total ports)
    Nmap scan report for *HOST* (*IP*)
    Host is up.
    PORT     STATE         SERVICE
    1900/udp open|filtered upnp

    Read data files from: /usr/bin/../share/nmap
    Nmap done: 1 IP address (1 host up) scanned in 2.46 seconds
               Raw packets sent: 2 (56B) | Rcvd: 0 (0B)

This Linux server runs a control panel (InterWorx-CP) that manages an APF installation, which in turn generates the iptables rules. Here they are:

    $ sudo iptables -L
    Chain INPUT (policy ACCEPT)
    target       prot opt source               destination
    ACCEPT       all  --  anywhere             anywhere
    REFRESH_TEMP all  --  anywhere             anywhere
    TALLOW       all  --  anywhere             anywhere
    TGALLOW      all  --  anywhere             anywhere
    TDENY        all  --  anywhere             anywhere
    TGDENY       all  --  anywhere             anywhere
    DROP         tcp  --  anywhere             anywhere             tcp dpts:epmap:netbios-ssn
    DROP         udp  --  anywhere             anywhere             udp dpts:epmap:netbios-ssn
    DROP         tcp  --  anywhere             anywhere             tcp dpt:sunrpc
    DROP         udp  --  anywhere             anywhere             udp dpt:sunrpc
    DROP         tcp  --  anywhere             anywhere             tcp dpt:login
    DROP         udp  --  anywhere             anywhere             udp dpt:who
    DROP         tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    DROP         udp  --  anywhere             anywhere             udp dpt:microsoft-ds
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ms-sql-s
    DROP         udp  --  anywhere             anywhere             udp dpt:ms-sql-s
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ms-sql-m
    DROP         udp  --  anywhere             anywhere             udp dpt:ms-sql-m
    DROP         tcp  --  anywhere             anywhere             tcp dpt:search-agent
    DROP         udp  --  anywhere             anywhere             udp dpt:search-agent
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ingreslock
    DROP         udp  --  anywhere             anywhere             udp dpt:ingreslock
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ctx-bridge
    DROP         udp  --  anywhere             anywhere             udp dpt:ctx-bridge
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:ftp
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:ssh
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:lmtp
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:smtp
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:http
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:pop3
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:imap
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:https
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:imaps
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:pop3s
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:autodesk-nlm
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:powerclientcsf
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpts:50000:51000
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpt:submission
    ACCEPT       udp  --  anywhere             anywhere             udp dpt:ftp-data
    ACCEPT       udp  --  anywhere             anywhere             udp dpt:ftp
    ACCEPT       udp  --  anywhere             anywhere             udp dpt:ntp
    ACCEPT       udp  --  anywhere             anywhere             udp dpt:domain
    ACCEPT       icmp --  anywhere             anywhere             icmp destination-unreachable limit: avg 14/sec burst 5
    ACCEPT       icmp --  anywhere             anywhere             icmp redirect limit: avg 14/sec burst 5
    ACCEPT       icmp --  anywhere             anywhere             icmp time-exceeded limit: avg 14/sec burst 5
    ACCEPT       icmp --  anywhere             anywhere             icmp echo-reply limit: avg 14/sec burst 5
    ACCEPT       icmp --  anywhere             anywhere             icmp type 30 limit: avg 14/sec burst 5
    ACCEPT       icmp --  anywhere             anywhere             icmp echo-request limit: avg 14/sec burst 5
    DROP         tcp  --  anywhere             anywhere             tcp flags:!FIN,SYN,RST,ACK/SYN state NEW
    ACCEPT       tcp  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT       udp  --  anywhere             anywhere             state RELATED,ESTABLISHED
    ACCEPT       udp  --  anywhere             anywhere             udp spt:domain dpts:1023:65535
    ACCEPT       tcp  --  anywhere             anywhere             tcp spt:domain dpts:1023:65535
    DROP         tcp  --  anywhere             anywhere
    DROP         udp  --  anywhere             anywhere
    DROP         all  --  anywhere             anywhere

    Chain FORWARD (policy ACCEPT)
    target       prot opt source               destination

    Chain OUTPUT (policy ACCEPT)
    target       prot opt source               destination
    ACCEPT       all  --  anywhere             anywhere
    TCPMSS       tcp  --  anywhere             anywhere             tcp flags:SYN,RST/SYN TCPMSS clamp to PMTU
    REFRESH_TEMP all  --  anywhere             anywhere
    TALLOW       all  --  anywhere             anywhere
    TGALLOW      all  --  anywhere             anywhere
    TDENY        all  --  anywhere             anywhere
    TGDENY       all  --  anywhere             anywhere
    DROP         tcp  --  anywhere             anywhere             tcp dpts:epmap:netbios-ssn
    DROP         udp  --  anywhere             anywhere             udp dpts:epmap:netbios-ssn
    DROP         tcp  --  anywhere             anywhere             tcp dpt:sunrpc
    DROP         udp  --  anywhere             anywhere             udp dpt:sunrpc
    DROP         tcp  --  anywhere             anywhere             tcp dpt:login
    DROP         udp  --  anywhere             anywhere             udp dpt:who
    DROP         tcp  --  anywhere             anywhere             tcp dpt:microsoft-ds
    DROP         udp  --  anywhere             anywhere             udp dpt:microsoft-ds
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ms-sql-s
    DROP         udp  --  anywhere             anywhere             udp dpt:ms-sql-s
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ms-sql-m
    DROP         udp  --  anywhere             anywhere             udp dpt:ms-sql-m
    DROP         tcp  --  anywhere             anywhere             tcp dpt:search-agent
    DROP         udp  --  anywhere             anywhere             udp dpt:search-agent
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ingreslock
    DROP         udp  --  anywhere             anywhere             udp dpt:ingreslock
    DROP         tcp  --  anywhere             anywhere             tcp dpt:ctx-bridge
    DROP         udp  --  anywhere             anywhere             udp dpt:ctx-bridge
    ACCEPT       tcp  --  anywhere             anywhere             tcp dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT       udp  --  anywhere             anywhere             udp dpts:1024:65535 state RELATED,ESTABLISHED
    ACCEPT       udp  --  anywhere             anywhere             udp spts:1023:65535 dpt:domain
    ACCEPT       tcp  --  anywhere             anywhere             tcp spts:1023:65535 dpt:domain
    ACCEPT       all  --  anywhere             anywhere

    Chain PROHIBIT (0 references)
    target       prot opt source               destination
    REJECT       all  --  anywhere             anywhere             reject-with icmp-host-prohibited

    Chain REFRESH_TEMP (2 references)
    target       prot opt source               destination

    Chain RESET (0 references)
    target       prot opt source               destination
    REJECT       tcp  --  anywhere             anywhere             reject-with tcp-reset

    Chain TALLOW (2 references)
    target       prot opt source               destination

    Chain TDENY (2 references)
    target       prot opt source               destination

    Chain TGALLOW (2 references)
    target       prot opt source               destination

    Chain TGDENY (2 references)
    target       prot opt source               destination

The server is also the authoritative DNS for the domains it hosts, replicating to slave servers, so incoming DNS queries could probably be disabled. But even when I do that in the CP, the vulnerability still succeeds. My guess is that APF generates some rules outside my indirect control.

How do I go about closing this hole in the firewall?

What is the impact of this vulnerability, dating from 2003, that the PCI scanner has only just reported (it has been scanning for years)?
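To see which rule each of the two nmap probes actually hits, here is an added example (not code from the question, APF or InterWorx) that replays first-match evaluation over the UDP rules of the INPUT chain listed above. The per-IP allow/deny chains and the interface-bound first rule are left out because `iptables -L` without `-v` does not show their match criteria, so that part is an assumption. Two facts explain the observation: nmap reports a UDP port as "closed" only when an ICMP port-unreachable comes back, and that error is 20 bytes of IP header, 8 bytes of ICMP header, the quoted 20-byte IP header and the first 8 bytes of the probe, which is exactly the 56 bytes received. A reply at all means the probe passed the firewall and reached the UDP stack; a silently dropped probe gives open|filtered with 0 bytes received.

```python
# Added example (not code from the question, APF or InterWorx): a first-match
# simulation of the UDP-relevant rules in the INPUT chain from the question.
# Assumption: the interface-bound first rule and the per-IP chains are omitted.
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Packet:
    proto: str
    sport: int
    dport: int
    established: bool = False  # True if conntrack would treat it as a reply

@dataclass
class Rule:
    target: str
    proto: str = "all"
    sport: Optional[Tuple[int, int]] = None  # inclusive port range
    dport: Optional[Tuple[int, int]] = None
    state: Optional[str] = None              # e.g. "RELATED,ESTABLISHED"
    text: str = ""                           # how `iptables -L` prints it

    def matches(self, p: Packet) -> bool:
        if self.proto not in ("all", p.proto):
            return False
        if self.sport and not self.sport[0] <= p.sport <= self.sport[1]:
            return False
        if self.dport and not self.dport[0] <= p.dport <= self.dport[1]:
            return False
        if self.state and not p.established:
            return False
        return True

# Order and criteria copied from the question's listing
# (service names resolved: sunrpc=111, ntp=123, domain=53).
INPUT: List[Rule] = [
    Rule("DROP", "udp", dport=(111, 111), text="udp dpt:sunrpc"),
    Rule("ACCEPT", "udp", dport=(123, 123), text="udp dpt:ntp"),
    Rule("ACCEPT", "udp", dport=(53, 53), text="udp dpt:domain"),
    Rule("ACCEPT", "udp", state="RELATED,ESTABLISHED", text="state RELATED,ESTABLISHED"),
    Rule("ACCEPT", "udp", sport=(53, 53), dport=(1023, 65535), text="udp spt:domain dpts:1023:65535"),
    Rule("DROP", "udp", text="udp"),
]

def first_match(chain: List[Rule], p: Packet) -> Optional[Rule]:
    """iptables semantics: the first matching rule decides the verdict."""
    return next((r for r in chain if r.matches(p)), None)

def nmap_state(chain: List[Rule], p: Packet, listening=()) -> str:
    """What nmap -sU prints for the probed port: a silently dropped probe is
    open|filtered; a probe that reaches an unbound UDP port draws an ICMP
    port-unreachable, which nmap reports as closed."""
    hit = first_match(chain, p)
    if hit is not None and hit.target != "ACCEPT":
        return "open|filtered"
    return "open" if p.dport in listening else "closed"

def icmp_port_unreachable_len(ip_hdr=20, icmp_hdr=8, quoted_l4=8) -> int:
    """Bytes on the wire for that ICMP error: outer IP + ICMP header +
    quoted inner IP header + first 8 bytes of the offending datagram."""
    return ip_hdr + icmp_hdr + ip_hdr + quoted_l4

def without_source_port_accept(chain: List[Rule]) -> List[Rule]:
    """Hardened chain: drop the stateless spt:53 accept. Replies to the
    server's own DNS lookups still pass via the RELATED,ESTABLISHED rule."""
    return [r for r in chain if not (r.sport == (53, 53) and r.state is None)]

PROBE_SPT53 = Packet("udp", sport=53, dport=1900)    # the scanner's probe
PROBE_SPT123 = Packet("udp", sport=123, dport=1900)  # the control probe
DNS_REPLY = Packet("udp", sport=53, dport=40000, established=True)  # constructed

def demo() -> dict:
    results = {}
    for label, chain in (("before", INPUT), ("after", without_source_port_accept(INPUT))):
        results[label] = {
            "spt53": nmap_state(chain, PROBE_SPT53),
            "spt123": nmap_state(chain, PROBE_SPT123),
            "spt53_rule": getattr(first_match(chain, PROBE_SPT53), "text", None),
            "dns_reply": first_match(chain, DNS_REPLY).target,
        }
    return results

if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r)
    print("ICMP port unreachable on the wire:", icmp_port_unreachable_len(), "bytes")
```

Before the change, the source-port-53 probe is accepted by `udp spt:domain dpts:1023:65535` and the control probe falls through to the `DROP udp` catch-all, matching the two nmap runs. After the stateless source-port rule is removed, both probes are dropped while a genuine reply to the server's own query still passes through the `state RELATED,ESTABLISHED` rule that already sits above it.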

They test port 53 because it is likely to be open (i.e. the port used by DNS).

I got the same error, and the fix was to write two rules.

First, you can now have ESTABLISHED and RELATED rules for UDP. That used to be impossible, because UDP is considered stateless, but they added that feature by tracking what was sent and accepting the related replies.

    -A INPUT -i eth0 -p udp -m state --state ESTABLISHED,RELATED -m udp -d 1.2.3.4 -j ACCEPT

Note: change eth0 and 1.2.3.4 to the correct name / IP.

Then you can open port 53 for incoming packets to the DNS server.

    -A INPUT -i eth0 -p udp -m udp --dport 53 -d 1.2.3.4 -j ACCEPT

Note: change eth0 and 1.2.3.4 to the correct name / IP.

Your existing rule looks like this:

    ACCEPT     udp  --  anywhere             anywhere             udp dpt:domain

It is not restricted to an interface or a destination address. You should make sure you don't receive data from spurious sources. (i.e. on DigitalOcean, and probably many others, there is a hidden IP address... you don't want to accept data from that one; also, I once had a glitch where the name of the interface changed! If you have a single network connection it should be straightforward, but if you're not in control of the hardware, you never know when that could happen...)

That being said, the BIG problem in your rule set is the first line of the INPUT chain. It looks like this:

    ACCEPT     all  --  anywhere             anywhere

That means accept anything. Every rule after it is ignored. In other words, you have no firewall at all.

You have the same first rule in the OUTPUT chain, which I guess is there to make sure your firewall doesn't block anything.

A word of advice: look at your firewall with the -nvx options. -n makes it faster by not trying to convert IP addresses. -v shows the number of packets and bytes that went through each rule (i.e. if a rule accepts a packet, its packet counter goes up by 1). -x shows the exact number for each counter (instead of making it "human"), so I can tell whether a counter went up by 1 or by more. This matters while you are testing.

If you used -nvx, you probably noticed that only the first rule's counter goes up, for both INPUT and OUTPUT. Then maybe you'd wonder why you never get hits on the other rules...
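The `-nvx` listing recommended above also adds two columns that plain `-L` hides, `in` and `out`: an `ACCEPT all` bound to the `lo` interface and a true accept-everything rule print identically without them, so the interface column is the first thing to check on a real host. The following is an added example, not the answer's or APF's code: a parser for an `iptables -L INPUT -nvx` listing plus three checks a reviewer would run over it (rules shadowed by an unconditional verdict, ACCEPTs keyed only on the peer's source port with no conntrack state match, and rules whose counters never move). The listing is constructed to resemble the INPUT chain from the question; its counters and the `lo` binding of the first rule are made up for the example.

```python
# Added example (not code from the answer or APF): parse `iptables -L -nvx`
# output and audit it. SAMPLE is constructed; the counters are invented.
import re

SAMPLE = """\
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
    pkts      bytes target     prot opt in     out     source               destination
  184233  39118022 ACCEPT     all  --  lo     *       0.0.0.0/0            0.0.0.0/0
       0         0 TALLOW     all  --  *      *       0.0.0.0/0            0.0.0.0/0
       0         0 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:111
     412     31312 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp dpt:53
      96     12288 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            state RELATED,ESTABLISHED
       1        28 ACCEPT     udp  --  *      *       0.0.0.0/0            0.0.0.0/0            udp spt:53 dpts:1023:65535
      55      2310 DROP       udp  --  *      *       0.0.0.0/0            0.0.0.0/0
"""

# Same listing with the first rule no longer bound to lo: a genuine accept-all.
SAMPLE_ACCEPT_ALL = SAMPLE.replace("all  --  lo ", "all  --  *  ", 1)

ANY = ("0.0.0.0/0", "::/0")

def parse_listing(text):
    """One dict per rule line. -L -nvx prints nine fixed columns
    (pkts bytes target prot opt in out source destination) followed by
    optional match text, so split on whitespace at most nine times."""
    rules = []
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("Chain ") or stripped.startswith("pkts"):
            continue
        parts = line.split(None, 9)
        if len(parts) < 9:
            continue
        rules.append({
            "pkts": int(parts[0]), "bytes": int(parts[1]), "target": parts[2],
            "prot": parts[3], "in": parts[5], "out": parts[6],
            "src": parts[7], "dst": parts[8],
            "match": parts[9].strip() if len(parts) > 9 else "",
        })
    return rules

def is_unconditional(r):
    """A terminating verdict with no interface, address, protocol or match
    restriction: nothing after it in the chain can ever be reached."""
    return (r["target"] in ("ACCEPT", "DROP", "REJECT") and r["prot"] == "all"
            and r["in"] == "*" and r["out"] == "*"
            and r["src"] in ANY and r["dst"] in ANY and not r["match"])

def shadowed_rules(rules):
    for i, r in enumerate(rules):
        if is_unconditional(r):
            return list(range(i + 1, len(rules)))
    return []

def source_port_only_accepts(rules):
    """ACCEPTs keyed on the peer's source port with no state/ctstate match:
    the pattern a forged source port of 53 exercises."""
    return [i for i, r in enumerate(rules)
            if r["target"] == "ACCEPT" and re.search(r"\bspts?:", r["match"])
            and not re.search(r"\b(state|ctstate)\b", r["match"])]

def idle_rules(rules):
    """Rules whose packet counter is still zero: either never needed, or
    never reached. Compare before and after a test probe to tell which."""
    return [i for i, r in enumerate(rules) if r["pkts"] == 0]

def audit(text):
    rules = parse_listing(text)
    return {
        "shadowed": shadowed_rules(rules),
        "source_port_accepts": source_port_only_accepts(rules),
        "idle": idle_rules(rules),
        "first_rule_in": rules[0]["in"] if rules else None,
    }

if __name__ == "__main__":
    for name, text in (("lo-bound first rule", SAMPLE), ("accept-all first rule", SAMPLE_ACCEPT_ALL)):
        print(name, audit(text))
```

Run it against `sudo iptables -L INPUT -nvx` output saved to a file and the `source_port_accepts` list points at the rule the scanner exercises; a non-empty `shadowed` list is the "no firewall at all" case, and an empty one with `first_rule_in == "lo"` means the first rule only covers loopback traffic. Taking a snapshot before and after a single test probe, as the answer suggests, and diffing the `pkts` values shows which rule took the verdict.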