Bugtraq mailing list archives
ecepass - proof of concept code for FreeBSD ipfw bypass
From: Roelof Temmingh <roelof () SENSEPOST COM>
Date: Thu, 25 Jan 2001 15:04:30 +0200
An all ZA production...;)

FreeBSD ipfw+ECE proof of concept code
--------------------------------------
Code written by: Plathond (jacques4i () yahoo com) for Sensepost
(http://www.sensepost.com, info () sensepost com)
More info on the problem:
http://packetstorm.securify.com/advisories/freebsd/FreeBSD-SA-01:08.ipfw
Original problem found by: Aragon Gouveia <aragon () phat za net>

How it works:
-------------
Using FreeBSD divert rule, all outgoing traffic (or as specified in ipfw rule)
will be diverted to the ecepass process - the ECE flag will be added. Traffic
directed to hosts behind ipfw-based firewall will be passed, rendering the
firewall useless if it makes use of the "allow all from any to any established"
rule. Tried & tested...

How to use:
-----------
1. Make sure your kernel is compiled with the following options:
   options IPDIVERT
   options IPFIREWALL
2. gcc -o ecepass ecepass.c
3. ./ecepass &
4. ipfw add 5 divert 7000 tcp from any to any
5. All TCP traffic will now have the ECE flag added to it.

PS1: obviously you need to make sure that the last ipfw rule allows traffic e.g.:
00001 divert 7000 tcp from any to any
65535 allow ip from any to any

PS2: as the exploit uses "ipfw divert" it only works on FreeBSD. Ironic eh?

spidermark: sensepostdata ece

Regards,
Roelof.
------------------------------------------------------
Roelof W Temmingh
SensePost IT security
roelof () sensepost com
+27 83 448 6996
http://www.sensepost.com
Attachment:
ecepass.tgz
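The following is an added example, not part of the post and not the ecepass tool: it parses the flag byte of a raw TCP header, applies the "established" test as ipfw documents it (RST or ACK set, ECE irrelevant), and flags segments that carry ECE without ACK/RST and are not a legitimate ECN-setup SYN, which is the traffic pattern a firewall honouring ECE as "established" would wrongly let through. The header bytes are constructed inline for the demonstration.

```python
import struct

# TCP flag bits in the order they occupy the header flag byte (RFC 3168 layout).
TH_FIN, TH_SYN, TH_RST, TH_PSH, TH_ACK, TH_URG, TH_ECE, TH_CWR = (1 << i for i in range(8))


def tcp_flags(segment: bytes) -> int:
    """Return the eight flag bits of a raw TCP header (no IP header in front)."""
    if len(segment) < 20:
        raise ValueError("TCP header shorter than 20 bytes")
    # Byte 12 is data offset + reserved bits; byte 13 holds CWR..FIN.
    return segment[13]


def is_established(flags: int) -> bool:
    """ipfw's documented 'established' semantics: RST or ACK must be set."""
    return bool(flags & (TH_ACK | TH_RST))


def looks_like_ece_bypass(flags: int) -> bool:
    """Detection heuristic: ECE set, no ACK/RST, and not an ECN-setup SYN (SYN+ECE+CWR)."""
    if not flags & TH_ECE:
        return False
    if flags & (TH_ACK | TH_RST):
        return False  # a real established segment, ECE is just ECN feedback
    ecn_setup_syn = (flags & (TH_SYN | TH_ECE | TH_CWR)) == (TH_SYN | TH_ECE | TH_CWR)
    return not ecn_setup_syn


def build_tcp_header(sport: int, dport: int, flags: int) -> bytes:
    """Constructed sample header: seq/ack 0, data offset 5, window 65535, no checksum."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)


def classify(segment: bytes) -> str:
    """Label a segment as the firewall check above would see it."""
    flags = tcp_flags(segment)
    if is_established(flags):
        return "established"
    if looks_like_ece_bypass(flags):
        return "suspicious-ece"
    return "new-connection"


if __name__ == "__main__":
    for name, f in [("plain SYN", TH_SYN), ("SYN+ECE", TH_SYN | TH_ECE),
                    ("ECN SYN", TH_SYN | TH_ECE | TH_CWR), ("ACK", TH_ACK)]:
        print(f"{name:9s} -> {classify(build_tcp_header(40000, 22, f))}")
```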