Bugtraq mailing list archives

Re: Loopback and multi-homed routing flaw in TCP/IP stack.


From: David Litchfield <mnemonix () GLOBALNET CO UK>
Date: Tue, 6 Mar 2001 20:18:58 -0000

We believe there to be a serious security flaw in the TCP/IP stack of
several Unix-like operating systems. Whilst being "known" behavior on
technical mailing lists, we feel that the implications of this
"feature" are unexpected. Furthermore, not all platforms behave in the
same way, which will obviously lead to invalid expectations.


This affects Windows NT as well. I spoke of the exact same problem back in
the December of 1998 (http://www.securityfocus.com/vdb/bottom.html?vid=1692
for the BID and http://oliver.efri.hr/~crv/security/bugs/NT/msproxy3.html
for the details) whereby we could get to the "clean" interface via the
"dirty" interface on MS Proxy II and from there to the rest of the
"protected" network. Microsoft's response at that time was that this
"feature" was part of the IP routing spec and as such they wouldn't do
anything about it because it would break this spec.

In terms of the threat posed by this "feature" in terms of proxy servers,
like MSP and Squid, this should be controlled at the application level. For
example, in MSP, you have a Local Address Table that specifies those IP
addresses that are _allowed_ to use the proxy services. The dirty interface is
not in the LAT, so MSP should dump a request for proxy services if the source
IP address is that of the dirty interface. Why service a request from an IP
address if it is not in the LAT? Unfortunately, to my knowledge this is not
the way things are done with MSP or Squid - so perhaps they should.

Cheers,
David Litchfield
Director of Security Architecture
@stake
http://www.atstake.com/
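The behaviour discussed in this thread, modelled as an added example that is not part of the original post or of any proxy product: a dual-homed host accepting a packet for its "clean" address even when it arrived on the "dirty" interface (weak host model), and the application-level LAT check the reply argues for. The interface addresses, LAT range and packets are constructed sample values.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed topology (assumption): one proxy host with two interfaces.
IFACES = {"clean": ip_address("10.0.0.1"), "dirty": ip_address("192.0.2.1")}
LOCAL_ADDRS = set(IFACES.values())
# Local Address Table: networks allowed to use the proxy services.
LAT = [ip_network("10.0.0.0/24")]


@dataclass
class Packet:
    ingress: str  # interface the packet arrived on ("clean" or "dirty")
    src: str
    dst: str


def host_accepts(pkt, strong_host=False):
    """Weak host model: any locally owned address is accepted on any interface.
    Strong host model: the destination must be the ingress interface's own address."""
    dst = ip_address(pkt.dst)
    if dst not in LOCAL_ADDRS:
        return False
    if not strong_host:
        return True
    return dst == IFACES[pkt.ingress]


def proxy_accepts(pkt):
    """Application-level check: the client address must be in the LAT and the
    request must have come in on the clean interface, so a request that reached
    the clean address via the dirty interface is dropped even if the OS routed it."""
    if pkt.ingress != "clean":
        return False
    src = ip_address(pkt.src)
    return any(src in net for net in LAT)


def serviced(pkt, strong_host=False):
    """True only if both the stack and the proxy would service the request."""
    return host_accepts(pkt, strong_host) and proxy_accepts(pkt)


if __name__ == "__main__":
    outside = Packet("dirty", "198.51.100.7", "10.0.0.1")
    inside = Packet("clean", "10.0.0.5", "10.0.0.1")
    print("weak host accepts outside packet:", host_accepts(outside))
    print("proxy services outside packet:", serviced(outside))
    print("proxy services inside packet:", serviced(inside))
```

With the weak host model the stack accepts the packet for the clean address on the dirty interface, so only the proxy's own LAT and ingress check stops it from being serviced.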
