Bug 101171 - Netfilter / PPTP conntrack helper kernel oops (CAN-2005-2493) (v-s)
Summary: Netfilter / PPTP conntrack helper kernel oops (CAN-2005-2493) (v-s)
Status: RESOLVED INVALID
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Kernel
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL:
Whiteboard: CONFIDENTIAL ????
Keywords:
Depends on:
Blocks:
 
Reported: 2005-08-03 01:01 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2005-12-01 01:01 UTC

See Also:
Package list:
Runtime testing required: ---


Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2005-08-03 01:01:39 UTC
Not sure this is public yet 
 
Subject:  
  
  Netfilter / PPTP conntrack helper kernel oops  
  
Released:  
  
  03 August 2005  
  
Effects:  
  
  By creating several Call Requests within the same PPTP connection,  
  the PPTP conntrack helper ip_conntrack_pptp can lead to a kernel oops.  
  TCP port 1723 must be open either through or to the firewall,  
  and the ip_conntrack_pptp helper needs to be loaded.  
  Note that the PPTP conntrack helper is not part of the vanilla kernel  
  but available via netfilter patch-o-matic.  
  
  The error is in ip_conntrack_core.c in function ip_conntrack_expect_related()
  and ip_conntrack_pptp.c in function exp_gre(). ip_conntrack_expect_related()
  falsely returns an error, which causes the GRE conntrack entry to be freed.
  This leads to a kernel oops. Even though the error is in ip_conntrack_core,
  currently only the PPTP conntrack helper triggers this problem.
  
  The vulnerability can be exploited by using the PPTP Bruter tool,
  which is actually a password cracker against Microsoft PPTP servers
  but which triggers this problem unintentionally. The kernel can be crashed
  by using this tool either directly against the machine or against a machine
  behind it.
  The tool can be retrieved from the following location:
  http://www.thc.org/download.php?t=r&f=thc-pptp-bruter-0.1.4.tar.gz
  
Estimated Severity:  
  
  High  
  
Systems Affected:  
  
  Linux kernels with ip_conntrack_pptp module loaded  
  
Solution:  
  
  1. Apply the patch below.  
  
  or  
  
  2. Remove the PPTP conntrack helper ip_conntrack_pptp kernel module  
  
Contact:  
  Harald Welte <laforge@gnumonks.org>  
  Stephan Scholz <sscholz@astaro.com>  
  
  
  
Patch for kernel 2.6  
--------------------  
  
  
Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c  
===================================================================  
--- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_core.c  
+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_core.c  
@@ -1015,7 +1015,6 @@  
                                struct ip_conntrack *related_to)  
 {  
        struct ip_conntrack_expect *old;  
-       int ret = 0;  
  
        WRITE_LOCK(&ip_conntrack_lock);  
        /* Because of the write lock, no reader can walk the lists,  
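Review bot: removing `int ret = 0;` is only correct together with the two later hunks in this file; applied alone it leaves `ret = -EPERM;` and `return ret;` referring to an undeclared variable, so the three ip_conntrack_core.c hunks must land as one change, not be cherry-picked.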
@@ -1090,7 +1089,6 @@  
                 * related_to->expecting.  
                 */  
                unexpect_related(old);  
-               ret = -EPERM;  
        } else if (LIST_FIND(&ip_conntrack_expect_list, expect_clash,  
                             struct ip_conntrack_expect *, &expect->tuple,  
                             &expect->mask)) {  
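Review bot: the block comment ending with `* related_to->expecting.` just above `unexpect_related(old);` still reads as if evicting the older sibling were a failure the caller has to handle; with `ret = -EPERM;` gone this branch now falls through to the ordinary registration path, so update that comment to say the new expectation replaces the evicted one and the call succeeds. The change itself is the right one: reporting an error after `unexpect_related(old)` while still registering `expect` is what let the helper release an expectation that was already on the list. The `else if (LIST_FIND(... expect_clash ...` branch is untouched, so its own error return is unaffected.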
@@ -1107,7 +1105,7 @@  
  
        CONNTRACK_STAT_INC(expect_create);  
  
-       return ret;  
+       return 0;  
 }  
  
 /* Change tuple in an existing expectation */  
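Review bot: `return 0;` after `CONNTRACK_STAT_INC(expect_create);` makes the success path unconditional, which is consistent with the two hunks above, but it also removes the only way a caller could learn that an older sibling was evicted on its behalf. Document the new contract in the function's header comment (not part of this diff) and check that no other helper relied on the old -EPERM to drop or rebuild its own state; nothing in the visible context shows such a caller, so this is a confirmation request rather than a defect.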
Index: linux-2.6.10/net/ipv4/netfilter/ip_conntrack_pptp.c  
===================================================================  
--- linux-2.6.10.orig/net/ipv4/netfilter/ip_conntrack_pptp.c  
+++ linux-2.6.10/net/ipv4/netfilter/ip_conntrack_pptp.c  
@@ -237,7 +237,6 @@  
  
                if (ip_conntrack_expect_related(exp, master) != 0) {  
                        ip_ct_gre_keymap_destroy(exp);  
-                       ip_conntrack_expect_put(exp);  
                        DEBUGP("cannot expect_related()\n");  
                        return 1;  
                }  
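Review bot: dropping `ip_conntrack_expect_put(exp);` from this failure path makes the helper assume that ip_conntrack_expect_related() takes ownership of `exp` and releases it itself on every non-zero return. The core-side hunks in this patch only stop the eviction case from returning an error; they add no release on the remaining error exits. Confirm that the 2.6.10 core frees the expectation on those exits, otherwise this hunk trades the double release for a leak on genuine failures. `ip_ct_gre_keymap_destroy(exp);` still runs first, so the keymap cleanup is unaffected either way.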
  
  
  
  
  
Patch for kernel 2.4  
--------------------  
  
  
--- linux-2.4/net/ipv4/netfilter/ip_conntrack_core.c  
+++ linux-2.4.conntrack_pptp/net/ipv4/netfilter/ip_conntrack_core.c  
@@ -939,7 +939,6 @@  
                                struct ip_conntrack_expect *expect)  
 {  
        struct ip_conntrack_expect *old, *new;  
-       int ret = 0;  
  
        WRITE_LOCK(&ip_conntrack_lock);  
        /* Because of the write lock, no reader can walk the lists,  
@@ -1021,7 +1020,6 @@  
                 * related_to->expecting.  
                 */  
                unexpect_related(old);  
-               ret = -EPERM;  
        } else if (LIST_FIND(&ip_conntrack_expect_list, expect_clash,  
                             struct ip_conntrack_expect *, &expect->tuple,  
                             &expect->mask)) {  
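Review bot: same point as the 2.6 hunk: with `ret = -EPERM;` removed, the comment above `unexpect_related(old);` that ends in `* related_to->expecting.` should be reworded here too, since eviction is now a normal, successful reuse of the slot rather than an error condition.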
@@ -1061,7 +1059,7 @@  
  
        WRITE_UNLOCK(&ip_conntrack_lock);  
  
-       return ret;  
+       return 0;  
 }  
  
 /* Change tuple in an existing expectation */
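Review bot: the 2.4 part of this patch touches only ip_conntrack_core.c; there is no counterpart to the 2.6 ip_conntrack_pptp.c hunk that removes the release on the helper's error path. With `return 0;` the eviction case no longer reaches that path on 2.4, but the helper's other failures still go through whatever release it performs there; confirm the 2.4 patch-o-matic helper does not have the same double release on those paths, or add the matching hunk so both series get the same fix.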
Comment 1 Thierry Carrez (RETIRED) gentoo-dev 2005-12-01 01:01:08 UTC
From Chris Wright :

"I did not think there was anything for mainline.  This is an external
(patch-o-matic) netfilter module.  Or perhaps I misunderstand the original
post?

Looking a bit closer, there was one hunk against mainline, however that
code's long since been re-written (patch was against 2.6.10, but 2.6.11
and 2.6.12 and current have quite re-written ip_conntrack_expect_related()
function which at quick inspection doesn't have the same error return
path at all on expect eviction."
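The ownership mix-up the advisory's description explains (the core evicts an older expectation, registers the new one, and still reports -EPERM, so the helper's error path releases an object that is live on the expectation list) is easier to see in a small user-space model. The block below is an added example, not kernel code and not netfilter's own; the structures, the single-slot limit with reuse enabled, the `freed` marker used instead of a real free, and the assumption that the caller owns the expectation on failure are all simplifications of this editor's making. `fixed` switches between the unpatched and patched return value.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed model, not kernel code: one outstanding expectation per master
 * (max_expected == 1) with the reuse flag set, so the second Call Request on a
 * control connection evicts the first call's GRE expectation. */
#define MAX_EXPECTED 1

struct master { int expecting; };        /* the PPTP control connection */

struct expect {
    int use;                 /* reference count, like exp->use */
    int freed;               /* simulation only: set instead of freeing, so a
                                dangling list entry can be detected safely */
    int call_id;             /* PPTP call this GRE expectation belongs to */
    struct master *master;   /* related_to */
    struct expect *next;     /* link in the global expectation list */
    struct expect *retired;  /* link in the list of put()-released objects */
};

static struct expect *expect_list;       /* stands in for ip_conntrack_expect_list */
static struct expect *released;          /* objects whose refcount reached zero */

static struct expect *expect_alloc(struct master *m, int call_id)
{
    struct expect *e = calloc(1, sizeof *e);
    if (!e) abort();
    e->use = 1; e->master = m; e->call_id = call_id;
    return e;
}

static void expect_put(struct expect *e)
{
    if (--e->use == 0) {                 /* kernel: kmem_cache_free() */
        e->freed = 1;
        e->retired = released; released = e;
    }
}

/* Unlink an expectation, account for it on its master, drop its reference. */
static void unexpect_related(struct expect *old)
{
    struct expect **pp;
    for (pp = &expect_list; *pp; pp = &(*pp)->next)
        if (*pp == old) { *pp = old->next; break; }
    old->master->expecting--;
    expect_put(old);
}

/* Registration. 'fixed' selects the patched return value after an eviction;
 * in both variants the new expectation is put on the list. */
static int expect_related(struct expect *e, struct master *m, int fixed)
{
    int ret = 0;
    if (m->expecting >= MAX_EXPECTED) {
        struct expect *it, *oldest = NULL;
        for (it = expect_list; it; it = it->next)  /* LIFO list: last hit is oldest */
            if (it->master == m) oldest = it;
        if (oldest) unexpect_related(oldest);
        if (!fixed) ret = -EPERM;        /* the bug: failure reported, yet we register */
    }
    e->next = expect_list; expect_list = e;    /* list_add(): insert at head */
    m->expecting++;
    return ret;
}

/* Caller written like the unpatched helper's exp_gre(): non-zero means "not
 * registered" to it, so it drops its reference (caller-owned on failure here). */
static int exp_gre(struct master *m, int call_id, int fixed)
{
    struct expect *e = expect_alloc(m, call_id);
    if (expect_related(e, m, fixed) != 0) {
        expect_put(e);                   /* releases an object still on the list */
        return 1;
    }
    return 0;
}

/* Released objects still linked on the list: the state that oopses the kernel
 * on the next walk. */
static int dangling_entries(void)
{
    int n = 0;
    for (struct expect *e = expect_list; e; e = e->next) n += e->freed;
    return n;
}

static int list_len(void)
{
    int n = 0;
    for (struct expect *e = expect_list; e; e = e->next) n++;
    return n;
}

static void reset_list(void)
{
    struct expect *e, *next;
    for (e = expect_list; e; e = next) { next = e->next; if (!e->freed) free(e); }
    for (e = released; e; e = next) { next = e->retired; free(e); }
    expect_list = released = NULL;
}

/* Two Call Requests on one control connection, as in the advisory. Returns how
 * many released expectations the global list still points at. */
static int simulate_two_calls(int fixed)
{
    struct master pptp_ctrl = { 0 };
    reset_list();
    exp_gre(&pptp_ctrl, 1, fixed);       /* first call: registered normally */
    exp_gre(&pptp_ctrl, 2, fixed);       /* second call: evicts the first */
    return dangling_entries();
}

int main(void)
{
    printf("unpatched: %d dangling expectation(s)\n", simulate_two_calls(0));
    printf("patched:   %d dangling expectation(s)\n", simulate_two_calls(1));
    reset_list();
    return 0;
}
```

In the unpatched run the second call's expectation is both on the list and released, which is the condition that makes the kernel's next list walk oops; with the patched return value the eviction is reported as success, the helper keeps its reference, and the list holds exactly one live entry. The model returns an error code from `expect_related()` only for the eviction case; a real core has further error exits, and which side owns the expectation on those is exactly the question the ip_conntrack_pptp.c hunk raises.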