
another merge from master

2 parents 5daaca0 + 40ac28d commit 55fa4841f24f13c1db84fa76a02d106298c057ec @mrash committed Sep 4, 2012
@@ -60,3 +60,9 @@ Fernando Arnaboldi (IOActive)
developed along with a new fuzzing capability in the test suite.
- Found a condition in which an overly long IP from malicious authenticated
clients is not properly validated by the fwknopd server (pre-2.0.3).
+ - Found a local buffer overflow in --last processing with a maliciously
+ constructed ~/.fwknop.run file. This has been fixed with proper
+ validation of .fwknop.run arguments.
+ - Found several conditions in which the server did not properly throw out
+ maliciously constructed variables in the access.conf file. This has been
+ fixed along with new fuzzing tests in the test suite.
@@ -1,6 +1,4 @@
-fwknop-2.0.3 (08//2012):
- - Fixed RPM builds by including the $(DESTDIR) prefix for uninstall-local
- and install-exec-hook stages in Makefile.am.
+fwknop-2.0.3 (09/03/2012):
- [server] Fernando Arnaboldi from IOActive found several DoS/code
execution vulnerabilities for malicious fwknop clients that manage to
get past the authentication stage (so a such a client must be in
@@ -21,9 +19,15 @@ fwknop-2.0.3 (08//2012):
- [client] Fernando Arnaboldi from IOActive found a local buffer overflow
in --last processing with a maliciously constructed ~/.fwknop.run file.
This has been fixed with proper validation of .fwknop.run arguments.
+ - [server] Fernando Arnaboldi from IOActive found several conditions in
+ which the server did not properly throw out maliciously constructed
+ variables in the access.conf file. This has been fixed along with new
+ fuzzing tests in the test suite.
- [test suite] Added a new fuzzing capability to ensure proper server-side
input validation. Fuzzing data is constructed with modified fwknop
client code that is designed to emulate malicious behavior.
+ - Fixed RPM builds by including the $(DESTDIR) prefix for uninstall-local
+ and install-exec-hook stages in Makefile.am.
fwknop-2.0.2 (08/18/2012):
- [server] For GPG mode, added a new access.conf variable
@@ -150,6 +150,9 @@ EXTRA_DIST = \
test/conf/subnet_source_match_access.conf \
test/conf/local_nat_fwknopd.conf \
test/conf/disable_aging_fwknopd.conf \
+ test/conf/fuzzing_source_access.conf \
+ test/conf/fuzzing_open_ports_access.conf \
+ test/conf/fuzzing_restrict_ports_access.conf \
test/hardening-check \
test/local_spa.key \
test/test-fwknop.pl \
@@ -1 +1 @@
-fwknop-2.0.2
+fwknop-2.0.3
@@ -207,13 +207,13 @@
#define PACKAGE_NAME "fwknop"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "fwknop 2.0.2"
+#define PACKAGE_STRING "fwknop 2.0.3"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "fwknop"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "2.0.2"
+#define PACKAGE_VERSION "2.0.3"
/* The size of `unsigned int', as computed by sizeof. */
#define SIZEOF_UNSIGNED_INT 4
@@ -247,7 +247,7 @@
/* Version number of package */
-#define VERSION "2.0.2"
+#define VERSION "2.0.3"
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
@@ -518,7 +518,7 @@ process_rc(fko_cli_options_t *options)
}
/* Check rc file permissions - if anything other than user read/write,
- * then don't process it. This change was made to help ensure that the
+ * then throw a warning. This change was made to help ensure that the
* client consumes a proper rc file with strict permissions set (thanks
* to Fernando Arnaboldi from IOActive for pointing this out).
*/
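Review bot: The comment now says the client will `throw a warning` on a badly-permissioned rc file, but whether processing then continues depends on how the return value of the permission check is handled in the lines after this hunk, which are not shown; if that check still stops rc processing, the old wording was the accurate one. Because the original restriction is credited to a reported issue, the comment should state the consequence explicitly rather than only the message, e.g. `* then warn but keep processing it (the check no longer aborts). This change was made to help ensure that the`, or the old text should stay if processing is still refused. process_rc starts and ends outside the hunk.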
@@ -637,6 +637,7 @@ show_last_command(void)
#endif
if (get_save_file(args_save_file)) {
+ verify_file_perms_ownership(args_save_file);
if ((args_file_ptr = fopen(args_save_file, "r")) == NULL) {
fprintf(stderr, "Could not open args file: %s\n",
args_save_file);
@@ -681,7 +682,6 @@ run_last_args(fko_cli_options_t *options)
if (get_save_file(args_save_file))
{
verify_file_perms_ownership(args_save_file);
-
if ((args_file_ptr = fopen(args_save_file, "r")) == NULL)
{
fprintf(stderr, "Could not open args file: %s\n",
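Review bot: The return value of the added `verify_file_perms_ownership(args_save_file);` in show_last_command, and of the existing call in run_last_args, is discarded, and the utils.c change in this same commit makes that function return 0 on a failed check instead of exiting, so a ~/.fwknop.run file with loose permissions or foreign ownership is now only warned about and then opened and parsed anyway. If the intent is to refuse such a file, check the result before the fopen(): `if(!verify_file_perms_ownership(args_save_file)) return;` in show_last_command (declared void), with the equivalent early exit in run_last_args. If warn-only is the intended behaviour, say so with a comment on the call so the next reader does not take the unchecked result for an oversight. Both functions start outside the hunk.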
@@ -110,6 +110,7 @@ set_file_perms(const char *file)
int
verify_file_perms_ownership(const char *file)
{
+ int res = 1;
#if HAVE_STAT
struct stat st;
@@ -118,9 +119,17 @@ verify_file_perms_ownership(const char *file)
*/
if((stat(file, &st)) != 0)
{
- fprintf(stderr, "[-] unable to run stat() against file: %s: %s\n",
- file, strerror(errno));
- exit(EXIT_FAILURE);
+ /* if the path doesn't exist, just return, but otherwise something
+ * went wrong
+ */
+ if(errno == ENOENT)
+ {
+ return 0;
+ } else {
+ fprintf(stderr, "[-] stat() against file: %s returned: %s\n",
+ file, strerror(errno));
+ exit(EXIT_FAILURE);
+ }
}
/* Make sure it is a regular file or symbolic link
@@ -131,7 +140,7 @@ verify_file_perms_ownership(const char *file)
"[-] file: %s is not a regular file or symbolic link.\n",
file
);
- return 0;
+ res = 0;
}
if((st.st_mode & (S_IRWXU|S_IRWXG|S_IRWXO)) != (S_IRUSR|S_IWUSR))
@@ -140,18 +149,18 @@ verify_file_perms_ownership(const char *file)
"[-] file: %s permissions should only be user read/write (0600, -rw-------)\n",
file
);
- return 0;
+ res = 0;
}
if(st.st_uid != getuid())
{
fprintf(stderr, "[-] file: %s not owned by current effective user id.\n",
file);
- return 0;
+ res = 0;
}
#endif
- return 1;
+ return res;
}
/***EOF***/
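Review bot: The new ENOENT branch returns 0, the same value the permission and ownership checks now return through `res`, so a caller cannot distinguish a missing file from an insecure one, and the comment `just return` does not say which value is returned. Since the function no longer exits on a failed check, its contract should be stated in a comment above the definition: returns 1 when the file is a regular file owned by the calling user with mode 0600 (or unconditionally when HAVE_STAT is not defined), 0 when the file is missing or any check fails, and exits the process on any other stat() error. If callers need the distinction, either a distinct return value for the missing-file case or leaving it to the subsequent fopen() to report would be cleaner. When HAVE_STAT is not defined `res` stays 1 and the file is trusted without any check; that is pre-existing, but worth saying in the same comment.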
@@ -11,7 +11,7 @@ AC_PREREQ(2.62)
dnl Define our name, version and email.
m4_define(my_package, [fwknop])
-m4_define(my_version, [2.0.2])
+m4_define(my_version, [2.0.3])
m4_define(my_bug_email, [dstuart@dstuart.org])
AC_INIT(my_package, my_version, my_bug_email)
@@ -13,7 +13,7 @@
%define _mandir /usr/share/man
Name: fwknop
-Version: 2.0.2
+Version: 2.0.3
Epoch: 1
Release: 1%{?dist}
Summary: Firewall Knock Operator client. An implementation of Single Packet Authorization.
@@ -203,13 +203,13 @@ Copyright (C) Max Kastanas 2010
#define PACKAGE_NAME "fwknop"
/* Define to the full name and version of this package. */
-#define PACKAGE_STRING "fwknop 2.0.2"
+#define PACKAGE_STRING "fwknop 2.0.3"
/* Define to the one symbol short name of this package. */
#define PACKAGE_TARNAME "fwknop"
/* Define to the version of this package. */
-#define PACKAGE_VERSION "2.0.2"
+#define PACKAGE_VERSION "2.0.3"
/* The size of `unsigned int', as computed by sizeof. */
#define SIZEOF_UNSIGNED_INT 4
@@ -243,7 +243,7 @@ Copyright (C) Max Kastanas 2010
/* Version number of package */
-#define VERSION "2.0.2"
+#define VERSION "2.0.3"
/* Define WORDS_BIGENDIAN to 1 if your processor stores words with the most
significant byte first (like Motorola and SPARC, unlike Intel). */
@@ -33,6 +33,7 @@
#include <time.h>
#include "fko_limits.h"
+#include "fko_message.h"
#include "rijndael.h" /* For encryption modes */
#include "digest.h"
@@ -57,7 +58,7 @@ extern "C" {
/* General params
*/
-#define FKO_PROTOCOL_VERSION "2.0.2" /* The fwknop protocol version */
+#define FKO_PROTOCOL_VERSION "2.0.3" /* The fwknop protocol version */
/* Supported FKO Message types...
*/
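Review bot: The added `#include "fko_message.h"` goes into fko.h, which from the FKO_PROTOCOL_VERSION define in this hunk looks like the library's public header, and from the fko_message.h hunk in this commit that header pulls in `<arpa/inet.h>` plus, depending on HAVE_SYS_SOCKET_H and PLATFORM_OPENBSD, the socket headers. If fko.h is installed for third-party consumers, those configure-generated macros are not defined in their builds, so the include set a consumer sees differs from the one the library was compiled with, and every consumer now depends on the socket headers whether it needs them or not. If only fko_message.c needs the new header, the include it already adds there is enough and the one in fko.h can be dropped; otherwise a comment in fko.h saying why the public header needs it would help.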
@@ -30,6 +30,7 @@
*****************************************************************************
*/
#include "fko_common.h"
+#include "fko_message.h"
#include "fko.h"
/* Set the SPA message type.
@@ -265,12 +266,17 @@ validate_nat_access_msg(const char *msg)
int
got_allow_ip(const char *msg)
{
- const char *ndx = msg;
- int dot_ctr = 0, char_ctr = 0;
- int res = FKO_SUCCESS;
+ const char *ndx = msg;
+ char ip_str[MAX_IPV4_STR_LEN];
+ int dot_ctr = 0, char_ctr = 0;
+ int res = FKO_SUCCESS;
+#if HAVE_SYS_SOCKET_H
+ struct in_addr in;
+#endif
while(*ndx != ',' && *ndx != '\0')
{
+ ip_str[char_ctr] = *ndx;
char_ctr++;
if(char_ctr >= MAX_IPV4_STR_LEN)
{
@@ -287,12 +293,25 @@ got_allow_ip(const char *msg)
ndx++;
}
- if (char_ctr < MIN_IPV4_STR_LEN)
+ if(char_ctr < MAX_IPV4_STR_LEN)
+ ip_str[char_ctr] = '\0';
+ else
res = FKO_ERROR_INVALID_ALLOW_IP;
- if(dot_ctr != 3)
+ if ((res == FKO_SUCCESS) && (char_ctr < MIN_IPV4_STR_LEN))
res = FKO_ERROR_INVALID_ALLOW_IP;
+ if((res == FKO_SUCCESS) && dot_ctr != 3)
+ res = FKO_ERROR_INVALID_ALLOW_IP;
+
+#if HAVE_SYS_SOCKET_H
+ /* Stronger IP validation now that we have a candidate that looks
+ * close enough
+ */
+ if((res == FKO_SUCCESS) && (inet_aton(ip_str, &in) == 0))
+ res = FKO_ERROR_INVALID_ALLOW_IP;
+#endif
+
return(res);
}
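Review bot: inet_aton() on the added line `if((res == FKO_SUCCESS) && (inet_aton(ip_str, &in) == 0))` accepts octal and hexadecimal octets (a leading-zero component is read as octal), so a candidate that passes the length and three-dot checks can be parsed as a different address than a strict dotted-decimal reader, such as the firewall rule code, would produce. inet_pton(AF_INET, ...) accepts only dotted-decimal and is declared in the `<arpa/inet.h>` that fko_message.h now includes: `if((res == FKO_SUCCESS) && (inet_pton(AF_INET, ip_str, &in) != 1))`. The loop body between the two hunks is outside the hunk, so I am assuming the `char_ctr >= MAX_IPV4_STR_LEN` branch leaves the loop before the next `ip_str[char_ctr] = *ndx;` store; that assumption is what keeps the store in bounds and deserves a one-line comment at the store.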
@@ -32,6 +32,16 @@
#ifndef FKO_MESSAGE_H
#define FKO_MESSAGE_H 1
+#if PLATFORM_OPENBSD
+ #include <sys/types.h>
+ #include <netinet/in.h>
+#else
+ #if HAVE_SYS_SOCKET_H
+ #include <sys/socket.h>
+ #endif
+#endif
+#include <arpa/inet.h>
+
#define MAX_PROTO_STR_LEN 5 /* tcp, udp, icmp for now */
#define MAX_PORT_STR_LEN 6
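Review bot: `#include <arpa/inet.h>` is added unconditionally while `<netinet/in.h>` is only included on the PLATFORM_OPENBSD branch and `<sys/socket.h>` only under HAVE_SYS_SOCKET_H; `struct in_addr`, which the fko_message.c hunk in this commit declares under HAVE_SYS_SOCKET_H, is defined by `<netinet/in.h>`, and `<arpa/inet.h>` is not guaranteed to pull it in on every platform. Including `<netinet/in.h>` next to `<arpa/inet.h>` on both branches, or guarding `<arpa/inet.h>` with the same HAVE_SYS_SOCKET_H condition the .c file uses for the in_addr code, keeps the header self-contained and the two files in step. The HAVE_* and PLATFORM_* macros presumably come from the generated config.h, so a comment noting that this header must be included after it would save the next reader a build failure.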
