From owner-announce-jp@jp.freebsd.org  Sat Nov 25 11:35:54 2000
Received: (from daemon@localhost)
	by castle.jp.freebsd.org (8.9.3+3.2W/8.7.3) id LAA28574;
	Sat, 25 Nov 2000 11:35:54 +0900 (JST)
	(envelope-from owner-announce-jp@jp.FreeBSD.org)
Message-Id: <200011242001.FAA04841@eos.ocn.ne.jp>
To: announce-jp@jp.freebsd.org
In-Reply-To: <20001114223203.72E6B37B4D7@hub.freebsd.org>
References: <20001114223203.72E6B37B4D7@hub.freebsd.org>
X-Mailer: Mew version 1.94.1 on Emacs 19.34 / Mule 2.3 (SUETSUMUHANA)
Mime-Version: 1.0
Content-Type: Text/Plain; charset=iso-2022-jp
Content-Transfer-Encoding: 7bit
Date: Sat, 25 Nov 2000 04:44:11 +0900
From: Hiroki Sato <hrs@eos.ocn.ne.jp>
X-Dispatcher: imput version 20000228(IM140)
X-ML-maintainer: owner-announce-jp@jp.FreeBSD.org
Precedence: list
X-Distribute: distribute version 2.1 (Alpha) patchlevel 24e+000315
X-Sequence: announce-jp 623
Subject: Re: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:70.ppp-nat
Errors-To: owner-announce-jp@jp.freebsd.org
Sender: owner-announce-jp@jp.freebsd.org


 $B$3$N%a!<%k$O(B, announce-jp $B$KN.$l$?(B

  Subject: ANNOUNCE: FreeBSD Security Advisory: FreeBSD-SA-00:70.ppp-nat
  From: FreeBSD Security Advisories <security-advisories@freebsd.org>
  Date: Tue, 14 Nov 2000 14:32:03 -0800 (PST)
  Message-Id: <20001114223203.72E6B37B4D7@hub.freebsd.org>
  X-Sequence: announce-jp 602

 Japanese mirror sites exist for the WWW site http://www.FreeBSD.org/ and
 the FTP site ftp://ftp.FreeBSD.org/ referred to in this advisory.
 To use the mirror sites, replace
 http://www.FreeBSD.org/ with http://www.jp.FreeBSD.org/www.freebsd.org/,
 and ftp://ftp.FreeBSD.org/ with ftp://ftp.jp.FreeBSD.org/.

 To ease network congestion, please consider using a mirror site first.
 Details about the mirror sites are given at

  http://www.FreeBSD.org/handbook/mirror.html (English)
  http://www.FreeBSD.org/ja/handbook/mirror.html (Japanese translation)

 and past Japanese-language security advisories are collected at

  http://www.FreeBSD.org/ja/security/

 The original text is PGP-signed, but this Japanese translation is not.
 To perform a PGP check confirming that the patch and other content have
 not been tampered with, refer to the original text.

 The Japanese translation is provided for reference by the FreeBSD
 Japanese Documentation Project (doc-jp), and doc-jp makes no warranty of
 any kind regarding its content.  Please send inquiries about the
 Japanese translation to doc-jp@jp.FreeBSD.org.

--(begins here)

=============================================================================
FreeBSD-SA-00:70                                           Security Advisory
                                                                FreeBSD, Inc.

Topic:		ppp "deny_incoming" does not correctly deny incoming packets

Category:	core
Module:		ppp
Announced:	2000-11-14
Credits:	Robin Melville <robmel@innotts.co.uk>
Affects:	FreeBSD 3.5, 3.5.1, 4.1, 4.1.1
                FreeBSD 3.5.1-STABLE and 4.1.1-STABLE prior to the
                correction date
Corrected:	2000-10-30 (FreeBSD 4.1.1-STABLE)
                2000-10-30 (FreeBSD 3.5.1-STABLE)
FreeBSD only:	Yes

I.   Background

The ppp(8) utility includes a network address translation facility
(translator's note: what is commonly called NAT) that translates between
public and private addresses.  This facility is implemented using the
libalias library.

II.  Problem Description

According to the ppp documentation, the "nat deny_incoming" command
"refuses all incoming connections".  It is commonly used to prevent
outside users from connecting to services on the internal network,
with ppp serving as a simple firewall.  However, before the release of
FreeBSD 4.1 and 3.5 (on 2000-06-05 for 4.x and 2000-06-03 for 3.x), the
ppp code in both the 3.x and 4.x branches was changed to allow through
packets it does not recognize, such as IPSEC packets and packets of
other IP protocols, which the ppp processing code does not regard as
"incoming connection attempts".  This was arguably incorrect behaviour
in itself, but the ppp processing code additionally, by mistake, allows
ALL arriving packets through, which in effect disables the
"deny_incoming" functionality.

Therefore, users who use deny_incoming to implement a "deny by default"
firewall that passes only packets belonging to an existing NAT session
are in fact allowing certain kinds of unintended IP packets
(translator's note: such as new incoming connection requests and ICMP)
into their internal network.

The problematic ppp behaviour has been corrected so that only incoming
packets belonging to a valid NAT session are allowed through.  As a
result, ppp now provides the packet filtering behaviour that is
generally expected.  An outgoing IP packet that libalias does not
recognize (such as an outgoing IPSEC packet used for a VPN) establishes
a NAT session that allows incoming packets with the corresponding
source address, destination address and protocol number, and denies all
others.

This behaviour should be sufficient, from a security standpoint, for
most users.  Where more complex filtering or a more complex security
policy is required, use the finely configurable packet filters provided
by ipfw(8) or ipf(8), which can meet such requirements.

The only FreeBSD releases affected by this problem are FreeBSD 3.5,
3.5.1, 4.1 and 4.1.1.  The fix was made in the 4.1.1-STABLE branch
before the release of FreeBSD 4.2-RELEASE.
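
The session rule described above, modelled as an added example (it is not
part of the advisory and is not code from ppp or libalias; the table, the
function names and the addresses are constructed for illustration).  An
outgoing packet of a protocol the NAT engine cannot parse records a
(source, destination, protocol) entry, and the fixed flag switches between
the affected behaviour and the corrected one.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample values (host byte order); none come from the advisory. */
#define INSIDE_HOST 0xC0A8000Au /* 192.168.0.10, internal VPN client */
#define VPN_PEER    0xCB007105u /* 203.0.113.5, remote IPSEC gateway */
#define STRANGER    0xC6336409u /* 198.51.100.9, unrelated remote host */
#define PROTO_ESP   50          /* IP protocol number of IPSEC ESP */
/* Hypothetical session table for protocols the NAT engine cannot parse. */
static struct session { uint32_t in, out; uint8_t proto; } table[16];
static int nsessions;

static int find(uint32_t in, uint32_t out, uint8_t proto)
{
    for (int i = 0; i < nsessions; i++)
        if (table[i].in == in && table[i].out == out && table[i].proto == proto)
            return i;
    return -1;
}

/* Outgoing packet: remember (source, destination, protocol). -1 if table full. */
int record_outgoing(uint32_t src, uint32_t dst, uint8_t proto)
{
    if (find(src, dst, proto) >= 0)
        return 0;
    if (nsessions == (int)(sizeof table / sizeof table[0]))
        return -1;
    table[nsessions++] = (struct session){ src, dst, proto };
    return 0;
}

/* Incoming packet, dst already de-aliased: 1 = forward, 0 = drop; fixed=0 is affected ppp. */
int incoming_allowed(uint32_t src, uint32_t dst, uint8_t proto, int deny, int fixed)
{
    if (find(dst, src, proto) >= 0)
        return 1;   /* mirrors a session opened from the inside */
    if (deny && fixed)
        return 0;   /* deny_incoming honoured: no session, no entry */
    return 1;       /* deny_incoming off, or affected release: passes */
}

int main(void)
{
    record_outgoing(INSIDE_HOST, VPN_PEER, PROTO_ESP);
    printf("peer %d, stranger (fixed) %d, stranger (affected) %d\n",
           incoming_allowed(VPN_PEER, INSIDE_HOST, PROTO_ESP, 1, 1),
           incoming_allowed(STRANGER, INSIDE_HOST, PROTO_ESP, 1, 1),
           incoming_allowed(STRANGER, INSIDE_HOST, PROTO_ESP, 1, 0));
    return 0;
}
```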

III. Impact

Incoming packets from remote users that are not part of an existing NAT
session can pass through the NAT gateway.  The passage of these packets
may violate security policy.

IV.  Workaround

Use a dedicated packet filter such as ipfw(8) or ipf(8) on the PPP
gateway to deny incoming packets in accordance with the desired
security policy.


V.   Solution

Do one of the following.

1) Upgrade the vulnerable FreeBSD system to 4.1.1-STABLE or
   3.5.1-STABLE dated after the correction date.

2) Apply the patch below and rebuild the relevant files.

Either save this advisory to a file, or download the patch and the PGP
signature from the following locations, and verify the signature using
your PGP utility.

ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:70/ppp.patch
ftp://ftp.freebsd.org/pub/FreeBSD/CERT/patches/SA-00:70/ppp.patch.asc

Then execute the following commands as root.

# cd /usr/src/usr.sbin/ppp
# patch -p < /path/to/patch_or_advisory
# make depend && make all install

Patch for vulnerable systems:

Index: nat_cmd.c
===================================================================
RCS file: /mnt/ncvs/src/usr.sbin/ppp/nat_cmd.c,v
retrieving revision 1.49
retrieving revision 1.50
diff -u -r1.49 -r1.50
- --- nat_cmd.c	2000/07/11 22:11:31	1.49
+++ nat_cmd.c	2000/10/30 18:02:01	1.50
@@ -421,7 +421,11 @@
       break;
 
     case PKT_ALIAS_IGNORED:
- -      if (log_IsKept(LogTCPIP)) {
+      if (PacketAliasSetMode(0, 0) & PKT_ALIAS_DENY_INCOMING) {
+        log_Printf(LogTCPIP, "NAT engine denied data:\n");
+        m_freem(bp);
+        bp = NULL;
+      } else if (log_IsKept(LogTCPIP)) {
         log_Printf(LogTCPIP, "NAT engine ignored data:\n");
         PacketCheck(bundle, MBUF_CTOP(bp), bp->m_len, NULL, NULL, NULL);
       }
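
Review bot: in the new deny branch of case PKT_ALIAS_IGNORED, the message
"NAT engine denied data:" ends in a colon but, unlike the ignored branch
directly below it, is not followed by a PacketCheck() call, so the log
records that a packet was dropped without saying which one. Consider
calling PacketCheck() on the buffer before m_freem(bp), guarded by
log_IsKept(LogTCPIP) as in the else branch, or drop the colon.
PacketAliasSetMode(0, 0) is used here purely to read the current mode (a
zero mask changes nothing), which deserves a short comment. Because bp is
now set to NULL inside the switch, the code after the switch has to cope
with a NULL bp; that code is outside this hunk and should be checked.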

