kern/180881: [panic] Attack invalid user in mpd causes kernel panic.
Marcelo Gondim
gondim at intnet.com.br
Fri Aug 9 20:40:03 UTC 2013
The following reply was made to PR kern/180881; it has been noted by GNATS.
From: Marcelo Gondim <gondim at intnet.com.br>
To: bug-followup at FreeBSD.org, gondim at bsdinfo.com.br
Cc:
Subject: Re: kern/180881: [panic] Attack invalid user in mpd causes kernel
panic.
Date: Fri, 09 Aug 2013 17:31:21 -0300
Hi All,
More information about this problem:
My mpd.conf:
===========
startup:
# configure mpd users
#set user foo bar admin
set user suporte papatango
set user admin tutumineiro admin
# configure the console
set console self 192.168.8.34 5005
set console open
# configure the web server
set web self 0.0.0.0 5006
set web open
default:
load pppoe_server
pppoe_server:
create bundle template B
set iface disable proxy-arp
set iface enable tcpmssfix
set ipcp dns 8.8.8.8 8.8.4.4
#set ipcp enable vjcomp
set iface up-script /usr/local/etc/mpd5/addclient.sh
set iface down-script /usr/local/etc/mpd5/removeclient.sh
set ippool add pool1 10.10.0.1 10.10.255.254
set ipcp ranges 10.51.0.1/32 ippool pool1
create link template common pppoe
#set link enable multilink
set link action bundle B
set link disable chap pap eap
set link mtu 1492
set link mru 1492
set link enable pap
load radius
create link template igb1 common
set pppoe iface igb1
set pppoe acname "IntBSD1"
set pppoe service "*"
set link enable incoming
set auth max-logins 1
set link max-children 5000
create link template igb2 common
set pppoe iface igb2
set pppoe acname "IntBSD2"
set pppoe service "*"
set link enable incoming
set auth max-logins 1
set link max-children 5000
create link template igb3 common
set pppoe iface igb3
set pppoe acname "IntBSD3"
set pppoe service "*"
set link enable incoming
set auth max-logins 1
set link max-children 5000
radius:
set radius server localhost xuxupedra 1812 1813
set radius retries 3
set radius timeout 3
# send the given IP in the RAD_NAS_IP_ADDRESS attribute to the
server.
set radius me 127.0.0.1
# send accounting updates every 5 minutes
set auth acct-update 300
# enable RADIUS, and fallback to mpd.secret, if RADIUS auth failed
set auth enable radius-auth
# enable RADIUS accounting
set auth enable radius-acct
# protect our requests with the message-authenticator
set radius enable message-authentic
###########################################################################
/usr/local/etc/mpd5/addclient.sh:
============================
#!/bin/sh
# script interface proto local-ip remote-ip authname [ dns1 server-ip ]
[ dns2 server-ip ] peer-address
if [ "$5" == "hercilia201254" ]; then
ipfw table 11 add $4
exit
fi
if [ "$5" == "cpcosta" ]; then
ipfw table 10 add $4
exit
fi
if [ "$5" == "sergio" ]; then
ipfw table 12 add $4
exit
fi
ipfw table 13 add $4
/usr/local/etc/mpd5/removeclient.sh:
===============================
#!/bin/sh
# script interface proto local-ip remote-ip authname peer-address
if [ "$5" == "hercilia201254" ]; then
ipfw table 11 delete $4
exit
fi
if [ "$5" == "cpcosta" ]; then
ipfw table 10 delete $4
exit
fi
if [ "$5" == "sergio" ]; then
ipfw table 12 delete $4
exit
fi
ipfw table 13 delete $4
###########################################################################
My ipfw:
=======
fw="/sbin/ipfw"
ext_if="igb0"
$fw disable one_pass
$fw -f flush
$fw zero
$fw table all flush
$fw -f pipe flush
ssh_port="4321"
$fw add allow all from any to any via lo0
$fw add deny all from 127.0.0.0/8 to any
$fw add deny all from any to 127.0.0.0/8
$fw add check-state
# velocidade de 1024kbps
$fw add pipe 1 ip from "table(10)" to any in via ng*
$fw add pipe 2 ip from any to "table(10)" out via ng*
$fw pipe 1 config bw 1024Kbit/s queue 128 mask src-ip 255.255.255.255
$fw pipe 2 config bw 1024Kbit/s queue 128 mask dst-ip 255.255.255.255
# velocidade de 2048kbps
$fw add pipe 3 ip from "table(11)" to any in via ng*
$fw add pipe 4 ip from any to "table(11)" out via ng*
$fw pipe 3 config bw 2048Kbit/s queue 256 mask src-ip 255.255.255.255
$fw pipe 4 config bw 2048Kbit/s queue 256 mask dst-ip 255.255.255.255
# velocidade de 10240kbps
$fw add pipe 5 ip from "table(12)" to any in via ng*
$fw add pipe 6 ip from any to "table(12)" out via ng*
$fw pipe 5 config bw 10240Kbit/s queue 1280 mask src-ip 255.255.255.255
$fw pipe 6 config bw 10240Kbit/s queue 1280 mask dst-ip 255.255.255.255
# velocidade de 64kbps
$fw add pipe 7 ip from "table(13)" to any in via ng*
$fw add pipe 8 ip from any to "table(13)" out via ng*
$fw pipe 7 config bw 64Kbit/s queue 8 mask src-ip 255.255.255.255
$fw pipe 8 config bw 64Kbit/s queue 8 mask dst-ip 255.255.255.255
$fw add allow icmp from any to any icmptypes 0,3,8,11,12
$fw add deny icmp from any to any
=============================================================
My PF Rules for NAT only:
=====================
ext_if = "igb0"
table <masq> persist { 10.0.0.0/8 }
set skip on lo0
set limit states 40000
nat on $ext_if from <masq> to any -> 192.168.8.34
###########################################################################
Below the test I ran in other FreeBSD:
My ppp.conf:
===========
intnet:
set device PPPoE:re0
set mru 1492
set mtu 1492
set authname hercilia201254
set authkey password_wrong
set login
set dial
enable dns
add default HISADDR
set timeout 0
open
###########################################################################
Command for attack:
# for (( i=0; i < 3000; i++ )); do ppp -ddial intnet ; done
The user hercilia201254 is the password wrong deliberately to execute
the attack.
After about 3 hours of the attack, the problem occurs.
This problem happened with the igb driver. With the em driverhave not
seen the problem happen.
Thanks and best regards.
More information about the freebsd-bugs
mailing list