Vulnerabilities > CVE-2001-0183 - Unspecified vulnerability in Freebsd

CVSS 7.5 - HIGH
Attack vector
NETWORK
Attack complexity
LOW
Privileges required
NONE
Confidentiality impact
PARTIAL
Integrity impact
PARTIAL
Availability impact
PARTIAL
network
low complexity
freebsd
nessus
exploit available

Summary

ipfw and ip6fw in FreeBSD 4.2 and earlier allows remote attackers to bypass access restrictions by setting the ECE flag in a TCP packet, which makes the packet appear to be part of an established connection.

Exploit-Db

descriptionFreeBSD 3.x/4.x ipfw Filtering Evasion Vulnerability. CVE-2001-0183. Remote exploit for freebsd platform
idEDB-ID:20593
last seen2016-02-02
modified2001-01-23
published2001-01-23
reporterAragon Gouveia
sourcehttps://www.exploit-db.com/download/20593/
titleFreeBSD 3.x/4.x ipfw Filtering Evasion Vulnerability

Nessus

NASL familyFirewalls
NASL idECE_FLAG.NASL
descriptionThe remote host seems vulnerable to a bug wherein a remote attacker can circumvent the firewall by setting the ECE bit within the TCP flags field. At least one firewall (ipfw) is known to exhibit this sort of behavior. Known vulnerable systems include all FreeBSD 3.x, 4.x, 3.5-STABLE, and 4.2-STABLE.
last seen2020-06-01
modified2020-06-02
plugin id12118
published2004-03-30
reporterThis script is Copyright (C) 2004-2020 Andrey I. Zakharov and John Lampe
sourcehttps://www.tenable.com/plugins/nessus/12118
titleMultiple BSD ipfw / ip6fw ECE Bit Filtering Evasion
code
#

# Changes by Tenable:
# - Revised plugin title, tweaked output formatting, changed family (9/1/09)
# - Added plugin output report, updated string concatenation (12/24/19)

include("compat.inc");

# Plugin registration: identifiers, user-facing text, CVSS vectors and
# the runtime requirements. Nothing here sends packets.
if (description)
{
  # Identity
  script_id(12118);
  script_version("1.22");
  script_cvs_date("Date: 2020/01/02");

  # Cross references
  script_cve_id("CVE-2001-0183");
  script_bugtraq_id(2293);

  # Names
  script_name(english:"Multiple BSD ipfw / ip6fw ECE Bit Filtering Evasion");
  script_summary(english:"Firewall ECE-bit bypass");

  # Report text
  script_set_attribute(attribute:"synopsis", value:"Firewalling rules may be circumvented.");
  script_set_attribute(attribute:"description", value:
"The remote host seems vulnerable to a bug wherein a remote attacker
can circumvent the firewall by setting the ECE bit within the TCP
flags field. At least one firewall (ipfw) is known to exhibit this
sort of behavior.

Known vulnerable systems include all FreeBSD 3.x ,4.x, 3.5-STABLE, and
4.2-STABLE.");
  script_set_attribute(attribute:"solution", value:
"If you are running FreeBSD 3.X, 4.x, 3.5-STABLE, 4.2-STABLE, upgrade
your firewall. If you are not running FreeBSD, contact your firewall
vendor for a patch.");

  # Scoring
  script_set_cvss_base_vector("CVSS2#AV:N/AC:L/Au:N/C:P/I:P/A:P");
  script_set_cvss_temporal_vector("CVSS2#E:POC/RL:OF/RC:C");
  script_set_cvss3_base_vector("CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L");
  script_set_attribute(attribute:"cvss_score_source", value:"CVE-2001-0183");
  script_set_attribute(attribute:"exploitability_ease", value:"Exploits are available");
  script_set_attribute(attribute:"exploit_available", value:"true");

  # Dates
  script_set_attribute(attribute:"vuln_publication_date", value:"2001/01/23");
  script_set_attribute(attribute:"plugin_publication_date", value:"2004/03/30");

  # The check infers the bug from firewall behaviour rather than a
  # version string, hence "potential_vulnerability".
  script_set_attribute(attribute:"potential_vulnerability", value:"true");
  script_set_attribute(attribute:"plugin_type", value:"remote");
  script_end_attributes();

  # Classification
  script_category(ACT_GATHER_INFO);
  script_family(english:"Firewalls");
  script_copyright(english:"This script is Copyright (C) 2004-2020 Andrey I. Zakharov and John Lampe");

  # Only runs when paranoid reporting is enabled (see the check below).
  script_require_keys("Settings/ParanoidReport");

  exit(0);
}

include("audit.inc");
include('global_settings.inc');

# Preconditions for the active check.
# - The probes below are forged as IPv4 (forge_ip_packet with ip_v:4),
#   so an IPv6 target is skipped.
# - The result is inferred from firewall behaviour, so it is only
#   reported on paranoid scans.
# - Hosts on the scanner's own network or the scanner itself are
#   skipped; presumably there is no firewall in the path to test there.
if (TARGET_IS_IPV6) exit(0);

if (report_paranoia < 2) audit(AUDIT_PARANOID);

if (islocalnet() || islocalhost()) exit(0);


# start script
# Probe parameters.
# sport starts at a random value in 1024..65534; it is incremented
# before each probe so the pcap filter can match the reply by its
# destination port.
sport = (rand() % 64511) + 1024;
ipid = 1234;      # IP identification used for every forged packet
myack = 0xFF67;   # acknowledgement number carried by the forged SYN
init_seq = 538;   # sequence number carried by the forged SYN

# Services that are commonly listening yet usually firewalled. Only
# ports the port scanner did NOT already find open are probed.
port = make_list(22, 111, 1025, 139, 3389, 23);



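# Send one forged TCP segment to dport and wait for a reply from the
# target addressed to sport (up to three tries, 1 s timeout each).
#   ip       - pre-forged IPv4 header; the TCP layer is added here
#   dport    - destination port on the target
#   sport    - source port of the probe, also used to key the pcap filter
#   th_flags - TCP flags byte (0x02 = SYN, 0x42 = SYN with the ECE bit)
# Returns the captured reply, or NULL when nothing came back.
# Reads the globals init_seq and myack.
function ece_probe(ip, dport, sport, th_flags)
{
  local_var filter, tcp, j, reply;

  filter = "src port " + dport + " and src host " + get_host_ip() + " and dst port " + sport;
  tcp = forge_tcp_packet(ip:ip, th_sport:sport, th_dport:dport,
                         th_flags:th_flags, th_seq:init_seq, th_ack:myack,
                         th_x2:0, th_off:5, th_win:2048, th_urp:0);

  for (j = 0; j < 3; j++)
  {
    reply = send_packet(tcp, pcap_active:TRUE, pcap_filter:filter, pcap_timeout:1);
    if (reply) return reply;
  }
  return NULL;
}

# Next source port after cur. sport may start as high as 65534, and it
# is bumped twice per probed port, so a plain increment could leave the
# valid port range; wrap back to 1024 instead.
function next_sport(cur)
{
  if (cur >= 65535) return 1024;
  return cur + 1;
}

for (i = 0; port[i]; i++)
{
  if (get_port_state(port[i])) continue; # Port is open: nothing is filtered here

  # The IP header is identical for both probes of this port.
  ip = forge_ip_packet(ip_v:4, ip_hl:5, ip_tos:0, ip_off:0, ip_len:20,
                       ip_p:IPPROTO_TCP, ip_id:ipid, ip_ttl:0x40,
                       ip_src:compat::this_host());

  # STEP 1: a naked SYN. A reply means the port is reachable as-is, so
  # nothing can be learned about the ECE handling; skip this port.
  sport = next_sport(cur:sport);
  reply = ece_probe(ip:ip, dport:port[i], sport:sport, th_flags:0x02);
  if (reply) continue;

  # STEP 2: the same SYN with the ECE bit set. A reply now, when the
  # plain SYN drew none, is the filtering-evasion symptom.
  sport = next_sport(cur:sport);
  reply = ece_probe(ip:ip, dport:port[i], sport:sport, th_flags:0x42);
  if (!reply) continue;

  flags = get_tcp_element(tcp:reply, element:"th_flags");
  report = 'Nessus was able to exploit the issue setting the ECE bit within the TCP flags field.';
  # Any ACK-bearing reply counts (a RST from a closed port normally
  # carries ACK as well): what matters is that the firewall let the
  # segment through. The finding is reported against the probed port.
  if (flags & TH_ACK) security_report_v4(port:port[i], severity:SECURITY_HOLE, extra:report);
}

exit(0);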