Author: kp
Date: Fri Mar 22 07:39:28 2019
New Revision: 345409
URL: https://svnweb.freebsd.org/changeset/base/345409
Log:
pf tests: Test CVE-2019-5598
Verify that pf correctly drops inconsistent ICMP packets (i.e. where the
IP src/dst do not match the IP src/dst in the ICMP packet.
Added:
head/tests/sys/netpfil/pf/CVE-2019-5598.py (contents, props changed)
head/tests/sys/netpfil/pf/icmp.sh (contents, props changed)
Modified:
head/tests/sys/netpfil/pf/Makefile
Added: head/tests/sys/netpfil/pf/CVE-2019-5598.py
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/CVE-2019-5598.py Fri Mar 22 07:39:28 2019
(r345409)
@@ -0,0 +1,130 @@
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+ ip = packet.getlayer(sp.IP)
+ if not ip:
+ return False
+ if ip.dst != args.to[0]:
+ return False
+
+ icmp = packet.getlayer(sp.ICMP)
+ if not icmp:
+ return False
+ if icmp.type != 3 or icmp.code != 3:
+ return False
+
+ return True
+
+def main():
+ parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+ description="CVE-2019-icmp test tool")
+ parser.add_argument('--sendif', nargs=1,
+ required=True,
+ help='The interface through which the packet will be sent')
+ parser.add_argument('--recvif', nargs=1,
+ required=True,
+ help='The interface on which to check for the packet')
+ parser.add_argument('--src', nargs=1,
+ required=True,
+ help='The source IP address')
+ parser.add_argument('--to', nargs=1,
+ required=True,
+ help='The destination IP address')
+
+ args = parser.parse_args()
+
+ # Send the allowed packet to establish state
+ udp = sp.Ether() / \
+ sp.IP(src=args.src[0], dst=args.to[0]) / \
+ sp.UDP(dport=53, sport=1234)
+ sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+ # Start sniffing on recvif
+ sniffer = Sniffer(args, check_icmp_error)
+
+ # Send the bad error packet
+ icmp_reachable = sp.Ether() / \
+ sp.IP(src=args.src[0], dst=args.to[0]) / \
+ sp.ICMP(type=3, code=3) / \
+ sp.IP(src="4.3.2.1", dst="1.2.3.4") / \
+ sp.UDP(dport=53, sport=1234)
+ sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+ sniffer.join()
+ if sniffer.foundCorrectPacket:
+ sys.exit(1)
+
+ sys.exit(0)
+
+if __name__ == '__main__':
+ main()
+#!/usr/local/bin/python2.7
+
+import argparse
+import scapy.all as sp
+import sys
+from sniffer import Sniffer
+
+def check_icmp_error(args, packet):
+ ip = packet.getlayer(sp.IP)
+ if not ip:
+ return False
+ if ip.dst != args.to[0]:
+ return False
+
+ icmp = packet.getlayer(sp.ICMP)
+ if not icmp:
+ return False
+ if icmp.type != 3 or icmp.code != 3:
+ return False
+
+ return True
+
+def main():
+ parser = argparse.ArgumentParser("CVE-2019-icmp.py",
+ description="CVE-2019-icmp test tool")
+ parser.add_argument('--sendif', nargs=1,
+ required=True,
+ help='The interface through which the packet will be sent')
+ parser.add_argument('--recvif', nargs=1,
+ required=True,
+ help='The interface on which to check for the packet')
+ parser.add_argument('--src', nargs=1,
+ required=True,
+ help='The source IP address')
+ parser.add_argument('--to', nargs=1,
+ required=True,
+ help='The destination IP address')
+
+ args = parser.parse_args()
+
+ # Send the allowed packet to establish state
+ udp = sp.Ether() / \
+ sp.IP(src=args.src[0], dst=args.to[0]) / \
+ sp.UDP(dport=53, sport=1234)
+ sp.sendp(udp, iface=args.sendif[0], verbose=False)
+
+ # Start sniffing on recvif
+ sniffer = Sniffer(args, check_icmp_error)
+
+ # Send the bad error packet
+ icmp_reachable = sp.Ether() / \
+ sp.IP(src=args.src[0], dst=args.to[0]) / \
+ sp.ICMP(type=3, code=3) / \
+ sp.IP(src=args.src[0], dst=args.to[0]) / \
+ sp.UDP(dport=53, sport=1234)
+ sp.sendp(icmp_reachable, iface=args.sendif[0], verbose=False)
+
+ sniffer.join()
+ if sniffer.foundCorrectPacket:
+ sys.exit(1)
+
+ sys.exit(0)
+
+if __name__ == '__main__':
+ main()
Modified: head/tests/sys/netpfil/pf/Makefile
==============================================================================
--- head/tests/sys/netpfil/pf/Makefile Fri Mar 22 06:36:40 2019
(r345408)
+++ head/tests/sys/netpfil/pf/Makefile Fri Mar 22 07:39:28 2019
(r345409)
@@ -16,15 +16,18 @@ ATF_TESTS_SH+= anchor \
route_to \
synproxy \
set_skip \
- pfsync
+ pfsync \
+ icmp
${PACKAGE}FILES+= utils.subr \
echo_inetd.conf \
sniffer.py \
pft_ping.py \
- CVE-2019-5597.py
+ CVE-2019-5597.py \
+ CVE-2019-5598.py
${PACKAGE}FILESMODE_pft_ping.py= 0555
${PACKAGE}FILESMODE_CVE-2019-5597.py= 0555
+${PACKAGE}FILESMODE_CVE-2019-5598.py= 0555
.include <bsd.test.mk>
Added: head/tests/sys/netpfil/pf/icmp.sh
==============================================================================
--- /dev/null 00:00:00 1970 (empty, because file is newly added)
+++ head/tests/sys/netpfil/pf/icmp.sh Fri Mar 22 07:39:28 2019
(r345409)
@@ -0,0 +1,99 @@
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+ atf_set descr 'Test CVE-2019-5598'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+ pft_init
+
+ epair_in=$(vnet_mkepair)
+ epair_out=$(vnet_mkepair)
+ ifconfig ${epair_in}a 192.0.2.1/24 up
+ ifconfig ${epair_out}a up
+
+ vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+ jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+ jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+ jexec alcatraz sysctl net.inet.ip.forwarding=1
+ jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+ jexec alcatraz route add default 198.51.100.3
+ route add -net 198.51.100.0/24 192.0.2.2
+
+ jexec alcatraz pfctl -e
+ pft_set_rules alcatraz "block all" \
+ "pass in proto udp to 198.51.100.3 port 53" \
+ "pass out proto udp to 198.51.100.3 port 53"
+
+ atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+ --sendif ${epair_in}a \
+ --recvif ${epair_out}a \
+ --src 192.0.2.1 \
+ --to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "cve_2019_5598"
+}
+# $FreeBSD$
+
+. $(atf_get_srcdir)/utils.subr
+
+atf_test_case "cve_2019_5598" "cleanup"
+cve_2019_5598_head()
+{
+ atf_set descr 'Test CVE-2019-5598'
+ atf_set require.user root
+ atf_set require.progs scapy
+}
+
+cve_2019_5598_body()
+{
+ pft_init
+
+ epair_in=$(vnet_mkepair)
+ epair_out=$(vnet_mkepair)
+ ifconfig ${epair_in}a 192.0.2.1/24 up
+ ifconfig ${epair_out}a up
+
+ vnet_mkjail alcatraz ${epair_in}b ${epair_out}b
+ jexec alcatraz ifconfig ${epair_in}b 192.0.2.2/24 up
+ jexec alcatraz ifconfig ${epair_out}b 198.51.100.2/24 up
+ jexec alcatraz sysctl net.inet.ip.forwarding=1
+ jexec alcatraz arp -s 198.51.100.3 00:01:02:03:04:05
+ route add -net 198.51.100.0/24 192.0.2.2
+
+ jexec alcatraz pfctl -e
+ pft_set_rules alcatraz "block all" \
+ "pass in proto udp to 198.51.100.3 port 53" \
+ "pass out proto udp to 198.51.100.3 port 53"
+
+ atf_check -s exit:0 $(atf_get_srcdir)/CVE-2019-icmp.py \
+ --sendif ${epair_in}a \
+ --recvif ${epair_out}a \
+ --src 192.0.2.1 \
+ --to 198.51.100.3
+}
+
+cve_2019_5598_cleanup()
+{
+ pft_cleanup
+}
+
+atf_init_test_cases()
+{
+ atf_add_test_case "cve_2019_5598"
+}
_______________________________________________
svn-src-all@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/svn-src-all
To unsubscribe, send any mail to "svn-src-all-unsubscr...@freebsd.org"
