dabarar kai hari (CVE-2019-14899) wanda ke ba da damar fakiti don a zuga, gyara, ko musanya su cikin haɗin TCP da aka tura ta hanyar VPN tunnels. Matsalar ta shafi Linux, FreeBSD, OpenBSD, Android, macOS, iOS da sauran tsarin Unix. Linux tana goyan bayan tsarin rp_filter (tace hanya ta baya) don IPV4, kunna shi a cikin yanayin “Tsarin” yana kawar da wannan matsalar.
Hanyar tana ba da damar sauya fakiti a matakin haɗin TCP da ke wucewa a cikin rami mai rufaffen, amma baya ba da izinin ƙulla alaƙar da ke amfani da ƙarin ɓoyayyen yadudduka (misali, TLS, HTTPS, SSH). Algorithms na boye-boye da aka yi amfani da su a cikin VPN ba su da mahimmanci, tunda fakitin da aka zuga sun fito ne daga keɓancewar waje kuma kernel ana sarrafa su azaman fakiti daga haɗin VPN. Mafi yuwuwar makasudin harin shine tsoma baki tare da haɗin gwiwar HTTP da ba a ɓoye ba, amma da kuma amfani da hari don sarrafa martanin DNS.
An nuna nasarar fakitin spoofing don ramukan da aka ƙirƙira ta amfani da OpenVPN, WireGuard da IKEv2/IPSec. Tor ba shi da saukin kamuwa da matsalar, tunda yana amfani da SOCKS don tura zirga-zirga kuma yana ɗaure zuwa madaidaicin hanyar dawowa. Don IPv4, hari yana yiwuwa idan an saita rp_filter zuwa yanayin “Sakowa” (sysctl net.ipv4.conf.all.rp_filter = 2). Da farko, yawancin tsarin sunyi amfani da yanayin "Tsarin", amma farawa daga , wanda aka saki a watan Disambar da ya gabata, an canza yanayin aiki na asali zuwa "Sakowa" kuma wannan canjin ya bayyana a cikin saitunan tsoho na yawancin rabawa na Linux.
rp_filter inji don ƙarin tabbaci na hanyoyin fakiti don hana ɓarna adireshin tushen tushe. Lokacin da aka saita zuwa 0, ba a yin rajistan adireshin tushe kuma kowane fakiti za a iya turawa tsakanin mu'amalar cibiyar sadarwa ba tare da hani ba. Yanayin 1 "Tsarin" ya haɗa da duba kowane fakitin da ke fitowa daga waje don biyan bukatun tebur, kuma idan cibiyar sadarwa ta hanyar da aka karɓi fakitin ba ta da alaƙa da mafi kyawun hanyar isar da amsa, to an watsar da fakitin. Yanayin 2 "Sako da sako" yana kwantar da cak ɗin don ba da damar masu daidaita ma'aunin nauyi ko jigilar asymmetric suyi aiki lokacin
Hanyar amsawa na iya wucewa ta hanyar sadarwa ta hanyar sadarwa ban da wacce fakitin mai shigowa ta iso.
A cikin yanayin sako-sako, ana duba fakitin da ke shigowa a kan tebur ɗin tuƙi, amma ana ɗaukar ingancin aiki idan ana iya samun adireshin tushen ta kowace hanyar sadarwar cibiyar sadarwa. Harin da aka gabatar ya dogara ne akan gaskiyar cewa maharin na iya aika fakiti tare da adireshi mai tushe wanda ya dace da cibiyar sadarwar VPN, kuma duk da cewa wannan fakitin zai shiga tsarin ta hanyar hanyar sadarwa ta waje ba ta hanyar VPN ba, a cikin rp_filter yanayin “Sakowa” irin wannan fakitin ba za a watsar da shi ba.
Don kai harin, dole ne maharin ya sarrafa hanyar da mai amfani ya shiga hanyar sadarwar (misali, ta hanyar ƙungiyar MITM, lokacin da wanda aka azabtar ya haɗu zuwa wurin shiga mara waya ta maharin, ko ta hanyar. ). Ta hanyar sarrafa hanyar da mai amfani ke haɗa shi da hanyar sadarwa, mai hari zai iya aika fakiti na bogi waɗanda za a iya gane su a cikin mahallin cibiyar sadarwar VPN, amma za a bi da martani ta hanyar rami.
Ta hanyar samar da rafi na fakiti na almara wanda aka maye gurbin adireshin IP na cibiyar sadarwa ta VPN, ana ƙoƙarin yin tasiri kan haɗin da abokin ciniki ya kafa, amma ana iya lura da tasirin waɗannan fakitin ta hanyar bincike na sirri na ɓoyayyen zirga-zirgar zirga-zirgar da ke da alaƙa. tare da aiki na rami. Don kai hari, kuna buƙatar nemo adireshin IP na cibiyar sadarwar rami da uwar garken VPN ta sanya, sannan kuma ƙayyade cewa haɗin kai zuwa takamaiman rundunar yana aiki a cikin rami a halin yanzu.
Don ƙayyade IP na cibiyar sadarwa ta hanyar sadarwa ta VPN, ana aika fakitin SYN-ACK zuwa tsarin wanda aka azabtar, tare da ƙididdige duk kewayon adiresoshin kama-da-wane (da farko, adiresoshin da aka yi amfani da su a cikin VPN ana ƙididdige su ta tsohuwa, misali, OpenVPN. yana amfani da 10.8.0.0/24 subnet). Ana iya yin hukunci da wanzuwar adireshi dangane da karɓar amsa tare da tutar RST.
Hakazalika, an ƙayyade kasancewar haɗin zuwa wani rukunin yanar gizon da lambar tashar tashar jiragen ruwa a gefen abokin ciniki - ta hanyar rarraba ta hanyar lambobin tashar jiragen ruwa, ana aika fakitin SYN ga mai amfani, a matsayin adireshin tushen, wanda rukunin yanar gizon yake. An maye gurbin IP, kuma adireshin da ake nufi shine IP VPN mai kama-da-wane. Ana iya yin annabta tashar tashar uwar garke (80 don HTTP), kuma lambar tashar tashar jiragen ruwa a gefen abokin ciniki za a iya ƙididdige shi ta ƙarfin ƙarfi, bincika lambobi daban-daban canjin ƙarfin martanin ACK a hade tare da rashin fakiti tare da RST. tuta.
A wannan mataki, maharin ya san duk abubuwa hudu na haɗin (adiresoshin IP / tashar jiragen ruwa da adireshin IP / tashar jiragen ruwa), amma don samar da fakitin ƙididdiga wanda tsarin da aka azabtar zai karɓa, dole ne maharin ya ƙayyade jerin TCP kuma lambobin yabo (seq da ack) - haɗi. Don tantance waɗannan sigogi, maharin ya ci gaba da aika fakitin RST na bogi, yana gwada lambobi daban-daban, har sai ya gano fakitin amsa ACK, wanda zuwan ya nuna cewa lambar ta faɗi cikin taga TCP.
Bayan haka, maharin yana fayyace ma'anar ma'anar ta hanyar aika fakiti masu lamba ɗaya tare da lura da isowar amsawar ACK, bayan haka sai ya zaɓi ainihin adadin na yanzu. Ayyukan yana da rikitarwa ta gaskiyar cewa ana aika martani a cikin rami da aka rufaffen kuma kasancewarsu a cikin magudanar ruwa da aka katse za'a iya yin nazari ta hanyar amfani da hanyoyin kai tsaye. Ko abokin ciniki ya aika fakitin ACK da aka yi magana zuwa uwar garken VPN an ƙaddara bisa ga girman da latency na ɓoyayyun martanin, waɗanda suka yi daidai da aika fakitin zube. Misali, don OpenVPN, girman fakitin rufaffen 79 yana ba ku damar yin hukunci daidai cewa akwai ACK a ciki.
Har sai an ƙara kariyar kai hari cikin kernel ɗin tsarin aiki azaman hanyar wucin gadi na toshe matsalar ta yin amfani da tacewa fakiti a cikin sarkar “preroute”, toshe hanyar fakitin da aka ayyana adireshin IP na ramin a matsayin adireshin inda ake nufi.
iptables -t raw -I PREROUTING ! -i wg0 -d 10.182.12.8 -m addrtype! --src-nau'in LOCAL -j DROP
ko don nftables
nft ƙara tebur ip raw
nft ƙara sarkar ip raw prerouting '{nau'in tace ƙugiya prerouting fifiko 0; }'
nft ƙara mulkin ip raw prerouting 'iifname! = "wg0" ip daddr 10.182.12.8 fib saddr nau'in ! = gida drop'
Don kare kanka lokacin amfani da ramukan da adiresoshin IPv4, kawai saita rp_filter zuwa yanayin “Tsauri” (“sysctl net.ipv4.conf.all.rp_filter = 1”). A gefen VPN, ana iya toshe hanyar gano lambar ta hanyar ƙara ƙarin fakiti zuwa fakitin da aka rufaffen, yin duk fakiti iri ɗaya girman.
source: budenet.ru