Changeset 9e26562

Timestamp:

06/16/14 21:12:49 (4 years ago)

Author:

Erik Ekman <erik@…>

Children:

d10319

Parents:

859b01

git-author:

Erik Ekman <erik@…> (06/16/14 21:12:49)

git-committer:

Erik Ekman <erik@…> (06/17/14 18:59:06)

Message:

Fix authentication bypass bug

The client could bypass the password check by continuing after getting error
from the server and guessing the network parameters. The server would still
accept the rest of the setup and also network traffic.

Add checks for normal and raw mode that user has authenticated before allowing
any other communication.

Problem found by Oscar Reparaz.

Backported to iodine 0.6 branch.

Files:

• CHANGELOG (modified) (1 diff)
• src/iodined.c (modified) (14 diffs)
• src/user.c (modified) (3 diffs)
• src/user.h (modified) (1 diff)
• tests/user.c (modified) (2 diffs)

CHANGELOG

@@ -6 +6 @@
 CHANGES:
 
-2010-02-13: 0.6.0-rc1 "Hotspotify"
+2014-06-17: 0.6.0
+        - Fix authentication bypass vulnerability; found by Oscar Reparaz.
+
+2010-02-06: 0.6.0-rc1 "Hotspotify"
         - Fixed tunnel not working on Windows.
         - Any device name is now supported on Windows, fixes #47.

src/iodined.c

@@ -117 +117 @@
 #endif
 
+/* This will not check that user has passed login challenge */
 static int
 check_user_and_ip(int userid, struct query *q)
@@ -141 +142 @@
         tempin = (struct sockaddr_in *) &(q->from);
         return memcmp(&(users[userid].host), &(tempin->sin_addr), sizeof(struct in_addr));
+}
+
+/* This checks that user has passed normal (non-raw) login challenge */
+static int
+check_authenticated_user_and_ip(int userid, struct query *q)
+{
+        int res = check_user_and_ip(userid, q);
+        if (res)
+                return res;
+
+        if (!users[userid].authenticated)
+                return 1;
+
+        return 0;
 }
 
@@ -781 +796 @@
 
                         if (read >= 18 && (memcmp(logindata, unpacked+1, 16) == 0)) {
-                                /* Login ok, send ip/mtu/netmask info */
-
+                                /* Store login ok */
+                                users[userid].authenticated = 1;
+
+                                /* Send ip/mtu/netmask info */
                                 tempip.s_addr = my_ip;
                                 tmp[0] = strdup(inet_ntoa(tempip));
@@ -811 +828 @@
                 
                 userid = b32_8to5(in[1]);
-                if (check_user_and_ip(userid, q) != 0) {
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -847 +864 @@
 
                 userid = b32_8to5(in[1]);
-                
-                if (check_user_and_ip(userid, q) != 0) {
+
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -889 +906 @@
                 userid = b32_8to5(in[1]);
 
-                if (check_user_and_ip(userid, q) != 0) {
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -1017 +1034 @@
                 /* Downstream fragsize probe packet */
                 userid = (b32_8to5(in[1]) >> 1) & 15;
-                if (check_user_and_ip(userid, q) != 0) {
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -1052 +1069 @@
                 /* Downstream fragsize packet */
                 userid = unpacked[0];
-                if (check_user_and_ip(userid, q) != 0) {
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -1085 +1102 @@
                 /* Ping packet, store userid */
                 userid = unpacked[0];
-                if (check_user_and_ip(userid, q) != 0) {
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -1215 +1232 @@
                 userid = code;
                 /* Check user and sending ip number */
-                if (check_user_and_ip(userid, q) != 0) {
+                if (check_authenticated_user_and_ip(userid, q) != 0) {
                         write_dns(dns_fd, q, "BADIP", 5, 'T');
                         return; /* illegal id */
@@ -1786 +1803 @@
         if (len < 16) return;
 
-        /* can't use check_user_and_ip() since IP address will be different,
+        /* can't use check_authenticated_user_and_ip() since IP address will be different,
            so duplicate here except IP address */
         if (userid < 0 || userid >= created_users) return;
         if (!users[userid].active || users[userid].disabled) return;
+        if (!users[userid].authenticated) return;
         if (users[userid].last_pkt + 60 < time(NULL)) return;
 
@@ -1814 +1832 @@
                 login_calculate(myhash, 16, password, users[userid].seed - 1);
                 send_raw(fd, myhash, 16, userid, RAW_HDR_CMD_LOGIN, q);
+
+                users[userid].authenticated_raw = 1;
         }
 }
@@ -1820 +1840 @@
 handle_raw_data(char *packet, int len, struct query *q, int dns_fd, int tun_fd, int userid)
 {
-        if (check_user_and_ip(userid, q) != 0) {
+        if (check_authenticated_user_and_ip(userid, q) != 0) {
                 return;
         }
+        if (!users[userid].authenticated_raw) return;
 
         /* Update query and time info for user */
@@ -1844 +1865 @@
 handle_raw_ping(struct query *q, int dns_fd, int userid)
 {
-        if (check_user_and_ip(userid, q) != 0) {
+        if (check_authenticated_user_and_ip(userid, q) != 0) {
                 return;
         }
+        if (!users[userid].authenticated_raw) return;
 
         /* Update query and time info for user */

src/user.c

@@ -79 +79 @@
                         created_users++;
                 }
+                users[i].authenticated = 0;
+                users[i].authenticated_raw = 0;
                 users[i].active = 0;
                 /* Rest is reset on login ('V' packet) */
@@ -120 +122 @@
         ret = -1;
         for (i = 0; i < USERS; i++) {
-                if (users[i].active && !users[i].disabled &&
+                if (users[i].active &&
+                        users[i].authenticated &&
+                        !users[i].disabled &&
                         users[i].last_pkt + 60 > time(NULL) &&
                         ip == users[i].tun_ip) {
@@ -172 +176 @@
                 if ((!users[i].active || users[i].last_pkt + 60 < time(NULL)) && !users[i].disabled) {
                         users[i].active = 1;
+                        users[i].authenticated = 0;
+                        users[i].authenticated_raw = 0;
                         users[i].last_pkt = time(NULL);
                         users[i].fragsize = 4096;

src/user.h

@@ -37 +37 @@
         char id;
         int active;
+        int authenticated;
+        int authenticated_raw;
         int disabled;
         time_t last_pkt;

tests/user.c

@@ -94 +94 @@
         
         testip = (unsigned int) inet_addr("127.0.0.2");
+        fail_unless(find_user_by_ip(testip) == -1);
+
+        users[0].authenticated = 1;
+
+        testip = (unsigned int) inet_addr("127.0.0.2");
         fail_unless(find_user_by_ip(testip) == 0);
 }
@@ -136 +141 @@
 
         for (i = 0; i < USERS; i++) {
+                users[i].authenticated = 1;
+                users[i].authenticated_raw = 1;
                 fail_unless(find_available_user() == i);
+                fail_if(users[i].authenticated);
+                fail_if(users[i].authenticated_raw);
         }