iptable_evil: evil bit backdoor for iptables

by do son · December 23, 2021

iptable_evil

iptable_evil is a very specific backdoor for iptables that allows all packets with the evil bit set, no matter the firewall rules.

The initial implementation is in iptable_evil.c, which adds a table to iptables and requires modifying a kernel header to insert a spot for it. The second implementation is a modified version of the ip_tables core module and its dependents to allow all Evil packets.

I have tested it on Linux kernel version 5.8.0-48, but this should be applicable to pretty much any kernel version with a full implementation of iptables.

Explanation of the Evil Bit

RFC3514, published April 1st, 2003, defines the previously-unused high-order bit of the IP fragment offset field as a security flag. To RFC-compliant systems, a 1 in that bit, position indicates evil intent and will cause the packet to be blocked.

By default, this bit is turned off but can be turned on in your software if you’re assembling the entirety of your IP packet (as some hacking tools do), or in the Linux kernel using this patch (mirrored in this repository here).

How does the backdoor work?

When a packet is received by the Linux kernel, it is processed by iptables and either sent to userspace, rejected, or modified based on the rules configured.

In particular, each iptables table uses the function ipt_do_table in ip_tables.c to decide whether to accept a given packet. I have modified that to automatically accept any packet with the evil bit set and skip all further processing.

I also attempted to add another table (iptable_evil.c) that would accept all evil packets and hand others off to the standard tables for processing, but I never figured out how to pass the packets to the next table and decided that the ipt_do_table backdoor was enough as a proof of concept.