[ Thanks to Gene
Wilburn for this link. ]
“A serious vulnerability exists in the IP Masquerading code
present in, but not necessarily limited to, the 2.2.x Linux kernel.
Due to poor checking of connections in the kernel code, an attacker
can potentially rewrite the UDP masquerading entries, making it
possible for UDP packets to be routed back to the internal
machine.“
“The IP masquerading code only uses destination ports to
determine if a packet from the external network is to be forwarded
to the internal network. It then sets the remote host and port in
its tables to the source address and port of the incoming packet.
The attacker needs to determine the local port on the masq gateway
to be able to rewrite the table with their own address and port. As
the range of ports used to masquerade connections is small, from
6100 to 65096 for both UDP and TCP, it becomes fairly easy for an
external host to determine the ports in use….”