Bindview Advisory - A remotely exploitable IP masquerading vulnerability in the Linux kernel can be used to penetrate protected private networks which have loaded the IRC masquerading module. There was a discussion last year that detailed exploiting NAT packet inspection mechanisms on Linux and other operating systems by forcing a client's browser or MUA software to send specific data patterns without the user's knowledge (see http://www.securityfocus.com/archive/82/50226) in order to open an inbound TCP port on the firewall. Appropriate but not sufficient workarounds were incorporated in Linux kernels released after the original advisory. Unfortunately, protocols other than those mentioned in the original discussions seem to be vulnerable as well. We found that IRC DCC helper (the Linux 2.2 ip_masq_irc module, and modules shipped with some other operating systems / firewalling software) can be exploited.
bcaf95982e917edd271016e86d6d77bc40fd5dd9c9b427da27e25b0f3c3b78f8