lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 16 Mar 2006 17:45:21 +0100
From: Andrea Purificato - bunker <bunker@...twebnet.it>
To: bugtraq@...urityfocus.com
Subject: Re: Linux zero IP ID vulnerability?



Alle 10:33, martedì 14 marzo 2006, Marco Ivaldi ha scritto:

> I've recently stumbled upon an interesting behaviour of some Linux kernels
> that may be exploited by a remote attacker to abuse the ID field of IP
> packets, effectively bypassing the zero IP ID in DF packets countermeasure
> implemented since 2.4.8 (IIRC).

Hi Marco!

I've just tested this thing on available hardware:


- [PIRELLI HOME ACCESS GATEWAY]

bunker@syn:~$ sudo nmap -sS -P0 xxx.xxx.xxx.136 -O -v
[cut]PORT     STATE SERVICE
1720/tcp open  H.323/Q.931
MAC Address: (Pirelli Broadband Solutions)
Device type: PBX
Running: 3Com embedded
OS details: 3Com NBX PBX
[cut]IPID Sequence Generation: Incremental

(closed port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0 

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26008 sport=0 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26010 sport=0 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26012 sport=0 flags=R seq=2 win=0

(opened port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26082 sport=1720 flags=SA seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26084 sport=1720 flags=SA seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26086 sport=1720 flags=SA seq=2 win=8192

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26074 sport=1720 flags=R seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26076 sport=1720 flags=R seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26078 sport=1720 flags=R seq=2 win=8192


- [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)]
- (no iptables rules)

bunker@syn:~$ sudo nmap -sS -P0 -O -v xxx.xxx.xxx.139
[cut]PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
1080/tcp open  socks
6000/tcp open  X11
MAC Address: (Xnet Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
[cut]IPID Sequence Generation: All zeros

(closed port + S flag)
bunker@syn:~$ cat hping.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0

(opened port + S flag)
bunker@syn:~$ cat hping.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840

(closed port + SA flag)
bunker@syn:~$ cat hpingSA.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4111 sport=18 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4112 sport=18 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4113 sport=18 flags=R seq=2 win=0

(opened port + SA flag)
bunker@syn:~$ cat hpingSA.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0


Seems to be interesting the results obtained from 2.6.15.6 with +S flag.
-- 
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.

http://rawlab.altervista.org

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ