Re: Linux zero IP ID vulnerability?
Alle 10:33, martedì 14 marzo 2006, Marco Ivaldi ha scritto:
> I've recently stumbled upon an interesting behaviour of some Linux kernels
> that may be exploited by a remote attacker to abuse the ID field of IP
> packets, effectively bypassing the zero IP ID in DF packets countermeasure
> implemented since 2.4.8 (IIRC).
Hi Marco!
I've just tested this thing on available hardware:
- [PIRELLI HOME ACCESS GATEWAY]
bunker@syn:~$ sudo nmap -sS -P0 xxx.xxx.xxx.136 -O -v
[cut]PORT STATE SERVICE
1720/tcp open H.323/Q.931
MAC Address: (Pirelli Broadband Solutions)
Device type: PBX
Running: 3Com embedded
OS details: 3Com NBX PBX
[cut]IPID Sequence Generation: Incremental
(closed port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0
bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26008 sport=0 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26010 sport=0 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26012 sport=0 flags=R seq=2 win=0
(opened port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26082 sport=1720 flags=SA seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26084 sport=1720 flags=SA seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26086 sport=1720 flags=SA seq=2 win=8192
bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26074 sport=1720 flags=R seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26076 sport=1720 flags=R seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26078 sport=1720 flags=R seq=2 win=8192
- [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)]
- (no iptables rules)
bunker@syn:~$ sudo nmap -sS -P0 -O -v xxx.xxx.xxx.139
[cut]PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
1080/tcp open socks
6000/tcp open X11
MAC Address: (Xnet Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
[cut]IPID Sequence Generation: All zeros
(closed port + S flag)
bunker@syn:~$ cat hping.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0
(opened port + S flag)
bunker@syn:~$ cat hping.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840
(closed port + SA flag)
bunker@syn:~$ cat hpingSA.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4111 sport=18 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4112 sport=18 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4113 sport=18 flags=R seq=2 win=0
(opened port + SA flag)
bunker@syn:~$ cat hpingSA.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0
Seems to be interesting the results obtained from 2.6.15.6 with +S flag.
--
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
http://rawlab.altervista.org