NAI Security Advisory - Windows IP source routing

[Security_Research_Labs () NAI COM (Security Research Labs)]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

======================================================================

                      Network Associates, Inc.
                        SECURITY ADVISORY
                        September 20, 1999

             Windows IP Source Routing Vulnerability

                         BUGTRAQ ID: 646

======================================================================

SYNOPSIS

Windows TCP/IP stacks configured to disable IP forwarding or IP
source routing, allow specific source routed datagrams to route
between interfaces.  Effectively, the Windows TCP/IP stack can
not be configured to disable IP datagrams passing between
networks if two network cards have been installed.

======================================================================

VULNERABLE HOSTS

All versions of Windows NT (including Terminal Server Edition)
are vulnerable to the attacks within this advisory, including hosts
that have installed Service Pack 5 and enabled the following SP5
specific registry key to disable source routing:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
 \Services\Tcpip\Parameters\DisableIPSourceRouting

All versions of Windows 95 and Windows 98 are vulnerable.

======================================================================

TECHNICAL DETAILS

Every IP stack is required to implement IP options, although they
may or may not appear in each IP datagram.  Options are variable
in length, and generally contain a type, length and data associated
with the option.  The option type is divided into three fields:
the copied flag, option class and the option number.  The copied
flag indicates that this option is copied into all fragments on
fragmentation.

The source route option provides routing information for gateways
in the delivery of a datagram to its destination.  There are two
variations loose and strict routes.  The loose source route (LSRR)
allows any number of intermediate gateways to reach the next
address in the route.  The strict source route (SSRR) requires the
next address in the source route to be on a directly connected
network, otherwise the delivery of the datagram can not be
completed.

The source route options have a variable length, containing a
series of IP addresses and an offset pointer indicating the next
IP address to be processed.  A source routed datagram completes
its delivery when the offset pointer points beyond the last field,
ie the pointer is greater than the length, and the address in
the destination address has been reached.  RFC 1122 states the
option as received must be passed up to the transport layer (or
to ICMP message processing).

It is a common security measure to disable IP source routing.  In
this situation, if a source routed packet attempts to use a
secure host as an intermediate router or to deliver its data to that
hosts application layer then the datagram should be dropped,
optionally delivering an ICMP unreachable - source route failed.
It is important to note that the datagram would be dropped at the
network layer prior to IP reassembly and before data is passed to
the application layer.

As with other operating systems (when configured to deny source
routed packets), if a source routed datagram attempts to use a
Windows host as an intermediate router, an ICMP source route
failed message is sent.  This implies that the offset pointer
is not greater than the length and the destination IP address
has not been reached.

When a source routed datagram completes its delivery, the offset
pointer is greater than the length and the destination has been
reached.

If a specially crafted IP packet, with source route options, has
the offset pointer set greater than the length, Windows TCP/IP
stacks will accept the source routed datagram (rather than
dropping it), and pass the data to the application layer for
processing.  The source route is reversed, delivering the reply
to this datagram to the first host in the reversed route.  Since
the source route can be manipulated by an attacker, the first
host in the reversed source route can be set to a host on the
second network (accessible via the second interface, i.e. the
internal network).

As a result, it is possible to pass data through all Windows
stacks with two network interfaces.

In addition to tunneling data, there are two scenarios which
can allow an intruder to obtain information about the remote
network while obscuring their origin.

The first allows any Windows host to be used to identify
non-Windows hosts that have source routing enabled.  A source
routed datagram is created with a false source address, containing
the true source address of the request and the address of a host
to be scanned in the option data.  Delivering this datagram,
with the correct offset, to a Windows host results in the route
being reversed and routed to the scanned host.  If this host
has source routing enabled the true source of the request
will then see a response returned.

Secondly, by utilizing the above source routing technique, and
masking their source address in the IP header, it is possible to
scan a Windows host for open ports using standard port scanning
techniques.

======================================================================

RESOLUTION

Microsoft has issued a hotfix for this vulnerability, which can be
obtained at the following address:

ftp://ftp.microsoft.com

/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/Spoof-fix

Please note that the above URL has been seperated for formatting
purposes.

A fix for Windows 95 and Windows 98 based systems is in production
and will follow.

======================================================================

CREDITS

Discovery and documentation of this vulnerability was conducted
by Anthony Osborne <Anthony_Osborne () nai com> at the security labs
of Network Associates.

======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important research in computer security today.  With over 30
security advisories published in the last 2 years, the Network
Associates security auditing teams have been responsible for the
discovery of many of the Internet's most serious security flaws.
This advisory represents our ongoing commitment to provide
critical information to the security community.

For more information about the Security Labs at Network
Associates, see our website at http://www.nai.com or contact us
at <seclabs () nai com>.

======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- ----

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN+aLIKF4LLqP1YESEQIMowCgg5m54i4/SuSEfMy10hADCle78P4AoJi2
zZ/1QBgYJaQOwQULBxEOO0FF
=+mMr
-----END PGP SIGNATURE-----