Bugtraq mailing list archives
Re: Linux zero IP ID vulnerability?
From: Andrea Purificato - bunker <bunker () fastwebnet it>
Date: Thu, 16 Mar 2006 17:45:21 +0100
At 10:33 on Tuesday, 14 March 2006, Marco Ivaldi wrote:
> I've recently stumbled upon an interesting behaviour of some Linux kernels that may be exploited by a remote attacker to abuse the ID field of IP packets, effectively bypassing the zero IP ID in DF packets countermeasure implemented since 2.4.8 (IIRC).
Hi Marco! I've just tested this thing on available hardware:

- [PIRELLI HOME ACCESS GATEWAY]

bunker@syn:~$ sudo nmap -sS -P0 xxx.xxx.xxx.136 -O -v
[cut]
PORT     STATE SERVICE
1720/tcp open  H.323/Q.931
MAC Address: (Pirelli Broadband Solutions)
Device type: PBX
Running: 3Com embedded
OS details: 3Com NBX PBX
[cut]
IPID Sequence Generation: Incremental

(closed port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26008 sport=0 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26010 sport=0 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26012 sport=0 flags=R seq=2 win=0

(opened port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26082 sport=1720 flags=SA seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26084 sport=1720 flags=SA seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26086 sport=1720 flags=SA seq=2 win=8192

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26074 sport=1720 flags=R seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26076 sport=1720 flags=R seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26078 sport=1720 flags=R seq=2 win=8192

- [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)] - (no iptables rules)

bunker@syn:~$ sudo nmap -sS -P0 -O -v xxx.xxx.xxx.139
[cut]
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
1080/tcp open  socks
6000/tcp open  X11
MAC Address: (Xnet Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
[cut]
IPID Sequence Generation: All zeros

(closed port + S flag)
bunker@syn:~$ cat hping.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0

(opened port + S flag)
bunker@syn:~$ cat hping.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840

(closed port + SA flag)
bunker@syn:~$ cat hpingSA.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4111 sport=18 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4112 sport=18 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4113 sport=18 flags=R seq=2 win=0

(opened port + SA flag)
bunker@syn:~$ cat hpingSA.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0

The results obtained from 2.6.15.6 with the +S flag seem interesting.

--
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
http://rawlab.altervista.org
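The transcripts above show the behaviour the thread is about in two lines of data: the 2.6.15.6 box answers SYNs to an open port with SYN/ACKs carrying id=0 (the DF zero-IP-ID countermeasure working), but answers with RSTs that still carry DF and an incrementing ID (4102, 4103, 4104). The following script is an added example, not code from the thread or from either poster: it parses hping reply lines in exactly the format printed above, classifies the IP ID sequence of each run in the spirit of nmap's "IPID Sequence Generation" line (a simplified classifier, assumed here, not nmap's algorithm), and flags a run whose DF-marked replies still carry a predictable ID. The sample lines are constructed copies of the post's output, with the addresses redacted as in the original, so the script runs offline; on a real host you would feed it the saved hping output instead.

```python
import re
from typing import Dict, List

# Constructed samples reproducing the hping reply format printed in the post.
SAMPLE_OPEN_SYN = """\
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840
"""
SAMPLE_CLOSED_SYN = """\
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0
"""
SAMPLE_PIRELLI = """\
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0
"""

# One hping reply line; the " DF" token is optional because hping only prints
# it when the Don't Fragment bit is set on the reply.
LINE_RE = re.compile(
    r"len=(?P<len>\d+) ip=(?P<ip>\S+) ttl=(?P<ttl>\d+)(?P<df> DF)? id=(?P<id>\d+) "
    r"sport=(?P<sport>\d+) flags=(?P<flags>[A-Z]+) seq=(?P<seq>\d+) win=(?P<win>\d+)"
)


def parse_hping(text: str) -> List[Dict]:
    """Extract DF bit, IP ID, source port and TCP flags from hping reply lines."""
    replies = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:  # banner lines such as "HPING ... S set, 40 headers" are skipped
            continue
        replies.append({
            "df": m.group("df") is not None,
            "id": int(m.group("id")),
            "sport": int(m.group("sport")),
            "flags": m.group("flags"),
        })
    return replies


def classify_ipid(ids: List[int]) -> str:
    """Simplified IP ID sequence classifier (assumed categories, modelled on
    nmap's wording): all zeros / constant / incremental / random."""
    if len(ids) < 2:
        return "insufficient data"
    if all(i == 0 for i in ids):
        return "all zeros"
    # IP ID is a 16-bit counter, so differences are taken modulo 65536.
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]
    if all(d == 0 for d in diffs):
        return "constant"
    if all(d == diffs[0] for d in diffs) and 0 < diffs[0] <= 10:
        return "incremental" if diffs[0] == 1 else f"incremental (step {diffs[0]})"
    return "random"


def leaks_df_ipid(replies: List[Dict]) -> bool:
    """True when replies that carry DF still expose a predictable, non-zero
    IP ID, i.e. the zero-IP-ID-in-DF-packets countermeasure does not cover them."""
    df_ids = [r["id"] for r in replies if r["df"]]
    if not df_ids:
        return False
    return classify_ipid(df_ids).startswith("incremental")


def report(name: str, text: str) -> str:
    """Human-readable one-line verdict for a captured hping run."""
    replies = parse_hping(text)
    cls = classify_ipid([r["id"] for r in replies])
    flags = sorted({r["flags"] for r in replies})
    verdict = "DF replies leak a predictable IP ID" if leaks_df_ipid(replies) else "ok"
    return f"{name}: flags={'/'.join(flags)} ipid={cls} -> {verdict}"


if __name__ == "__main__":
    print(report("2.6.15.6 open port, SYN", SAMPLE_OPEN_SYN))
    print(report("2.6.15.6 closed port, SYN", SAMPLE_CLOSED_SYN))
    print(report("Pirelli gateway, SYN", SAMPLE_PIRELLI))
```

Run against the post's own data, the SYN/ACK run classifies as "all zeros" and passes, the RST run classifies as "incremental" and is flagged, and the Pirelli run classifies as "incremental (step 2)" but is not flagged by the DF check because its replies carry no DF bit at all (it is simply an incremental-ID stack, as nmap already reported). The point for a defender is that "IPID Sequence Generation: All zeros" from a single nmap probe only describes the SYN/ACK path; the RST path has to be measured separately.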
Current thread:
- Linux zero IP ID vulnerability? Marco Ivaldi (Mar 14)
- Message not available
- Re: Linux zero IP ID vulnerability? Marco Ivaldi (Mar 15)
- Message not available
- Re: Linux zero IP ID vulnerability? Andrea Purificato - bunker (Mar 16)
- <Possible follow-ups>
- Re: Linux zero IP ID vulnerability? Marco Ivaldi (Mar 17)
- Re: Linux zero IP ID vulnerability? Marco Ivaldi (Mar 23)
- Re: Linux zero IP ID vulnerability? GomoR (Mar 23)