Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft Windows Based OSs

From: Ofir Arkin <ofir () stake com>
Date: Fri, 25 Jan 2002 19:47:36 +0000
Subject: Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft Windows Based OSs 

Author: Ofir Arkin (ofir () stake com)
Network Associates PGP Corporate Desktop version 7.1 alters the TCP/IP stack of the MS operating system it is installing its PGPfire Personal Desktop Firewall product on. 

This alternation occurs even if PGPfire is not being enabled.
The type of alternation we have absorbed is with an ICMP Port Unreachable Error Messages received from a Microsoft Windows machine using the program.
The following tcpdump trace was produced with Xprobe against a Microsoft Windows 2000 SP2 with the PRE-SP3 patches installed, based machine: 


[root@mavrick root]# tcpdump -xnvv
tcpdump: listening on eth0
17:34:11.113066 192.168.1.100.64257 > 192.168.1.5.32132:  udp 70 (DF)
(ttl 250, id 28832, len 98)
                         4500 0062 70a0 4000 fa11 8c30 c0a8 0164
                         c0a8 0105 fb01 7d84 004e 0312 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000 0000 0000 0000 0000 0000 0000 0000
                         0000
17:34:11.113066 192.168.1.5 > 192.168.1.100: icmp:
192.168.1.5 udp port 32132 unreachable for 192.168.1.100.64257 > 192.168.1.5.32132: udp 70 (ttl 250, id 28832, len 98) (ttl 128, id 
11150, len 56)
                         4500 0038 2b8e 0000 8001 8b7d c0a8 0105
                         c0a8 0164 0303 8116 0000 0000 4500 0062
                         70a0 0000 fa11 cc30 c0a8 0164 c0a8 0105
                         fb01 7d84 004e 0312
If you look at the ICMP Error message, look at the part, which it starts to echo the original message: 

4500, 0062, 70a0 AND THAN 0000!
This behavior is also common with ULTIX based machines. But it is very easy to differentiate the ULTRIX based machines from the traces produced against machines using Network Associates PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall installed (no need to be enabled). If we will examine the echoed UDP Header, for example, with the ULTRIX based machines this echoed field value will be zero, while with the machines running Microsoft Windows operating systems with Network Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop Firewall installed this field will be echoed correctly. 


Tested against machines running PGPfire Installed on:

-Microsoft Windows 2000 Platforms (No-SP, SP1, SP2, Pre-SP3 Patches)
-Microsoft Windows Millennium


Dangers:
Ability to pinpoint Microsoft Windows Operating Systems using Network Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop Firewall installed (no need to be enabled), since this type of echoing error integrity is almost unique.
If the firewall is not being used, or if it is running in a not secure mode an attacker might use this information to maliciously attack a victim's machine.
Vendor Response: Since this is an "Information Leakage" problem no patch will be released for version 7.1. This is already fixed on the upcoming PGP Corporate Desktop software version 7.5.
Remedies: Just enable one of the PGPfire security policies of your choice, and check it does not allow ANY ICMP Error messages from your protected machine to the outside world. 


--
Ofir Arkin
Managing Security Architect
@stake, Limited.
http://www.atstake.com
email: ofir () stake com
Previous By Date Next
Previous By Thread Next

Current thread: