Penetration Testing mailing list archives

RE: ipforwarding enabled, what can I do


From: Yonatan Bokovza <Yonatan () xpert com>
Date: Mon, 20 Aug 2001 20:53:48 +0300

OK, time to clear some smoke:
The IP protocol was designed a long, long time ago (September 1981
according to the RFC:
http://www.ietf.org/rfc/rfc0791.txt), and has several archaic features that
were probably considered "cool" at that time.

Source routing divides into two features:
Loose source routing means you set "Loose Source Routing"
and add 1 to 8 IPs in the IP options. The reason you can only use
8 hops is due to IP header size limitations. Your IP packet will travel
to the first IP first, and then to the second IP and on until it travels
through all the IPs you defined, and then it will head toward the
destination. See traceroute -g.

Strict source routing is quite the same, only it means setting
a different flag, and that the packet _must_ travel through _only_
the hops you wrote. Since you can only specify 8 hops this option
is of little use nowadays.

Another relevant option is "Record Route": another flag needs to
be set in the header, and every hop the packet goes through will
write its IP in the header, hence you can get traceroute-like
capabilities with one packet. -R to ping will do that for you.

How do I attack a machine/network with this?
Suppose you have a stupid firewall with LAN and DMZ; you _might_
be able to pose as the DMZ if you send a packet to the LAN with
the IP of a DMZ server in Loose Source Routing mode.

Real Life?
All these options are deprecated. Any good firewall should drop
packets with these flags, and any such packet should be treated
like an attack by an IDS. There are lots of TCP/IP 
implementations out there that don't support that, and many
routers that just drop that.

Since you've sucked your target's SNMP data, why don't you
look for more lenient weaknesses?

Best Regards, 

Yonatan Bokovza
IT Security Consultant
Xpert Systems


Vladimir Parkhaev wrote:

I am doing a vulnerability assessment for one of our clients. One
of their boxes is a multihomed Solaris server with
ipforwarding enabled.
IP addresses are available via snmp with default community string.

I tried to use this box as a gateway to internal network coming
from the Internet without success.  I also looked at source
routing but did not find any tools (Net::RawIP does not seem
to support IP options).

Does anybody know how I can use this box to do routing for me?

Thanks.
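As an added example (not code from either poster), a small Python parser for the IPv4 options Yonatan describes: it walks the option list of a header, identifies Loose Source Route, Strict Source Route and Record Route by their RFC 791 type codes, and extracts the hop list, which is the check a firewall or IDS applies when it drops or alerts on such packets. The header builder, addresses and hop list are constructed sample data, not a capture.

```python
import socket
import struct

# IPv4 option type codes from RFC 791 (the options described above).
LSRR, SSRR, RR = 131, 137, 7
NAMES = {LSRR: "loose-source-route", SSRR: "strict-source-route", RR: "record-route"}


def parse_ipv4_options(packet: bytes):
    """Return [(option_name, [hop IPs]), ...] for routing-related options in the header."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated or malformed IPv4 header")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:            # End of Option List: remaining bytes are padding
            break
        if kind == 1:            # No Operation: single-byte option
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")   # reject rather than trust the length byte
        length = opts[i + 1]
        if kind in NAMES:
            # layout: type, length, pointer, then 4-byte addresses. For Record Route
            # the slots not yet written by a hop are zero and show up as 0.0.0.0.
            addrs = opts[i + 3:i + length]
            hops = [socket.inet_ntoa(addrs[j:j + 4]) for j in range(0, len(addrs) // 4 * 4, 4)]
            found.append((NAMES[kind], hops))
        i += length
    return found


def is_source_routed(packet: bytes) -> bool:
    """The drop/alert check the reply recommends: any LSRR or SSRR option present."""
    return any(name != "record-route" for name, _ in parse_ipv4_options(packet))


def build_ipv4_with_route(src, dst, hops, kind=LSRR):
    """Construct a sample IPv4 header (checksum left 0) carrying a source-route option."""
    route = b"".join(socket.inet_aton(h) for h in hops)
    opt = bytes([kind, 3 + len(route), 4]) + route   # pointer starts at 4
    opt += b"\x00" * (-len(opt) % 4)                  # pad header to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 0, 0, 64, 6, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr + opt


# Constructed sample addresses: an LSRR option listing two hops before the destination.
SAMPLE = build_ipv4_with_route("203.0.113.5", "10.0.0.10", ["192.0.2.7", "10.0.0.1"])
# parse_ipv4_options(SAMPLE) -> [('loose-source-route', ['192.0.2.7', '10.0.0.1'])]
```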
