Penetration Testing mailing list archives

Breaching dual homed hosts?


From: Marcus Haebler <mcwimp () gmail com>
Date: Mon, 28 Feb 2005 02:56:43 -0500

I am looking to traverse a dual homed host with "IP Forwarding" DISABLED.
Let's assume that the host implements the weak ES model as defined by
RFC1122. I am not looking (at this stage) to exploit any applications on
the dual homed host itself but rather on hosts & applications behind it
via the dual homed host.

I am connected to the interface which has the default route. For
clarity purposes I call the interface facing me the WAN interface.
The other interface will be called the LAN interface. All interfaces
are Ethernet.

For starters I can send ICMP echo_reply packets out on the LAN interface
(if I know the IP address space) by spoofing the source address in an
ICMP echo request. All other ICMP req./reply based services will work the
same way. Similarly I could send/generate TCP SYN|ACKs, RSTs, UDP app
layer packets and ICMP port unreachables on the LAN by spoofing the
source address. With the exclusion of the UDP app layer, this does not
really do much except for being able to DoS hosts on the far end by
flooding them with packets. The UDP app layer has some potential. If UDP
echo is enabled I could use that to introduce a single packet UDP exploit
(a la Slammer) on the LAN side.

If I am L2 connected to the system in some way, I can access
services running on the LAN side by L2 addressing the local
interface and L3 addressing the far side interface. This will fail
for strong ES model implementations.

What other attacks are possible in this case? The goal is to
get to the LAN network. Should ICMP redirects do anything for
me? Are there any papers on this topic?

Since I realize that a lot of attacks depend heavily on the OS network stack implementation, the system I am looking at is a more or less stock Solaris 9 installation w/o X11 & NFS.

Thanks,

Marcus

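An added defender-side example, not part of Marcus's post: the Solaris 9 behaviour he describes (weak ES model, honoured ICMP redirects, forwarding state) is governed by ndd(1M) tunables on /dev/ip, and this script audits them against a hardening baseline. The parameter names are real Solaris tunables; the target values are this script's own baseline (an assumption), and NDD_SAMPLE is a constructed input so the logic can be exercised off a Solaris box.

```shell
#!/bin/sh
# Added example, not from the original post: audit the Solaris 9 ndd(1M)
# /dev/ip tunables behind the behaviour the post describes. Parameter names
# are real Solaris tunables; the target values are this script's own
# hardening baseline (an assumption, not something the post states).

# ip_strict_dst_multihoming=1 switches the stack to the strong ES model, so
# a frame arriving on the WAN interface but addressed to the LAN interface's
# IP is dropped. ip_ignore_redirect=1 covers the ICMP redirect question;
# ip_forwarding=0 is the state the post already assumes.
BASELINE="ip_forwarding=0 ip_strict_dst_multihoming=1 ip_ignore_redirect=1 \
ip_send_redirects=0 ip_forward_src_routed=0 ip_forward_directed_broadcasts=0 \
ip_respond_to_echo_broadcast=0"

# read_param NAME: print the current value of one tunable. Uses ndd on a real
# Solaris host; if NDD_SAMPLE (a constructed "name=value ..." string) is set,
# reads from that instead so the audit logic runs anywhere.
read_param() {
    if [ -z "$NDD_SAMPLE" ] && command -v ndd >/dev/null 2>&1; then
        ndd -get /dev/ip "$1"
    else
        printf '%s\n' $NDD_SAMPLE | sed -n "s/^$1=//p"
    fi
}

# audit: one line per tunable; returns the number of deviations from the
# baseline (a tunable that cannot be read counts as a deviation).
audit() {
    bad=0
    for kv in $BASELINE; do
        name=${kv%%=*}
        want=${kv#*=}
        have=$(read_param "$name")
        if [ "$have" = "$want" ]; then
            printf 'OK   %-32s %s\n' "$name" "$have"
        else
            printf 'FIX  %-32s is %s, want %s  -> ndd -set /dev/ip %s %s\n' \
                "$name" "${have:-unset}" "$want" "$name" "$want"
            bad=$((bad + 1))
        fi
    done
    return $bad
}

# Run directly on a Solaris host; elsewhere set NDD_SAMPLE and call audit.
if [ -z "$NDD_SAMPLE" ] && command -v ndd >/dev/null 2>&1; then
    audit
fi
```

ndd -set changes are lost at reboot, so a deviation that is fixed by hand should also be added to the host's init scripts.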