5842401 2000-12-06 16:45 +0100 /99 lines/ Ofir Arkin <ofir@SYS-SECURITY.COM>
Sent by: joel@lysator.liu.se
Imported: 2000-12-11 02:26 by Brevbäraren (which is implemented in) Python
External recipient: BUGTRAQ@SECURITYFOCUS.COM
External replies to: ofir@sys-security.com
Recipient: Bugtraq (import) <14139>
Subject: LINUX ICMP Error Message Quoting Size Differences (The 20 Bytes from No Where)
------------------------------------------------------------
From: Ofir Arkin <ofir@SYS-SECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Message-ID: <GDEIJDIGIGIFHEIILCALMEJOCJAA.ofir@sys-security.com>

We must understand that there are differences between the different ICMP Error messages, not only with their meaning, but also with their implementation.

I was expecting that several characters with the ICMP Error messages will be the same along all of the ICMP Error Messages, but I was wrong regarding a few operating systems.

The most interesting case is with the LINUX operating system based on Kernel 2.2.x and 2.4.t-x.

The next example is with LINUX based on Kernel 2.2.16 as the targeted machine, eliciting an ICMP Port Unreachable error message:

00:21:30.199408 ppp0 > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
                         4500 001c 06c4 0000 4011 c895 xxxx xxxx
                         yyyy yyyy 0812 07d0 0008 4484
00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000 unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id 1732) [tos 0xc0] (ttl 238, id 53804)
                         45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
                         xxxx xxxx 0303 a88e 0000 0000 4500 001c
                         06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
                         0812 07d0 0008 4484

The quoted data is the entire offending datagram. LINUX ICMP Error messages will be up to 576 bytes long according to the LINUX source code.

The next example is with LINUX as the targeted operating system. With this example I have sent a protocol scan with NMAP:

13:14:56.942897 < x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
                         4500 0014 92f7 0000 2726 02cb xxxx xxxx
                         yyyy yyyy
13:14:56.942964 > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos 0xc0] (ttl 255, id 1884)
                         45c0 0044 075c 0000 ff01 b59a yyyy yyyy
                         xxxx xxxx 0302 fb1a 0000 0000 4500 0014
                         92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
                         0050 dc84 ae6f 6910 0000 0000 5004 0000
                         bd89 0000

LINUX adds to the entire offending packet that was quoted, another 20 bytes.

Since LINUX handles the ICMP Protocol Unreachable Error Messages like the ICMP Fragment Reassembly Time Exceeded Error Messages, we will see the same pattern with ICMP Fragment Reassembly Time Exceeded:

[root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather bin]#

The tcpdump trace:

19:49:22.999108 ppp0 > x.x.x.x.cvspserver > y.y.y.y.0: . 1709055398:1709055398(0) win 512 (frag 35247:20@0+) (DF) (ttl 64)
                         4500 0028 89af 6000 4006 e0ff xxxx xxxx
                         yyyy yyyy 0961 0000 65de 1da6 6a01 476b
                         5000 0200 bf71 0000
19:49:53.303196 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded Offending pkt: x.x.x.x.cvspserver > y.y.y.y.0: . 1709055398:1709055398(0) win 512 (frag 35247:20@0+) (DF) (ttl 45) [tos 0xc0] (ttl 238, id 379)
                         45c0 0058 017b 0000 ee01 1a49 yyyy yyyy
                         xxxx xxxx 0b01 3caf 0000 0000 4500 0028
                         89af 6000 2d06 f3ff xxxx xxxx yyyy yyyy
                         0961 0000 65de 1da6 6a01 476b 5000 0200
                         bf71 0000 601d 1f0d 7a04 5045 0100 0000
                         4146 4345 4a45 4f46

Since LINUX's ICMP Error messages will not be bigger than 576 bytes long, if the offending packet will be big enough (not likely in a real-world situation) we will not see the added 20 bytes in the ICMP Fragment Reassembly / ICMP Protocol Unreachable error messages.

This unique pattern will allow us to identify LINUX based machines even if the Precedence Bits value with the LINUX ICMP Error messages will be changed to 0x000.

Ofir Arkin
ofir@sys-security.com
http://www.sys-security.com

PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

Copyright (c) 2000 Sys-Security.com & Ofir Arkin
All rights reserved
(5842401) --------------------------------(Re-wrapped)
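Added example, not part of Ofir Arkin's post: a small Python parser that walks the outer IP header, the ICMP header and the quoted datagram in the three tcpdump hex dumps above and reports how many bytes were quoted beyond the offending datagram's own Total Length field, which is the "20 bytes from nowhere" the post describes. The masked x.x.x.x / y.y.y.y addresses are replaced with constructed placeholders 10.0.0.1 / 10.0.0.2; all other header bytes are taken verbatim from the dumps.

```python
import struct

# tcpdump hex dumps from the post; the masked x.x.x.x / y.y.y.y addresses are
# replaced by the constructed placeholders 10.0.0.1 (x) and 10.0.0.2 (y).
SAMPLES = {
    "port unreachable":
        "45c0 0038 d22c 0000 ee01 4e60 0a00 0002 0a00 0001 0303 a88e 0000 0000"
        " 4500 001c 06c4 0000 2c11 dc95 0a00 0001 0a00 0002 0812 07d0 0008 4484",
    "protocol unreachable":
        "45c0 0044 075c 0000 ff01 b59a 0a00 0002 0a00 0001 0302 fb1a 0000 0000"
        " 4500 0014 92f7 0000 2726 02cb 0a00 0001 0a00 0002"
        " 0050 dc84 ae6f 6910 0000 0000 5004 0000 bd89 0000",
    "reassembly time exceeded":
        "45c0 0058 017b 0000 ee01 1a49 0a00 0002 0a00 0001 0b01 3caf 0000 0000"
        " 4500 0028 89af 6000 2d06 f3ff 0a00 0001 0a00 0002 0961 0000 65de 1da6"
        " 6a01 476b 5000 0200 bf71 0000"
        " 601d 1f0d 7a04 5045 0100 0000 4146 4345 4a45 4f46",
}

def parse_icmp_error(raw: bytes) -> dict:
    """Return outer TOS, ICMP type/code, the number of quoted bytes and how many
    of them lie beyond the offending datagram's own Total Length."""
    ihl = (raw[0] & 0x0F) * 4                      # outer IP header length
    total_len = struct.unpack("!H", raw[2:4])[0]   # outer Total Length
    if raw[9] != 1:                                # IP protocol 1 = ICMP
        raise ValueError("not an ICMP datagram")
    raw = raw[:total_len]                          # drop link-layer padding
    icmp_type, icmp_code = raw[ihl], raw[ihl + 1]
    inner = raw[ihl + 8:]                          # quoted offending datagram
    if len(inner) < 4:
        raise ValueError("quoted datagram too short to read Total Length")
    inner_total_len = struct.unpack("!H", inner[2:4])[0]
    return {
        "tos": raw[1],
        "type": icmp_type,
        "code": icmp_code,
        "quoted": len(inner),
        "extra": len(inner) - inner_total_len,     # > 0: bytes past the datagram
        # Linux caps the reply at 576 bytes; a capped reply hides the extra bytes.
        "capped": total_len >= 576,
    }

def from_hexdump(dump: str) -> bytes:
    return bytes.fromhex(dump.replace(" ", ""))

def extra_quoted_bytes(dump: str) -> int:
    return parse_icmp_error(from_hexdump(dump))["extra"]

if __name__ == "__main__":
    for name, dump in SAMPLES.items():
        i = parse_icmp_error(from_hexdump(dump))
        print(f"{name:25s} type {i['type']}/{i['code']} tos 0x{i['tos']:02x} "
              f"quoted {i['quoted']} bytes, {i['extra']:+d} beyond the datagram")
```

Only the Protocol Unreachable and Fragment Reassembly Time Exceeded replies come out with 20 extra bytes; the Port Unreachable reply quotes exactly the offending datagram.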