Bugtraq mailing list archives
Novell Netware Echoing Integrity Bug with ICMP Fragment Reassembly Time Exceeded
From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Thu, 23 Nov 2000 08:55:40 +0200
Novell Netware operating systems have a unique pattern with ICMP Fragment Reassembly Time Exceeded error messages they produce.

In general, when an ICMP error message is produced, the offending packet's IP Header + at least 8 bytes of data are echoed with the error message.

If we closely examine the next example, we can see that the offending packet's IP TTL field value echoed back is zero. We expect this value to decrement from the value initially assigned, but not to be zero.

Since this value should change from one hop to another, the Checksum needs to be recalculated each time. With the error message we can see that the Checksum echoed is miscalculated.

And again, this is a Fragment Reassembly Time Exceeded ICMP error message and not an ICMP Time Exceeded in Transit error message.

The next example is with Novell Netware 5.1:

    [root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
    ppp0 default routing interface selected (according to /proc)
    HPING y.y.y.y (ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes

    --- y.y.y.y hping statistic ---
    1 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    [root@godfather bin]#

The Trace:

    20:12:28.008893 ppp0 > x.x.x.x.1865 > y.y.y.y.0: . 687160929:687160929(0) win 512 (frag 58586:20@0+) (DF) (ttl 64)
        4500 0028 e4da 6000 4006 c236 xxxx xxxx
        yyyy yyyy 0749 0000 28f5 3e61 669e 9f15
        5000 0200 c5d2 0000
    20:12:41.313202 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded Offending pkt: [|tcp] (frag 58586:20@0+) (DF) [ttl 0] (bad cksum d336!) (ttl 111, id 9591)
        4500 0038 2577 0000 6f01 b28f yyyy yyyy
        xxxx xxxx 0b01 b55f 0000 0000 4500 0028
        e4da 6000 0006 d336 xxxx xxxx yyyy yyyy
        0749 0000 28f5 3e61

This unique pattern enables us to determine if the operating system in question is a Novell Netware or other with one datagram only.

The information was sent to Novell.

I would like to thank Simple Nomad for verifying this info.
Ofir Arkin [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Founder
http://www.sys-security.com

"Opinions expressed do not necessarily represent the views of my employer."
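Added example (not part of the original post or of the author's tools): a check of the echoed IP header against the header that was sent, using the RFC 1624 incremental checksum update so that the masked address words (xxxx/yyyy) are not needed. It assumes those masked words are echoed unchanged; the function names are illustrative.

```python
# Header words copied from the two hex dumps in the post. The address words
# are masked there, so only the first six 16-bit words of each IP header are
# used (assumption: the masked words are echoed unchanged).
SENT = [0x4500, 0x0028, 0xE4DA, 0x6000, 0x4006, 0xC236]
ECHOED = [0x4500, 0x0028, 0xE4DA, 0x6000, 0x0006, 0xD336]
TTL_PROTO, CKSUM = 4, 5  # word indexes: TTL|protocol, header checksum


def fold(x):
    """Fold carries back into 16 bits (one's complement addition)."""
    while x >> 16:
        x = (x & 0xFFFF) + (x >> 16)
    return x


def update_checksum(hc, old_word, new_word):
    """RFC 1624 eqn. 3: HC' = ~(~HC + ~m + m')."""
    return ~fold((~hc & 0xFFFF) + (~old_word & 0xFFFF) + new_word) & 0xFFFF


def expected_checksum(sent, ttl):
    """Checksum the sent header would carry if only its TTL became `ttl`."""
    old = sent[TTL_PROTO]
    new = (ttl << 8) | (old & 0xFF)
    return update_checksum(sent[CKSUM], old, new)


def analyse(sent, echoed):
    """Compare the echoed header with the one sent."""
    changed = [i for i in range(len(sent)) if sent[i] != echoed[i]]
    echoed_ttl = echoed[TTL_PROTO] >> 8
    sent_ttl = sent[TTL_PROTO] >> 8
    # TTL values for which the echoed checksum would be a valid checksum
    matching = [t for t in range(sent_ttl + 1)
                if expected_checksum(sent, t) == echoed[CKSUM]]
    return {
        "changed_words": changed,
        "echoed_ttl": echoed_ttl,
        "checksum_valid": expected_checksum(sent, echoed_ttl) == echoed[CKSUM],
        "checksum_for_echoed_ttl": expected_checksum(sent, echoed_ttl),
        "ttl_matching_checksum": matching,
    }


if __name__ == "__main__":
    for key, value in analyse(SENT, ECHOED).items():
        print(f"{key}: {value}")
```

On the values in the trace, only the TTL and checksum words differ, a header with TTL 0 would need checksum 0x0237, and the echoed 0xd336 is the valid checksum for a TTL of 47.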