Bugtraq mailing list archives

Novell Netware Echoing Integrity Bug with ICMP Fragment Reassembly Time Exceeded


From: Ofir Arkin <ofir () ITCON-LTD COM>
Date: Thu, 23 Nov 2000 08:55:40 +0200

Novell Netware operating systems have a unique pattern in the ICMP Fragment
Reassembly Time Exceeded error messages they produce.

In general, when an ICMP error message is produced, the offending packet's
IP header + at least 8 bytes of data are echoed with the error message. If
we examine the next example closely, we can see that the offending packet's
IP TTL field value echoed back is zero. We expect this value to decrement
from the value initially assigned, but not to be zero. Since this value
should change from one hop to another, the checksum needs to be recalculated
each time. With the error message we can see that the checksum echoed is
miscalculated.

...And again this is a Fragment Reassembly Time Exceeded ICMP error message
and not ICMP Time Exceeded in Transit error message.

The next example is with Novell Netware 5.1:

[root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather bin]#

The Trace:

20:12:28.008893 ppp0 > x.x.x.x.1865 > y.y.y.y.0: . 687160929:687160929(0)
win 512 (frag 58586:20@0+) (DF) (ttl 64)
                         4500 0028 e4da 6000 4006 c236 xxxx xxxx
                         yyyy yyyy 0749 0000 28f5 3e61 669e 9f15
                         5000 0200 c5d2 0000

20:12:41.313202 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded
Offending pkt: [|tcp] (frag 58586:20@0+) (DF) [ttl 0] (bad cksum d336!) (ttl
111, id 9591)
                         4500 0038 2577 0000 6f01 b28f yyyy yyyy
                         xxxx xxxx 0b01 b55f 0000 0000 4500 0028
                         e4da 6000 0006 d336 xxxx xxxx yyyy yyyy
                         0749 0000 28f5 3e61


This unique pattern enables us to determine whether the operating system in
question is Novell Netware or something else, using one datagram only.

The information was sent to Novell.

I would like to thank Simple Nomad for verifying this info.

Ofir Arkin  [ofir () itcon-ltd com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Founder
http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
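The following is an added example, not code from the original post: it parses the ICMP reply from the trace above and checks the two properties the post points out (echoed TTL of zero and an echoed header checksum that does not verify). The x.x.x.x / y.y.y.y addresses are masked in the trace, so the two addresses below are constructed placeholders, chosen so that every checksum printed in the trace (b28f, b55f, c236) verifies against the bytes. Since the checksums only depend on the sum of the address words, the arithmetic then matches the real capture exactly: it also shows that the echoed checksum d336 is the correct checksum for a TTL of 47, i.e. the original TTL 64 after 17 hops, so the stack zeroed the TTL field after the fact without recomputing the checksum. (The reply's own TTL of 111 is consistent with an assumed initial TTL of 128 minus the same 17 hops.) The detection rule at the end flags such replies from a capture; a defender watching for this kind of probe response can reuse it as-is.

```python
"""Parse the ICMP "ip reassembly time exceeded" reply from the trace and
test the echoed (offending) IP header. Added example, not the post's code."""
import struct

# Constructed stand-ins for the masked addresses in the trace. They are
# picked so the checksums shown in the trace verify against these bytes.
PROBE_HOST = bytes([10, 0, 0, 1])        # x.x.x.x, the hping2 host
NETWARE_HOST = bytes([10, 0, 95, 190])   # y.y.y.y, the Netware 5.1 target

# The 56-byte ICMP reply datagram from the trace, addresses filled in.
ICMP_REPLY = (
    bytes.fromhex("4500 0038 2577 0000 6f01 b28f") + NETWARE_HOST + PROBE_HOST
    + bytes.fromhex("0b01 b55f 0000 0000")                       # type 11, code 1
    + bytes.fromhex("4500 0028 e4da 6000 0006 d336") + PROBE_HOST + NETWARE_HOST
    + bytes.fromhex("0749 0000 28f5 3e61")                       # 8 bytes of TCP
)


def inet_checksum(data: bytes, cksum_offset: int) -> int:
    """RFC 1071 checksum of data, with the 16-bit field at cksum_offset
    taken as zero: one's-complement sum of 16-bit words, complemented."""
    zeroed = data[:cksum_offset] + b"\x00\x00" + data[cksum_offset + 2:]
    if len(zeroed) % 2:
        zeroed += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(zeroed) // 2), zeroed))
    while total >> 16:                       # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_icmp_error(packet: bytes) -> dict:
    """Extract the outer IP header, the ICMP header and the echoed
    offending IP header (RFC 792: 8-byte ICMP header, then the datagram)."""
    ihl = (packet[0] & 0x0F) * 4
    outer, icmp = packet[:ihl], packet[ihl:]
    inner = icmp[8:]
    inner_hdr = inner[:(inner[0] & 0x0F) * 4]
    return {
        "outer_ttl": outer[8],
        "outer_cksum_ok": inet_checksum(outer, 10) == struct.unpack("!H", outer[10:12])[0],
        "icmp_type": icmp[0],
        "icmp_code": icmp[1],
        "icmp_cksum_ok": inet_checksum(icmp, 2) == struct.unpack("!H", icmp[2:4])[0],
        "inner_ttl": inner_hdr[8],
        "inner_cksum": struct.unpack("!H", inner_hdr[10:12])[0],
        "inner_cksum_expected": inet_checksum(inner_hdr, 10),
        "inner_hdr": inner_hdr,
    }


def ttl_consistent_with_checksum(inner_hdr: bytes):
    """Which TTL would make the echoed header checksum correct? Tries all
    256 values; None means something other than the TTL was altered."""
    echoed = struct.unpack("!H", inner_hdr[10:12])[0]
    for ttl in range(256):
        candidate = inner_hdr[:8] + bytes([ttl]) + inner_hdr[9:]
        if inet_checksum(candidate, 10) == echoed:
            return ttl
    return None


def looks_like_netware_echo(packet: bytes) -> bool:
    """Detection rule for the pattern in the post: ICMP Time Exceeded with
    code 1 (fragment reassembly) whose echoed IP header carries TTL 0 and
    a checksum that does not verify, while the ICMP checksum itself does
    (so the mismatch is not transit corruption)."""
    f = parse_icmp_error(packet)
    return (f["icmp_type"] == 11 and f["icmp_code"] == 1 and f["icmp_cksum_ok"]
            and f["inner_ttl"] == 0
            and f["inner_cksum"] != f["inner_cksum_expected"])


if __name__ == "__main__":
    f = parse_icmp_error(ICMP_REPLY)
    print("outer TTL %d, outer/ICMP checksums ok: %s/%s"
          % (f["outer_ttl"], f["outer_cksum_ok"], f["icmp_cksum_ok"]))
    print("echoed TTL %d, echoed cksum %04x, correct for TTL 0 would be %04x"
          % (f["inner_ttl"], f["inner_cksum"], f["inner_cksum_expected"]))
    print("echoed checksum is valid for TTL", ttl_consistent_with_checksum(f["inner_hdr"]))
    print("Netware-style echo:", looks_like_netware_echo(ICMP_REPLY))
```

Feeding the reply through `parse_icmp_error` shows the outer and ICMP checksums verifying, the echoed TTL at 0, an echoed checksum of d336 where 0237 would be correct for TTL 0, and `ttl_consistent_with_checksum` returning 47.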

