Bugtraq mailing list archives

Re: Linux zero IP ID vulnerability?


From: Andrea Purificato - bunker <bunker () fastwebnet it>
Date: Thu, 16 Mar 2006 17:45:21 +0100


At 10:33 on Tuesday, 14 March 2006, Marco Ivaldi wrote:

> I've recently stumbled upon an interesting behaviour of some Linux kernels
> that may be exploited by a remote attacker to abuse the ID field of IP
> packets, effectively bypassing the zero IP ID in DF packets countermeasure
> implemented since 2.4.8 (IIRC).

Hi Marco!

I've just tested this thing on available hardware:


- [PIRELLI HOME ACCESS GATEWAY]

bunker@syn:~$ sudo nmap -sS -P0 xxx.xxx.xxx.136 -O -v
[cut]PORT     STATE SERVICE
1720/tcp open  H.323/Q.931
MAC Address: (Pirelli Broadband Solutions)
Device type: PBX
Running: 3Com embedded
OS details: 3Com NBX PBX
[cut]IPID Sequence Generation: Incremental

(closed port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0 

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26008 sport=0 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26010 sport=0 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26012 sport=0 flags=R seq=2 win=0

(opened port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26082 sport=1720 flags=SA seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26084 sport=1720 flags=SA seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26086 sport=1720 flags=SA seq=2 win=8192

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26074 sport=1720 flags=R seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26076 sport=1720 flags=R seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26078 sport=1720 flags=R seq=2 win=8192


- [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)]
- (no iptables rules)

bunker@syn:~$ sudo nmap -sS -P0 -O -v xxx.xxx.xxx.139
[cut]PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
1080/tcp open  socks
6000/tcp open  X11
MAC Address: (Xnet Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
[cut]IPID Sequence Generation: All zeros

(closed port + S flag)
bunker@syn:~$ cat hping.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0

(opened port + S flag)
bunker@syn:~$ cat hping.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840

(closed port + SA flag)
bunker@syn:~$ cat hpingSA.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4111 sport=18 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4112 sport=18 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4113 sport=18 flags=R seq=2 win=0

(opened port + SA flag)
bunker@syn:~$ cat hpingSA.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0


The results obtained from 2.6.15.6 with the +S flag seem interesting.
-- 
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.

http://rawlab.altervista.org 
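As an added example (not part of this post or of either author's tooling), a small Python audit that parses hping reply lines like the ones above and classifies the IP ID sequence per reply type, much as nmap's "IPID Sequence Generation" line does but split by TCP flags, so an administrator checking their own host sees that SYN-ACKs are zeroed while RSTs still count up. The sample lines and the 192.0.2.139 address are constructed, and the classification thresholds are simplified assumptions rather than nmap's exact ones.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the hping replies from the 2.6.15.6 box above
# (address replaced with a documentation range): SYN-ACK replies carry id=0,
# RST replies carry an incrementing id, all with DF set.
SAMPLE = """\
len=46 ip=192.0.2.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=192.0.2.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=192.0.2.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840
len=46 ip=192.0.2.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=192.0.2.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=192.0.2.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0
"""

# One hping reply line; the DF token is optional (absent on the Pirelli box).
REPLY_RE = re.compile(r"ttl=\d+\s+(DF\s+)?id=(?P<id>\d+)\s+sport=\d+\s+flags=(?P<flags>\S+)")

def parse_replies(text):
    """Yield (flags, ip_id) for every hping reply line in text."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            yield m.group("flags"), int(m.group("id"))

def classify_ids(ids):
    """Label an IP ID sample like nmap's 'IPID Sequence Generation' line does
    (thresholds simplified here, so treat the label as a hint, not nmap's verdict)."""
    if len(ids) < 2:
        return "Insufficient"
    if all(i == 0 for i in ids):
        return "All zeros"
    diffs = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # 16-bit wraparound
    if all(d == 0 for d in diffs):
        return "Constant"
    if all(1 <= d <= 10 for d in diffs):
        return "Incremental"
    return "Randomized"

def audit_ipid(text):
    """Classify the IP ID sequence per reply type (SA, RA, R) so a host that
    zeroes IDs only on some paths is not reported as safe."""
    by_flags = defaultdict(list)
    for flags, ip_id in parse_replies(text):
        by_flags[flags].append(ip_id)
    return {flags: classify_ids(ids) for flags, ids in by_flags.items()}

def leaking_reply_types(text):
    """Reply types whose IP IDs still form a predictable counter."""
    return sorted(f for f, c in audit_ipid(text).items() if c == "Incremental")
```

Run against the RST replies from the post, the audit reports "Incremental" for flags=R even though the SYN-ACK path is "All zeros", which is exactly the partial coverage of the DF countermeasure that the thread is about.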

