Greets: (in no particular order)
Marty (and others for their brilliant work with Snort)
Fyodor (for nmap)
LBNL Network Research Group
zen-parse [4] and jaguar for looking over this and suggesting
improvements.
It is possible to read parts of a remote machines memory. To be specific,
it would have to be memory recently freed/swapped to disk. Consider this
for example:
int main(int argc, char **argv[], char **envp[])
{
char *ptr=0; /* We take a rather large chunk of memory and fill it with A's */
int val, i;
while(1) {
sleep(1);
val = 30000000; // ~ 30 M
ptr = (char *)malloc(val);
memset(ptr, 0x41, val-1);
free(ptr);
}
}
And then we modify nmap(1) (Around line 687) so it only transmits the
first fragment out of a fragmented scan. This will illict a ICMP TTL
Exceeded message. Due to Linux including a lot more of the packet than most
other OS's, we have around 20 bytes to read. From memory, Solaris includes
a little bit extra on ICMP messages.
Let's look at a sniffer trace from snort(2):
(Ignore the time stamps, as the machine this was originally done had a date
in 1994...)
12/11-00:34:34.290903 127.0.0.1 -> 127.0.0.1
ICMP TTL:255 TOS:0xC0 ID:29812
TTL EXCEEDED
00 00 00 00 45 00 00 24 A2 15 20 00 3E 06 BC BC ....E..$.. .>...
7F 00 00 01 7F 00 00 01 E1 C1 01 91 FB 73 6B E2 .............sk.
00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA
12/11-01:02:30.170720 127.0.0.1 -> 127.0.0.1
CMP TTL:255 TOS:0xC0 ID:31185
TTL EXCEEDED
00 00 00 00 45 00 00 24 32 25 20 00 3B 06 2F AD ....E..$2% .;./.
7F 00 00 01 7F 00 00 01 AA 1E 01 11 50 FE C6 45 ............P..E
00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA
Also - to prove this is not Snort's fault I included a tcpdump(3) log.
01:06:02.640246 lo < 127.0.0.1 > 127.0.0.1: icmp: ip reassembly time exceeded
[tos 0xc0]
45c0 0054 7b85 0000 ff01 4161 7f00 0001
7f00 0001 0b01 77a3 0000 0000 4500 0024
d3e5 2000 3306 95ec 7f00 0001 7f00 0001
c027 055a 5fa5 73a5 0000 0000 5002 0800
4141 4141 4141 4141 4141 4141 4141 4141
AFFECTED:
I assume it would be any OS that includes more than the ipaddresses/ports.
USAGES:
The ramifications from this could be great. You may get fragments of the
shadow file, various plaintext passwords (greatly depends...), pieces of code,
urls, random memory.
One specific use is for this could be identifying the endianness of a remote
machine because of the addresses are in memory. (Reading from Linux Magazine
November 2001, page 50, you have 0xef* for the stack on a big endian system as opposed to the 0xbf* on little endian. (linux-wise)).
FIX:
hrmm.... well.
+ Locking memory for important stuff (passwords etc.). I've forgotten the
call to do that but it is possible. This will prevent swapping to disk
which might make it better.
+ Modifying the kernel so in its idle loop (or whatever) it wipes some
(unused!) memory. Could lead to a race though...
+ A small program to continues malloc()/zero/free() stuff. A little like the
program above, but zeroing it instead. (You could always take the
offensive stand by filling it with decoy data... that's left to the
reader to implement. ;)
+ Make the network code zero out the packet before sending it. This would
slow it down though, and make it even more obvious that you are running
linux.
+ Filter out various icmp error messages, but as usual that breaks
everything.
(1). Nmap http://www.insecure.org/nmap
(2). Snort http://www.snort.org
snort -vd -i lo
(3) tcpdump -lnx
Lawrence Berkeley National Laboratory
Network Research Group
tcpdump@ee.lbl.gov
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z
(4) Make sure you visit Chapel of Stilled Voices
. . _ _ _ _ . . _ _ _ . .
|_ _|_ _|_ _ . / / |\/| |_| _| | | ||\/| / | | ||_ | |
| | | | |_|. / / | | | _|.|_ |_|| | / |_ |_| _| \/
|
(5) Hey, there is no [5], so why are you reading this!?@!
--
www.tasmail.com
