At 10:33 on Tuesday 14 March 2006, Marco Ivaldi wrote:
> I've recently stumbled upon an interesting behaviour of some Linux kernels
> that may be exploited by a remote attacker to abuse the ID field of IP
> packets, effectively bypassing the zero IP ID in DF packets countermeasure
> implemented since 2.4.8 (IIRC).

Hi Marco!

I've just tested this thing on available hardware:

- [PIRELLI HOME ACCESS GATEWAY]

bunker@syn:~$ sudo nmap -sS -P0 xxx.xxx.xxx.136 -O -v
[cut]
PORT     STATE SERVICE
1720/tcp open  H.323/Q.931
MAC Address: (Pirelli Broadband Solutions)
Device type: PBX
Running: 3Com embedded
OS details: 3Com NBX PBX
[cut]
IPID Sequence Generation: Incremental

(closed port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26002 sport=0 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26004 sport=0 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26006 sport=0 flags=RA seq=2 win=0

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26008 sport=0 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26010 sport=0 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26012 sport=0 flags=R seq=2 win=0

(opened port)
bunker@syn:~$ sudo /usr/sbin/hping -S xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): S set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26082 sport=1720 flags=SA seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26084 sport=1720 flags=SA seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26086 sport=1720 flags=SA seq=2 win=8192

bunker@syn:~$ sudo /usr/sbin/hping -SA xxx.xxx.xxx.136 -c 3 -p 1720
HPING xxx.xxx.xxx.136 (eth0 xxx.xxx.xxx.136): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26074 sport=1720 flags=R seq=0 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26076 sport=1720 flags=R seq=1 win=8192
len=46 ip=xxx.xxx.xxx.136 ttl=64 id=26078 sport=1720 flags=R seq=2 win=8192

- [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)] - (no iptables rules)

bunker@syn:~$ sudo nmap -sS -P0 -O -v xxx.xxx.xxx.139
[cut]
PORT     STATE SERVICE
22/tcp   open  ssh
53/tcp   open  domain
1080/tcp open  socks
6000/tcp open  X11
MAC Address: (Xnet Technology)
Device type: general purpose
Running: Linux 2.4.X|2.5.X|2.6.X
OS details: Linux 2.4.7 - 2.6.11
[cut]
IPID Sequence Generation: All zeros

(closed port + S flag)
bunker@syn:~$ cat hping.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0

(opened port + S flag)
bunker@syn:~$ cat hping.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): S set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840

(closed port + SA flag)
bunker@syn:~$ cat hpingSA.closed
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4111 sport=18 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4112 sport=18 flags=R seq=1 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4113 sport=18 flags=R seq=2 win=0

(opened port + SA flag)
bunker@syn:~$ cat hpingSA.open
HPING xxx.xxx.xxx.139 (eth0 xxx.xxx.xxx.139): SA set, 40 headers
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4108 sport=22 flags=R seq=0 win=0
len=60 ip=xxx.xxx.xxx.139 ttl=64 DF id=4109 sport=22 flags=R seq=0 win=0
len=46 ip=xxx.xxx.xxx.139 ttl=64 DF id=4110 sport=22 flags=R seq=1 win=0

The results obtained from 2.6.15.6 with the S flag seem interesting.

-- 
Andrea "bunker" Purificato
+++++++++++[>++++++>+++++++++++++++++++++++++++++++++>++++
++++++<<<-]>.>++++++++++.>.<----------.>---------.<+++++++.
http://rawlab.altervista.org
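The behaviour the captures above show (incremental IP IDs in the RST replies, all-zero IDs in the DF SYN/ACK replies) can be audited on one's own hosts from saved hping output. The following Python script is an added example, not code from the thread or from hping/nmap; the sample reply lines are constructed in hping's output format, and the sequence classes are a simplified version of nmap's IPID Sequence Generation test whose thresholds are assumptions.

```python
import re

# Constructed sample hping reply lines in the format of the captures above:
# RST/ACK replies from a closed port and SYN/ACK replies from an open port.
SAMPLE_RST = """\
len=46 ip=192.0.2.10 ttl=64 DF id=4102 sport=18 flags=RA seq=0 win=0
len=46 ip=192.0.2.10 ttl=64 DF id=4103 sport=18 flags=RA seq=1 win=0
len=46 ip=192.0.2.10 ttl=64 DF id=4104 sport=18 flags=RA seq=2 win=0
"""
SAMPLE_SYNACK = """\
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=0 win=5840
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=1 win=5840
len=46 ip=192.0.2.10 ttl=64 DF id=0 sport=22 flags=SA seq=2 win=5840
"""

# One hping reply line; the "DF" token is present only when the bit is set.
LINE_RE = re.compile(r"ip=\S+ ttl=\d+ (?P<df>DF )?id=(?P<id>\d+) sport=\d+ flags=(?P<flags>\S+)")

def parse_replies(text):
    """Return (df_set, ip_id, tcp_flags) for every hping reply line in text."""
    replies = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if m:
            replies.append((m.group("df") is not None, int(m.group("id")), m.group("flags")))
    return replies

def classify_ipid(ids):
    """Simplified form of nmap's IPID sequence classes (thresholds are assumptions)."""
    if len(ids) < 2:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "all zeros"
    deltas = [(b - a) % 65536 for a, b in zip(ids, ids[1:])]  # 16-bit wraparound
    if all(d == 0 for d in deltas):
        return "constant"
    if all(0 < d <= 10 for d in deltas):
        return "incremental"
    return "random"

def audit(capture):
    """Classify the capture and flag DF replies whose IP ID is non-zero and predictable."""
    replies = parse_replies(capture)
    df_ids = [ip_id for df, ip_id, _ in replies if df]
    return {
        "class": classify_ipid([ip_id for _, ip_id, _ in replies]),
        "df_predictable": classify_ipid(df_ids) == "incremental",
    }
```

Feed it the saved output of a probe such as `hping -S host -c 3`, as in the post, to see whether a host's RST replies carry predictable IDs despite the DF bit.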