From Security_Research_Labs@NAI.COM Mon Sep 20 18:27:29 1999 From: Security Research Labs Resent-From: mea culpa To: BUGTRAQ@SECURITYFOCUS.COM Resent-To: jericho@attrition.org Date: Mon, 20 Sep 1999 12:24:48 -0700 Subject: NAI Security Advisory - Windows IP source routing [The following text is in the "iso-8859-1" character set] [Your display is set for the "US-ASCII" character set] [Some characters may be displayed incorrectly] -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 ====================================================================== Network Associates, Inc. SECURITY ADVISORY September 20, 1999 Windows IP Source Routing Vulnerability BUGTRAQ ID: 646 ====================================================================== SYNOPSIS Windows TCP/IP stacks configured to disable IP forwarding or IP source routing, allow specific source routed datagrams to route between interfaces. Effectively, the Windows TCP/IP stack can not be configured to disable IP datagrams passing between networks if two network cards have been installed. ====================================================================== VULNERABLE HOSTS All versions of Windows NT (including Terminal Server Edition) are vulnerable to the attacks within this advisory, including hosts that have installed Service Pack 5 and enabled the following SP5 specific registry key to disable source routing: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Services\Tcpip\Parameters\DisableIPSourceRouting All versions of Windows 95 and Windows 98 are vulnerable. ====================================================================== TECHNICAL DETAILS Every IP stack is required to implement IP options, although they may or may not appear in each IP datagram. Options are variable in length, and generally contain a type, length and data associated with the option. The option type is divided into three fields: the copied flag, option class and the option number. The copied flag indicates that this option is copied into all fragments on fragmentation. The source route option provides routing information for gateways in the delivery of a datagram to its destination. There are two variations loose and strict routes. The loose source route (LSRR) allows any number of intermediate gateways to reach the next address in the route. The strict source route (SSRR) requires the next address in the source route to be on a directly connected network, otherwise the delivery of the datagram can not be completed. The source route options have a variable length, containing a series of IP addresses and an offset pointer indicating the next IP address to be processed. A source routed datagram completes its delivery when the offset pointer points beyond the last field, ie the pointer is greater than the length, and the address in the destination address has been reached. RFC 1122 states the option as received must be passed up to the transport layer (or to ICMP message processing). It is a common security measure to disable IP source routing. In this situation, if a source routed packet attempts to use a secure host as an intermediate router or to deliver its data to that hosts application layer then the datagram should be dropped, optionally delivering an ICMP unreachable - source route failed. It is important to note that the datagram would be dropped at the network layer prior to IP reassembly and before data is passed to the application layer. As with other operating systems (when configured to deny source routed packets), if a source routed datagram attempts to use a Windows host as an intermediate router, an ICMP source route failed message is sent. This implies that the offset pointer is not greater than the length and the destination IP address has not been reached. When a source routed datagram completes its delivery, the offset pointer is greater than the length and the destination has been reached. If a specially crafted IP packet, with source route options, has the offset pointer set greater than the length, Windows TCP/IP stacks will accept the source routed datagram (rather than dropping it), and pass the data to the application layer for processing. The source route is reversed, delivering the reply to this datagram to the first host in the reversed route. Since the source route can be manipulated by an attacker, the first host in the reversed source route can be set to a host on the second network (accessible via the second interface, i.e. the internal network). As a result, it is possible to pass data through all Windows stacks with two network interfaces. In addition to tunneling data, there are two scenarios which can allow an intruder to obtain information about the remote network while obscuring their origin. The first allows any Windows host to be used to identify non-Windows hosts that have source routing enabled. A source routed datagram is created with a false source address, containing the true source address of the request and the address of a host to be scanned in the option data. Delivering this datagram, with the correct offset, to a Windows host results in the route being reversed and routed to the scanned host. If this host has source routing enabled the true source of the request will then see a response returned. Secondly, by utilizing the above source routing technique, and masking their source address in the IP header, it is possible to scan a Windows host for open ports using standard port scanning techniques. ====================================================================== RESOLUTION Microsoft has issued a hotfix for this vulnerability, which can be obtained at the following address: ftp://ftp.microsoft.com /bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/Spoof-fix Please note that the above URL has been seperated for formatting purposes. A fix for Windows 95 and Windows 98 based systems is in production and will follow. ====================================================================== CREDITS Discovery and documentation of this vulnerability was conducted by Anthony Osborne at the security labs of Network Associates. ====================================================================== ABOUT THE NETWORK ASSOCIATES SECURITY LABS The Security Labs at Network Associates hosts some of the most important research in computer security today. With over 30 security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community. For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at . ====================================================================== NETWORK ASSOCIATES SECURITY LABS PGP KEY - -----BEGIN PGP PUBLIC KEY BLOCK----- Version: PGP 5.5.5 mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC 8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh 01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p 2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4 QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ =L3C6 - ---- -----BEGIN PGP SIGNATURE----- Version: PGP 6.0.2 iQA/AwUBN+aLIKF4LLqP1YESEQIMowCgg5m54i4/SuSEfMy10hADCle78P4AoJi2 zZ/1QBgYJaQOwQULBxEOO0FF =+mMr -----END PGP SIGNATURE-----