COMMAND

    kernel

SYSTEMS AFFECTED

    OpenBSD 2.6...2.9

PROBLEM

    Ofir Arkin found following.   When a host generates an  ICMP Error
    message it  will echo  some parts  of the  offending packet.   The
    ICMP  Error  message  will  include  the  IP Header and at least 8
    bytes of data from the offending packet.

    There  are  some  fingerprinting  methods  which relay on the fact
    that some operating  systems do not  echo correctly the  offending
    packet's data.

    It is known that some operating systems do not echo correctly  the
    IP Total Length field value.   The problem is that some  operating
    systems echo a  value which is  20 bytes bigger  than the original
    value carried with the offending packet.

    During  the  research  on  X  Ofir  has found a new fingerprinting
    method that involves the same  field value.  With this  method the
    IP  Total  Length  field  value  being  echoed  (with an ICMP Port
    Unreachable  Error  Message)  is  20  bytes less than the original
    value.  With  the next example  I have used  hping2 to generate  a
    UDP  datagram  with  80  bytes  of  data  querying  UDP port 50 on
    OpenBSD 2.9 i386 based machine:

        [root@godfather /root]# hping2 -2 -y -p 50 -d 80 172.18.2.145
        eth0 default routing interface selected (according to /proc)
        HPING 172.18.2.145 (eth0 172.18.2.145): udp mode set, 28 headers + 80 data bytes
        ICMP Port Unreachable from 172.18.2.145  (unknown host name)
        ICMP Port Unreachable from 172.18.2.145  (unknown host name)
        ICMP Port Unreachable from 172.18.2.145  (unknown host name)
        ...

    The tcpdump trace:

        09:52:33.989622 eth0 > 172.18.2.201.2999 > 172.18.2.145.re-mail-ck: udp 80
        (DF) (ttl 64, id 5207)
                                 4500 006c 1457 4000 4011 c8ab ac12 02c9
                                 ac12 0291 0bb7 0032 0058 c808 5858 5858
                                 5858 5858 5858 5858 5858 5858 5858 5858
                                 5858 5858 5858 5858 5858 5858 5858 5858
                                 5858 5858 5858 5858 5858 5858 5858 5858
                                 5858 5858 5858 5858 5858 5858 5858 5858
                                 5858 5858 5858 5858 5858 5858
        09:52:33.989622 eth0 < 172.18.2.145 > 172.18.2.201: icmp: 172.18.2.145 udp
        port re-mail-ck unreachable Offending pkt: 172.18.2.201.2999 >
        172.18.2.145.re-mail-ck: udp 80 (DF) (ttl 64, id 5207) (ttl 255, id 41822)
                                 4500 0038 a35e 0000 ff01 bae7 ac12 0291
                                 ac12 02c9 0303 28b3 0000 0000 4500 0058
                                 1457 4000 4011 c8bf ac12 02c9 ac12 0291
                                 0bb7 0032 0058 c808

    The snort trace:

        06/20-09:53:07.989622 172.18.2.201:3033 -> 172.18.2.145:50
        UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:108 DF
        Len: 88
        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
        58 58 58 58 58 58 58 58 58 58 58 58 58 58 58 58  XXXXXXXXXXXXXXXX
        
        
        06/20-09:53:07.989622 172.18.2.145 -> 172.18.2.201
        ICMP TTL:255 TOS:0x0 ID:51307 IpLen:20 DgmLen:56
        Type:3  Code:3  DESTINATION UNREACHABLE: PORT UNREACHABLE
        ** ORIGINAL DATAGRAM DUMP:
        172.18.2.201:3033 -> 172.18.2.145:50
        UDP TTL:64 TOS:0x0 ID:10872 IpLen:20 DgmLen:88
        Len: 88
        ** END OF DUMP
        00 00 00 00 45 00 00 58 2A 78 40 00 40 11 B2 9E  ....E..X*x@.@...
        AC 12 02 C9 AC 12 02 91 0B D9 00 32 00 58 C7 E6  ...........2.X..

    Looking  at  the  traces  you  can  see  that  the datagram length
    reported by the ICMP Port  Unreachable error message is 88  bytes,
    while the offending packet was 108 bytes long.

    The  same  behavior  is  produced  with  OpenBSD  2.6-2.8  as well
    (checked on the i386 platform).

    But OpenBSD  2.6-2.9 is  not the  only operating  system that acts
    like  this.   Cross  referencing  this  fingerprinting method with
    nmap's  fingerprinting  database  (www.insecure.org)  reveals that
    Apollo  Domain/OS  SR10.4,  NFR  IDS  Appliance,  Extreme Networks
    Black  Diamond  Switch,  Extreme  Networks Gigabit Switch, Network
    Systems router  NS6614 (NSC  6600 series),  and Cabletron  Systems
    SSR 8000 System Software version 3.1.B.16 does the same.

    Since  all  the  other  operating  systems  and networking devices
    listed  above  have  other  echoing  integrity problems with their
    ICMP  Port  Unreachable  error  messages,  while  OpenBSD  2.6-2.9
    correctly echoes all the other  data fields carried with the  ICMP
    Port  Unreachable  error  message,  it  enables  us to fingerprint
    OpenBSD  2.6-2.9  based  systems  initiating  one  crafted   query
    receiving one ICMP Port Unreachable error message.

SOLUTION

    Nothing Yet.