COMMAND
kernel
SYSTEMS AFFECTED
Linux
PROBLEM
Ofir Arkin found the following. There are differences between the
various ICMP Error messages, not only in their meaning but also in
their implementation. Ofir expected several characteristics of ICMP
Error messages to be the same across all ICMP Error message types,
but this turned out to be wrong for a few operating systems.
The most interesting case is the LINUX operating system based on
Kernel 2.2.x and 2.4.t-x.
The first example is with LINUX based on Kernel 2.2.16 as the
targeted machine, eliciting an ICMP Port Unreachable error
message:
00:21:30.199408 pop > x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 64, id 1732)
4500 001c 06c4 0000 4011 c895 xxxx xxxx
yyyy yyyy 0812 07d0 0008 4484
00:21:30.493691 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 2000
unreachable Offending pkt: x.x.x.x.2066 > y.y.y.y.2000: udp 0 (ttl 44, id
1732) [tos 0xc0] (ttl 238, id 53804)
45c0 0038 d22c 0000 ee01 4e60 yyyy yyyy
xxxx xxxx 0303 a88e 0000 0000 4500 001c
06c4 0000 2c11 dc95 xxxx xxxx yyyy yyyy
0812 07d0 0008 4484
The quoted data is the entire offending datagram. LINUX ICMP
Error messages will be up to 576 bytes long, according to the
LINUX source code.
The next example is again with LINUX as the targeted operating
system. In this example we sent a protocol scan with NMAP:
13:14:56.942897 < x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623)
4500 0014 92f7 0000 2726 02cb xxxx xxxx
yyyy yyyy
13:14:56.942964 > y.y.y.y > x.x.x.x: icmp: y.y.y.y protocol 38 unreachable
Offending pkt: x.x.x.x > y.y.y.y: ip-proto-38 0 (ttl 39, id 37623) [tos
0xc0] (ttl 255, id 1884)
45c0 0044 075c 0000 ff01 b59a yyyy yyyy
xxxx xxxx 0302 fb1a 0000 0000 4500 0014
92f7 0000 2726 02cb xxxx xxxx yyyy yyyy
0050 dc84 ae6f 6910 0000 0000 5004 0000
bd89 0000
LINUX quotes the entire offending packet and then adds another
20 bytes.
Since LINUX handles ICMP Protocol Unreachable Error messages in
the same way as ICMP Fragment Reassembly Time Exceeded Error
messages, we will see the same pattern with ICMP Fragment
Reassembly Time Exceeded:
[root@godfather bin]# hping2 -c 1 -x -y y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes
--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather bin]#
The tcpdump trace:
19:49:22.999108 ppp0 > x.x.x.x.cvspserver > y.y.y.y.0: .
1709055398:1709055398(0) win 512 (frag 35247:20@0+) (DF) (ttl 64)
4500 0028 89af 6000 4006 e0ff xxxx xxxx
yyyy yyyy 0961 0000 65de 1da6 6a01 476b
5000 0200 bf71 0000
19:49:53.303196 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded
Offending pkt: x.x.x.x.cvspserver > y.y.y.y.0: . 1709055398:1709055398(0)
win 512 (frag 35247:20@0+) (DF) (ttl 45) [tos 0xc0] (ttl 238, id 379)
45c0 0058 017b 0000 ee01 1a49 yyyy yyyy
xxxx xxxx 0b01 3caf 0000 0000 4500 0028
89af 6000 2d06 f3ff xxxx xxxx yyyy yyyy
0961 0000 65de 1da6 6a01 476b 5000 0200
bf71 0000 601d 1f0d 7a04 5045 0100 0000
4146 4345 4a45 4f46
Since LINUX's ICMP Error messages will not be bigger than 576
bytes, if the offending packet is big enough (not likely in a
real-world situation) we will not see the added 20 bytes in the
ICMP Fragment Reassembly / ICMP Protocol Unreachable error
messages.
This unique pattern allows us to identify LINUX based machines
even if the Precedence Bits value in the LINUX ICMP Error
messages is changed to 0x000.
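As an added example (not part of the advisory or of Ofir's own tooling), the following Python dissects the three ICMP Error messages quoted above and measures how many bytes trail the quoted datagram, so a captured message can be checked against the pattern described here. The placeholder addresses, the sample constants and the behaviour assumed at the 576-byte cap are assumptions.

```python
import struct

# Constructed samples: the three Linux ICMP error messages quoted above, with
# x.x.x.x / y.y.y.y replaced by the placeholders 10.0.0.1 / 10.0.0.2 (SRC / DST).
# Checksums are left as captured and are not verified here.
SRC, DST = "0a000001", "0a000002"
PORT_UNREACH = bytes.fromhex(
    f"45c0 0038 d22c 0000 ee01 4e60 {DST} {SRC} 0303 a88e 0000 0000"
    f"4500 001c 06c4 0000 2c11 dc95 {SRC} {DST} 0812 07d0 0008 4484")
PROTO_UNREACH = bytes.fromhex(
    f"45c0 0044 075c 0000 ff01 b59a {DST} {SRC} 0302 fb1a 0000 0000"
    f"4500 0014 92f7 0000 2726 02cb {SRC} {DST}"
    f"0050 dc84 ae6f 6910 0000 0000 5004 0000 bd89 0000")
FRAG_TIME_EXCEEDED = bytes.fromhex(
    f"45c0 0058 017b 0000 ee01 1a49 {DST} {SRC} 0b01 3caf 0000 0000"
    f"4500 0028 89af 6000 2d06 f3ff {SRC} {DST} 0961 0000 65de 1da6"
    f"6a01 476b 5000 0200 bf71 0000"
    f"601d 1f0d 7a04 5045 0100 0000 4146 4345 4a45 4f46")

def analyse_icmp_error(pkt: bytes) -> dict:
    """Dissect an IPv4 packet carrying an ICMP error message and report how
    many bytes follow the quoted (offending) datagram."""
    ver_ihl, tos, total_len = struct.unpack_from("!BBH", pkt, 0)
    ihl = (ver_ihl & 0x0F) * 4
    quoted = pkt[ihl + 8:total_len]                # data after the 8-byte ICMP header
    if len(pkt) < 20 or ver_ihl >> 4 != 4 or pkt[9] != 1 or len(quoted) < 20:
        raise ValueError("not an IPv4 packet carrying a complete ICMP error")
    icmp_type, icmp_code = struct.unpack_from("!BB", pkt, ihl)
    quoted_len = struct.unpack_from("!H", quoted, 2)[0]   # inner IP total length
    return {"type": icmp_type, "code": icmp_code, "precedence": tos >> 5,
            "icmp_len": total_len - ihl, "quoted_len": quoted_len,
            "extra_bytes": len(quoted) - quoted_len}

PADDED = {(3, 2), (11, 1)}   # protocol unreachable, reassembly time exceeded
MAX_ICMP_LEN = 576           # upper bound on a Linux ICMP error message

def matches_linux_pattern(info: dict) -> bool:
    """True when the message shows the pattern described above: the whole
    offending datagram is quoted, plus 20 bytes for the types in PADDED, and
    the ICMP message never exceeds 576 bytes. TOS/precedence is ignored on
    purpose, since that value may have been changed by the administrator."""
    if info["icmp_len"] > MAX_ICMP_LEN:
        return False
    if (info["type"], info["code"]) in PADDED:
        # Assumption: when the cap leaves no room, the 20-byte trailer is what gets cut.
        room = MAX_ICMP_LEN - 8 - info["quoted_len"]
        return info["extra_bytes"] == min(20, max(room, 0))
    return info["extra_bytes"] == 0
```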
SOLUTION
Nothing yet.