COMMAND

    IP Source Routing

SYSTEMS AFFECTED

    WinNT, Win9x

PROBLEM

    Following is based on an NAI Security Advisory.  Windows TCP/IP
    stacks configured to disable IP forwarding or IP source routing
    still allow specially crafted source routed datagrams to be routed
    between interfaces.  Effectively, the Windows TCP/IP stack cannot
    be configured to stop IP datagrams passing between networks once
    two network cards have been installed.  All versions of Windows NT
    (including Terminal Server Edition) are vulnerable to the attacks
    described in this advisory, including hosts that have installed
    Service Pack 5 and enabled the following SP5-specific registry
    value to disable source routing:

        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

    Every IP stack is required to implement IP options, although they
    may or may not appear in a given IP datagram.  Options are variable
    in length and generally consist of a type, a length and the data
    associated with the option.  The option type octet is divided into
    three fields: the copied flag, the option class and the option
    number.  The copied flag indicates that the option is copied into
    every fragment on fragmentation.  The source route option provides
    routing information for gateways in the delivery of a datagram to
    its destination.  There are two variations: loose and strict source
    routes.  The loose source route (LSRR) allows any number of
    intermediate gateways to be used to reach the next address in the
    route.  The strict source route (SSRR) requires the next address in
    the source route to be on a directly connected network; otherwise
    delivery of the datagram cannot be completed.

    The source route options are variable in length, containing a
    series of IP addresses and an offset pointer indicating the next IP
    address to be processed.  A source routed datagram completes its
    delivery when the offset pointer points beyond the last address
    field, i.e. the pointer is greater than the length, and the address
    in the destination field has been reached.  RFC 1122 states that
    the option as received must be passed up to the transport layer (or
    to ICMP message processing).  It is a common security measure to
    disable IP source routing.  In that configuration, if a source
    routed packet attempts to use a secured host as an intermediate
    router, or to deliver its data to that host's application layer,
    the datagram should be dropped, optionally with an ICMP unreachable
    (source route failed) message returned.  It is important to note
    that the datagram would be dropped at the network layer, prior to
    IP reassembly and before any data is passed to the application
    layer.

    As with other operating systems (when configured to deny source
    routed packets), if a source routed datagram attempts to use a
    Windows host as an intermediate router, an ICMP source route failed
    message is sent.  In that case the offset pointer is not greater
    than the length and the destination IP address has not yet been
    reached.  When a source routed datagram completes its delivery, the
    offset pointer is greater than the length and the destination has
    been reached.  Windows, however, only checks whether it would have
    to forward the datagram.  If a specially crafted IP packet with a
    source route option has the offset pointer set greater than the
    length, the Windows TCP/IP stack accepts the source routed datagram
    (rather than dropping it) and passes the data to the application
    layer for processing, even though none of the addresses in the
    option were ever traversed.  The source route is then reversed for
    the reply, so the reply to this datagram is delivered to the first
    host in the reversed route, which is the last address the sender
    placed in the option.  Since the source route is entirely under the
    attacker's control, that first hop of the reversed route can be set
    to a host on the second network (accessible via the second
    interface, i.e. the internal network).

    As a result, it is possible to pass data through any Windows stack
    with two network interfaces.  In addition to tunneling data, there
    are two scenarios which allow an intruder to obtain information
    about the remote network while obscuring their origin.  The first
    allows any Windows host to be used to identify non-Windows hosts
    that have source routing enabled.  A source routed datagram is
    created with a false source address, carrying the true source
    address of the request and the address of a host to be scanned in
    the option data.  Delivering this datagram, with the pointer set
    beyond the length, to a Windows host results in the route being
    reversed and the reply routed to the scanned host.  If that host
    has source routing enabled, it forwards the reply along the rest
    of the reversed route and the true source of the request sees a
    response.  Secondly, by using the same source routing technique
    and masking their source address in the IP header, an attacker can
    scan a Windows host for open ports using standard port scanning
    techniques, with the replies routed back via the option rather
    than to the forged source address.
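    The following Python is an added worked example, not code from the
    NAI advisory or from Microsoft.  It encodes and decodes the LSRR/SSRR
    option (type, length, pointer, address list) described above, models
    the two receiving behaviours the advisory contrasts (a stack that only
    checks whether it would have to forward, versus one that drops every
    source routed datagram when source routing is disabled), and computes
    the reversed reply route used in the scanning scenario.  The addresses
    (203.0.113.5 as the attacker, 198.51.100.9 as the spoofed source,
    10.0.0.20 as the internal host) and the two decision functions are
    assumptions made for illustration; the RFC 791 rule that a route is
    complete once pointer > length is the only behaviour taken from the
    specification.

```python
import struct
from ipaddress import IPv4Address

# IP option type octet: copied flag (bit 7) | class (bits 6-5) | number (bits 4-0).
# Both source route options carry the copied flag and belong to class 0 (control).
IPOPT_LSRR = 0x83   # loose source and record route, option number 3
IPOPT_SSRR = 0x89   # strict source and record route, option number 9


def split_option_type(typ):
    """Return (copied_flag, option_class, option_number) for an option type octet."""
    return (typ >> 7) & 1, (typ >> 5) & 3, typ & 0x1F


def build_source_route(addrs, pointer=4, strict=False):
    """Encode an LSRR/SSRR option: type, length, pointer, then the address list.

    The pointer is the 1-based octet offset of the next address to process,
    so 4 selects the first address.  Setting it to length + 1 makes a
    receiver treat the route as already complete (the crafted case above).
    """
    body = b"".join(IPv4Address(a).packed for a in addrs)
    length = 3 + len(body)
    typ = IPOPT_SSRR if strict else IPOPT_LSRR
    return struct.pack("BBB", typ, length, pointer) + body


def parse_source_route(opt):
    """Decode a source route option into its fields, rejecting malformed ones."""
    if len(opt) < 3:
        raise ValueError("option too short")
    typ, length, pointer = opt[0], opt[1], opt[2]
    if typ not in (IPOPT_LSRR, IPOPT_SSRR):
        raise ValueError("not a source route option: 0x%02x" % typ)
    if length < 3 or length > len(opt) or (length - 3) % 4:
        raise ValueError("bad option length %d" % length)
    if pointer < 4:
        raise ValueError("pointer %d points before the first address" % pointer)
    addrs = [str(IPv4Address(opt[i:i + 4])) for i in range(3, length, 4)]
    return {"strict": typ == IPOPT_SSRR, "length": length,
            "pointer": pointer, "addrs": addrs}


def route_complete(sr):
    """RFC 791: the source route is exhausted once the pointer exceeds the length."""
    return sr["pointer"] > sr["length"]


def nt_pre_hotfix(opt, source_routing_disabled=True):
    """Assumed model of the unpatched behaviour the advisory describes: the
    stack only asks whether it would have to forward the datagram."""
    sr = parse_source_route(opt)
    if route_complete(sr):
        return "accept"                     # handed up to the application layer
    if source_routing_disabled:
        return "icmp_source_route_failed"   # would have to forward; refused
    return "forward"


def hardened(opt, source_routing_disabled=True):
    """Behaviour the advisory expects: with source routing disabled, every
    datagram carrying a source route option is dropped at the network layer,
    whatever the pointer says."""
    sr = parse_source_route(opt)
    if source_routing_disabled:
        return "drop"
    return "accept" if route_complete(sr) else "forward"


def reply_route(sr, ip_src):
    """Route an accepting receiver puts on its reply: the recorded addresses
    reversed, ending at the datagram's IP source.  Element 0 is the host the
    reply is actually sent to."""
    return list(reversed(sr["addrs"])) + [ip_src]


# Constructed scenario (assumed addresses): the attacker at 203.0.113.5 forges
# the IP source as 198.51.100.9 and lists its true address and an internal
# host behind the Windows host's second interface in the option data.
TRUE_SRC = "203.0.113.5"
SPOOFED_SRC = "198.51.100.9"
INTERNAL_HOST = "10.0.0.20"
ROUTE = [TRUE_SRC, INTERNAL_HOST]


def crafted_option():
    """Option whose pointer already points past the last address (length + 1)."""
    length = 3 + 4 * len(ROUTE)
    return build_source_route(ROUTE, pointer=length + 1)


if __name__ == "__main__":
    honest = build_source_route(ROUTE)   # pointer 4: asks the host to forward
    crafted = crafted_option()           # pointer 12 > length 11
    print("honest :", nt_pre_hotfix(honest), "/", hardened(honest))
    print("crafted:", nt_pre_hotfix(crafted), "/", hardened(crafted))
    print("reply goes first to", reply_route(parse_source_route(crafted), SPOOFED_SRC)[0])
```

    Running it shows the asymmetry the advisory relies on: the honest
    option (pointer 4) draws an ICMP source route failed message from the
    modelled unpatched stack, while the crafted option (pointer 12 on a
    length of 11) is accepted and its reply is routed first to 10.0.0.20,
    the internal host, rather than to the forged source address.  The
    hardened decision drops both.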

    Discovery and  documentation of  this vulnerability  was conducted
    by Anthony Osborne at the security labs of Network Associates.

SOLUTION

    Microsoft has issued a hotfix for this vulnerability, which can be
    obtained at the following address:

        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/Spoof-fix

    A fix for Windows 95 and Windows 98 based systems is in production
    and will follow.