COMMAND

    kernel

SYSTEMS AFFECTED

    Sun Solaris & HpUX 11.0

PROBLEM

    Ofir Arkin found  following.  RFC  791 defines a  three bits field
    used for various control  flags in the IP  Header.  Bit 0  of this
    bits field  is the  reserved flag,  and must  be zero according to
    the RFC.

    What will happen  if we will  decide to break  this definition and
    send our ICMP Query requests  with this bit set (having  the value
    of one)?

    Sun Solaris & HPUX 11.0 will echo back the reserved bit.

    This is a tcpdump trace describing an ICMP Echo request sent  with
    the reserved Bit set, and the ICMP Echo reply we received  echoing
    the reserved   bit. This trace  was produced against  an HPUX 11.0
    machine.

        21:31:21.033366 if 4  > 195.72.167.186 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
			         4500 0024 3372 8000 ff01 fc8c c348 a7ba
			         xxxx xxxx 0800 8b1b 8603 0000 f924 bd39
			         3082 0000
        21:31:21.317916 if 4  < x.x.x.x > 195.72.167.186: icmp: echo reply (ttl 236, id 25606)
			         4500 0024 6406 8000 ec01 def8 xxxx xxxx
			         c348 a7ba 0000 931b 8603 0000 f924 bd39
                           3082 0000

    The next trace was produced against a Sun Solaris 2.8 machine:

        16:51:37.470995 if 4  > 195.72.167.220 > x.x.x.x: icmp: echo request (ttl 255, id 13170)
			         4500 0024 3372 8000 ff01 e0e1 c348 a7dc
			         xxxx xxxx 0800 edae 3004 0000 69e3 bc39
			         ad2f 0700
        16:51:37.745254 if 4  < x.x.x.x > 195.72.167.220: icmp: echo reply (DF) (ttl 243, id 5485)
			         4500 0024 156d c000 f301 cae6 xxxx xxxx
			         c348 a7dc 0000 f5ae 3004 0000 69e3 bc39
                           ad2f 0700

    If we  examine this  trace closely  we can  identify a distinction
    between Sun Solaris machines and  HPUX machines.  The DF  bit will
    be set with the  Sun Solaris ICMP Query  replies and not with  the
    HPUX 11.0 machines replies.   We can than distinguish between  Sun
    Solaris and HPUX 11.0 machines.

    All ICMP Query replies on  the same operating system use  the same
    pattern (either echo with all replies or not).  This enable us  to
    use  another  ICMP  Query  message  type  for  this fingerprinting
    method.   If  we  send  an  ICMP  Address  Mask  request  with the
    reserved  bit  set,  the  result  a  Sun  Solaris 2.8 machine will
    produce:

        18:39:32.262869 if 4  > 195.72.167.147 > x.x.x.x : icmp: address mask request (ttl 255, id 13170)
			         4500 0020 3372 8000 ff01 e12e c348 a793
			         xxxx xxxx 1100 a0fb 4e04 0000 0000 0000
        18:39:32.561373 if 4  < x.x.x.x > 195.72.167.147: icmp: address mask is 0xffffff00 (DF) (ttl 243, id 51792)
			         4500 0020 ca50 c000 f301 1650 xxxx xxxx
			         c348 a793 1200 a0fa 4e04 0000 ffff ff00

    We will  have both  the reserved  and the  DF bit  set on the ICMP
    Address Mask  reply, a  unique pattern  Sun Solaris  machines have
    with ICMP Address Mask replies.

    This operating system fingerprinting method enable us to  identify
    and distinguish between Sun Solaris, and  HPUX 11.0.

    The latest SING CVS (12  September 2000), which is available  from
    http://sourceforge.net/projects/sing introduced the U option along
    with the ability to identify if  this bit is set on the  reply (if
    any) we get:

        [root@godfather bin]# ./sing -mask -U IP_Address
        SINGing to IP_Address (IP_Address): 12 data bytes
        12 bytes from IP_Address: icmp_seq=0 RF! DF! ttl=243 TOS=0
        mask=255.255.255.0
        12 bytes from IP_Address: icmp_seq=1 RF! DF! ttl=243 TOS=0
        mask=255.255.255.0
        12 bytes from IP_Address: icmp_seq=2 RF! DF! ttl=243 TOS=0
        mask=255.255.255.0
        12 bytes from IP_Address: icmp_seq=3 RF! DF! ttl=243 TOS=0
        mask=255.255.255.0
        12 bytes from IP_Address: icmp_seq=4 RF! DF! ttl=243 TOS=0
        mask=255.255.255.0
        --- IP_Address sing statistics ---
        5 packets transmitted, 5 packets received, 0% packet loss
        [root@godfather bin]#

    This method was test against: Linux Kernel 2.4 test 2,4,5,6; Linux
    Kernel 2.2.x;  FreeBSD 4.0,  3.4; OpenBSD  2.7,2.6; NetBSD  1.4.1,
    1.4.2;  BSDI  BSD/OS  4.0,3.1;  Solaris  2.6,2.7,2.8; HP-UX 10.20,
    11.0; Compaq Tru64 5.0; Aix 4.1,3.2; Irix 6.5.3, 6.5.8; Ultrix 4.2
    4.5; OpenVMS v7.1-2; Novel  Netware 5.1 SP1, 5.0,  3.12; Microsoft
    Windows 98/98SE, Microsoft Windows NT WRKS SP6a, Microsoft Windows
    NT Server SP4, Microsoft Windows 2000 Family.

SOLUTION

    Nothing yet.