Re: testing for IP address space leakage in NAT systems

From: R. DuFresne (dufresne@sysinfo.com)
Date: 01/21/02


Date: Mon, 21 Jan 2002 13:05:44 -0500 (EST)
From: "R. DuFresne" <dufresne@sysinfo.com>
To: R P G <inittab@jtan.com>


Intereting topic.

Off the top mf my head, headers, e-mail, http, etc, as well as running
tcpdump traces of packets might reveal any issues here.

Additionally, there was a posting today that had some issues that might
well be related, let me include it here:

<quote>

From: Andrew Griffiths <andrewg@tasmail.com>
Subject: remote memory reading through tcp/icmp
Date: Sun, 20 Jan 2002 20:17:22 +1100 (EST)
To: bugtraq@securityfocus.com

Greets: (in no particular order)

        Marty (and others for their brilliant work with Snort)
        Fyodor (for nmap)
        LBNL Network Research Group
        zen-parse [4] and jaguar for looking over this and suggesting
        improvements.

It is possible to read parts of a remote machines memory. To be specific,
it would have to be memory recently freed/swapped to disk. Consider this
for example:

int main(int argc, char **argv[], char **envp[])
{
  char *ptr=0; /* We take a rather large chunk of memory and fill it with
A's
*/
  int val, i;

  while(1) {
    sleep(1);
    val = 30000000; // ~ 30 M
    ptr = (char *)malloc(val);

    memset(ptr, 0x41, val-1);
    free(ptr);
  }
}

And then we modify nmap(1) (Around line 687) so it only transmits the
first fragment out of a fragmented scan. This will illict a ICMP TTL
Exceeded message. Due to Linux including a lot more of the packet than
most
other OS's, we have around 20 bytes to read. From memory, Solaris includes
a little bit extra on ICMP messages.

Let's look at a sniffer trace from snort(2):
  (Ignore the time stamps, as the machine this was originally done had a
date
  in 1994...)

12/11-00:34:34.290903 127.0.0.1 -> 127.0.0.1
ICMP TTL:255 TOS:0xC0 ID:29812
TTL EXCEEDED
00 00 00 00 45 00 00 24 A2 15 20 00 3E 06 BC BC ....E..$.. .>...
7F 00 00 01 7F 00 00 01 E1 C1 01 91 FB 73 6B E2 .............sk.
00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA

12/11-01:02:30.170720 127.0.0.1 -> 127.0.0.1
CMP TTL:255 TOS:0xC0 ID:31185
TTL EXCEEDED
00 00 00 00 45 00 00 24 32 25 20 00 3B 06 2F AD ....E..$2% .;./.
7F 00 00 01 7F 00 00 01 AA 1E 01 11 50 FE C6 45 ............P..E
00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA

Also - to prove this is not Snort's fault I included a tcpdump(3) log.

01:06:02.640246 lo < 127.0.0.1 > 127.0.0.1: icmp: ip reassembly time
exceeded
[tos 0xc0]
                         45c0 0054 7b85 0000 ff01 4161 7f00 0001
                         7f00 0001 0b01 77a3 0000 0000 4500 0024
                         d3e5 2000 3306 95ec 7f00 0001 7f00 0001
                         c027 055a 5fa5 73a5 0000 0000 5002 0800
                         4141 4141 4141 4141 4141 4141 4141 4141

AFFECTED:

I assume it would be any OS that includes more than the ipaddresses/ports.

USAGES:

The ramifications from this could be great. You may get fragments of the
shadow file, various plaintext passwords (greatly depends...), pieces of
code, urls, random memory.

One specific use is for this could be identifying the endianness of a
remote
machine because of the addresses are in memory. (Reading from Linux
Magazine
November 2001, page 50, you have 0xef* for the stack on a big endian
system as
opposed to the 0xbf* on little endian. (linux-wise)).

FIX:

  hrmm.... well.

  + Locking memory for important stuff (passwords etc.). I've forgotten
the call to do that but it is possible. This will prevent swapping to
disk which might make it better.

  + Modifying the kernel so in its idle loop (or whatever) it wipes some
    (unused!) memory. Could lead to a race though...

  + A small program to continues malloc()/zero/free() stuff. A little like
the
      program above, but zeroing it instead. (You could always take the
      offensive stand by filling it with decoy data... that's left to the
      reader to implement. ;)

  + Make the network code zero out the packet before sending it. This
would slow it down though, and make it even more obvious that you are
running linux.

  + Filter out various icmp error messages, but as usual that breaks
    everything.

(1). Nmap http://www.insecure.org/nmap

(2). Snort http://www.snort.org
     snort -vd -i lo

(3) tcpdump -lnx
Lawrence Berkeley National Laboratory
Network Research Group
tcpdump@ee.lbl.gov
ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

(4) Make sure you visit Chapel of Stilled Voices
                       . . _ _ _ _ . . _ _ _ . .
 |_ _|_ _|_ _ . / / |\/| |_| _| | | ||\/| / | | ||_ | |
 | | | | |_|. / / | | | _|.|_ |_|| | / |_ |_| _| \/
             |
(5) Hey, there is no [5], so why are you reading this!?@!

</quote>

Thanks,

Ron DuFresne

On Mon, 21 Jan 2002, R P G wrote:

> I was wondering if anyone knows of a method to test a NAT system for
> address space leakage.
>
> Thanks.
>
> --Bob
>
>
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
> Service. For more information on SecurityFocus' SIA service which
> automatically alerts you to the latest security vulnerabilities please see:
> https://alerts.securityfocus.com/
>

-- 
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
        admin & senior security consultant:  sysinfo.com
                        http://sysinfo.com

"Cutting the space budget really restores my faith in humanity. It eliminates dreams, goals, and ideals and lets us get straight to the business of hate, debauchery, and self-annihilation." -- Johnny Hart

testing, only testing, and damn good at it too!

---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/



Relevant Pages

  • [UNIX] Linux Kernel binfmt_elf ELF Loader Privilege Escalation
    ... Get your security news from a reliable source. ... or in other words to execute a new program. ... One of the Linux format loaders is the ELF (Executable and Linkable ... of the memory map header in the binary image and the program ...
    (Securiteam)
  • [NEWS] Downgrading the Oracle Native Authentication
    ... Get your security news from a reliable source. ... Oracle native authentication protocols are typical challenge-response ... After some negotiation the client sends the username. ... calls it packet version ...
    (Securiteam)
  • [NT]Microsoft Windows WRITE_ANDX SMB Command Handling Kernel DoS
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Microsoft Windows Vista SP1 with latest security updates ... Invalid system memory was referenced. ... Srv.sys is the driver that will process the received SMB packet, ...
    (Securiteam)
  • Re: PCI newbie problems
    ... there is a manual on the Xilinx web site that I would look at first. ... How to decode a PCIexpress packet. ... As regards writing to memory using PCItree. ... These are typically control registers, ...
    (comp.arch.fpga)
  • [NEWS] Xbox 360 Hypervisor Privilege Escalation Vulnerability
    ... Get your security news from a reliable source. ... Xbox 360 Hypervisor Privilege Escalation Vulnerability ... access to memory and provides encryption and decryption services. ... to the syscall dispatcher, as illustrated below. ...
    (Securiteam)