Breaching dual homed hosts?

From: Marcus Haebler (mcwimp_at_gmail.com)
Date: 02/28/05

Date: Mon, 28 Feb 2005 02:56:43 -0500
To: pen-test@securityfocus.com


    I am looking to traverse a dual-homed host with "IP Forwarding"
    DISABLED. Let's assume that the host implements the weak ES model
    as defined by RFC1122. I am not looking (at this stage) to exploit
    any applications on the dual-homed host itself but rather on hosts &
    applications behind it, via the dual-homed host.

    I am connected to the interface which has the default route. For
    clarity purposes I call the interface facing me the WAN
    interface. The other interface will be called the LAN interface.
    All interfaces are Ethernet.

    For starters I can send ICMP echo_reply packets out on the LAN interface
    (if I know the IP address space) by spoofing the source address in an
    ICMP echo request. All other ICMP req./reply based services will work
    the same way. Similarly I could send/generate TCP SYN|ACKs, RSTs, UDP
    app layer packets and ICMP port unreachables on the LAN by spoofing the
    source address. With the exclusion of the UDP app layer, this does not
    really do much except for being able to DoS hosts on the far end by
    flooding them with packets. The UDP app layer has some potential. If
    UDP echo is enabled I could use that to introduce a single-packet UDP
    exploit (a la Slammer) on the LAN side.

    If I am L2 connected to the system in some way, I can access
    services running on the LAN side by L2 addressing the local
    interface and L3 addressing the far side interface. This will fail
    for strong ES model implementations.

    What other attacks are possible in this case? The goal is to
    get to the LAN network. Should ICMP redirects do anything for
    me? Are there any papers on this topic?

    Since I realize that a lot of attacks depend heavily on the OS network
    stack implementation, the system I am looking at is a more or less stock
    Solaris 9 installation w/o X11 & NFS.

    Thanks,

    Marcus
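The difference between the weak and strong end-system models that the post hinges on is easy to state as a decision rule: under the weak ES model (RFC 1122 section 3.3.4.2) a host accepts any datagram addressed to any of its own IP addresses regardless of the interface it arrived on, while under the strong ES model it only accepts a datagram if the destination address is bound to the ingress interface. The following Python model, added here as an illustration and not part of the original post, shows how a dual-homed host with forwarding disabled classifies packets under each model, and applies the RFC 1122 section 3.2.2.2 validity checks a host should make before honouring an ICMP redirect. The interface names, addresses and packets are constructed for the example; on Solaris 9 the strong-model behaviour corresponds to the `ndd /dev/ip` tunable `ip_strict_dst_multihoming`, and redirects can be ignored via `ip_ignore_redirect`.

```python
"""Weak vs strong end-system model, modelled on a dual-homed host.

Constructed example: a host with a WAN interface (default route side)
and a LAN interface, with IP forwarding disabled.  Under the weak ES
model a packet arriving on the WAN interface but addressed to the LAN
interface's own IP is still delivered locally; under the strong ES
model (Solaris: ip_strict_dst_multihoming=1) it is dropped.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Interface:
    name: str      # constructed interface name
    address: str   # the host's own address on this interface
    network: str   # directly attached subnet


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the frame arrived on
    src: str
    dst: str


# Constructed dual-homed host (documentation address ranges).
HOST_IFACES = (
    Interface("wan0", "198.51.100.10", "198.51.100.0/24"),
    Interface("lan0", "10.0.0.1", "10.0.0.0/24"),
)
IP_FORWARDING = False  # the scenario in the post


def iface_by_name(name: str) -> Interface:
    return next(i for i in HOST_IFACES if i.name == name)


def local_addresses() -> set:
    return {i.address for i in HOST_IFACES}


def classify(pkt: Packet, strict_multihoming: bool) -> str:
    """Return what the host does with pkt: 'deliver', 'forward' or 'drop'."""
    if pkt.dst in local_addresses():
        # Strong ES: the destination must be the ingress interface's address.
        if strict_multihoming and pkt.dst != iface_by_name(pkt.ingress).address:
            return "drop"
        # Weak ES: any of the host's addresses is accepted on any interface.
        return "deliver"
    # Not addressed to us: only forwarded when IP forwarding is enabled.
    return "forward" if IP_FORWARDING else "drop"


def accept_redirect(redirect_src: str, ingress: str,
                    new_gateway: str, current_gateway: str) -> bool:
    """RFC 1122 3.2.2.2 checks before honouring an ICMP redirect.

    A redirect is discarded unless it comes from the current first-hop
    gateway for the destination, that gateway is on the ingress subnet,
    and the new gateway it proposes is on that same connected subnet.
    """
    net = ip_network(iface_by_name(ingress).network)
    return (redirect_src == current_gateway
            and ip_address(current_gateway) in net
            and ip_address(new_gateway) in net)


if __name__ == "__main__":
    # Packet from the WAN side addressed to the LAN interface's own IP.
    wan_to_lan_ip = Packet("wan0", "198.51.100.77", "10.0.0.1")
    for strict in (False, True):
        print(f"strict={strict}: {classify(wan_to_lan_ip, strict)}")
    # Packet for a host behind the dual-homed box: dropped, forwarding is off.
    print(classify(Packet("wan0", "198.51.100.77", "10.0.0.20"), False))
```

Running the block prints `deliver` for the weak model and `drop` for the strong model on the same WAN-ingress packet, which is exactly the case the post describes as failing "for strong ES model implementations"; the packet for a host on the far side is dropped in both models because forwarding is off. The `accept_redirect` check shows why a redirect arriving on the WAN side cannot legitimately install a route through the LAN subnet: the proposed gateway must lie on the subnet the redirect arrived from.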

