ICMP Node Information Query Information Disclosure

2010-04-01T00:00:00
ID ICMP_NIQ.NASL
Type nessus
Reporter This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.
Modified 2010-04-01T00:00:00

Description

The remote host answers to an ICMPv6 Node Information Query and responds with its DNS name, the list of IPv4 addresses and the list of IPv6 addresses to which it is bound.

An attacker can use this information to understand how the network is architected, which may help them bypass filters.

                                        
                                            #TRUSTED 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
#
# (C) Tenable Network Security, Inc.
#


include("compat.inc");

# Plugin registration block: metadata the scanner reads when it loads the script.
if(description)
{
 script_id(45399);
 script_version("1.5");
 script_set_attribute(attribute:"plugin_modification_date", value:"2019/03/06"); 

 script_name(english:"ICMP Node Information Query Information Disclosure");
 script_summary(english:"Sends an ICMP_NIQ");

 script_set_attribute(attribute:"synopsis", value:
"The remote host is affected by an information disclosure
vulnerability." );
 script_set_attribute(attribute:"description", value:
"The remote host answers to an ICMPv6 Node Information Query and
responds with its DNS name, the list of IPv4 addresses and the list of
IPv6 addresses to which it is bound. 

An attacker can use this information to understand how the network is
architected, which may help him bypass filters.");
 # ICMPv6 type 139 is the Node Information Query sent below; 140 is the reply.
 script_set_attribute(attribute:"solution", value:
"Reconfigure the remote host so that it does not answer to these
requests.  Set up filters that deny ICMP packets of type 139." );
 script_set_attribute(attribute:"risk_factor", value:"None" );
 script_set_attribute(attribute:"plugin_publication_date", value: "2010/04/01");
 script_set_attribute(attribute:"plugin_type", value:"remote");
 script_end_attributes();

 # Information gathering only: the plugin sends queries, it does not attack.
 script_category(ACT_GATHER_INFO);
 script_copyright(english:"This script is Copyright (C) 2010-2019 Tenable Network Security, Inc.");
 script_family(english:"General");
 
 exit(0);
}


include('raw.inc');

# Node Information Queries are ICMPv6-only; nothing to do for an IPv4 target.
if (!TARGET_IS_IPV6)
{
 exit(0, "The target is not accessed via IPv6.");
}

# Build an ICMPv6 Node Information Query (type 139) addressed to the target.
#
# csum  : 16-bit ICMPv6 checksum to place in the header (0 while computing it)
# nonce : 8-byte nonce the responder is expected to echo back
# qtype : NI query type (see the DNS/IP6/IP4 constants below)
#
# Returns the raw ICMPv6 message, subject = the target's IPv6 address.
function mk_icmp_niq(csum, nonce, qtype)
{
 local_var hdr, body;

 # Common ICMPv6 header: type 139, code 0 (subject is an IPv6 address), checksum
 hdr = mkbyte(139) + mkbyte(0) + mkword(csum);
 # NI-specific part: qtype, flags, nonce, subject address.
 # 0x003e sets the G/S/L/C/A flags and leaves T clear in the RFC 4620 flag layout
 # (all address scopes requested; ignored for a Node Name query).
 body = mkword(qtype) + mkword(0x003e) + nonce + get_host_raw_ip();
 return hdr + body;
}

# Compute the ICMPv6 checksum of the message given as anonymous argument.
#
# The sum covers the IPv6 pseudo-header (source, destination, 32-bit
# upper-layer length, three zero bytes, next header = 58 for ICMPv6)
# followed by the ICMPv6 message itself.
function csum()
{
 local_var icmp, pseudo;

 icmp = _FCT_ANON_ARGS[0];
 # upper-layer length is 32 bits: two zero bytes then the 16-bit length
 pseudo = this_host_raw() + get_host_raw_ip() +
          '\0\0' + mkword(strlen(icmp)) +
          '\0\0\0' + mkbyte(58);
 return inet_sum(pseudo + icmp);
}

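# Send a Node Information Query of the given qtype (anonymous argument) and
# return the data section of the reply.
#
# Returns NULL when the responder answers with a non-zero code (refused or
# unknown qtype) or with an empty data section, and exits the script when no
# NI reply is received at all (three attempts).
#
# Fixes over the previous version: a short reply no longer survives the retry
# loop (it used to be indexed past its end after the third attempt), a reply
# is only accepted when it is at least a full 16-byte NI header and when it
# echoes our nonce, so a late reply to an earlier query cannot be mistaken for
# the answer to this one.
function icmp_niq()
{
 local_var i, rep;
 local_var pkt, ll, off;
 local_var nonce, icmp;
 local_var qtype;

 qtype = _FCT_ANON_ARGS[0];
 # 64-bit nonce; a genuine reply copies it back into its own header
 nonce = mkdword(rand()) + mkdword(rand());
 # Build with a zero checksum to compute it, then rebuild with the real one
 icmp = mk_icmp_niq(qtype:qtype, csum:0, nonce:nonce);
 icmp = mk_icmp_niq(qtype:qtype, csum:csum(icmp), nonce:nonce);
 pkt = mkpacket(ip6(ip6_nxt:0x3a), payload(icmp));

 ll = strlen(link_layer());
 off = ll + 40;   # ICMPv6 header follows the 40-byte IPv6 header
 for ( i = 0 ; i < 3 ; i ++ )
 {
  rep = inject_packet(packet:link_layer() + pkt, filter:"ip6 and icmp6 and src " + get_host_ip() + " and dst " + compat::this_host(), timeout:2);
  if ( isnull(rep) ) continue;
  # NI header: type(1) code(1) checksum(2) qtype(2) flags(2) nonce(8) = 16 bytes
  if ( strlen(rep) < off + 16 ) { rep = NULL; continue; }
  # 140 = Node Information Reply
  if ( ord(rep[off]) != 140 ) { rep = NULL; continue; }
  # Discard replies that do not carry our nonce
  if ( substr(rep, off + 8, off + 15) != nonce ) { rep = NULL; continue; }
  break;
 }
 if ( rep == NULL ) exit(0, "The remote host did not answer to ICMPv6 Node Information Queries.");
 # Code 0 = successful reply; 1 = responder refuses; 2 = unknown qtype
 if ( ord(rep[off + 1]) != 0 ) return NULL;
 # Nothing after the header: empty data section
 if ( strlen(rep) <= off + 16 ) return NULL;
 return substr(rep, off + 16, strlen(rep) - 1 );
}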

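# Render a 16-byte IPv6 address given as a 32-character hex string (the
# output of hexstr()) in RFC 5952 text form.
#
# Each 16-bit group loses its leading zeros, and only the longest run of at
# least two consecutive zero groups (the first one on a tie) is collapsed to
# "::".  The previous version collapsed every zero run, which produced
# invalid addresses with several "::" (e.g. "1::2::3") and shortened single
# zero groups, which RFC 5952 forbids.
function ip6_addr()
{
 local_var hex, groups, grp, i, n;
 local_var best_start, best_len, run_start, run_len;
 local_var ret;

 hex = _FCT_ANON_ARGS[0];

 # Split into 16-bit groups and strip leading zeros, keeping at least one digit
 groups = make_list();
 n = 0;
 for ( i = 0 ; i < strlen(hex) ; i += 4 )
 {
  grp = substr(hex, i, i + 3);
  while ( strlen(grp) > 1 && grp[0] == "0" ) grp = substr(grp, 1, strlen(grp) - 1);
  groups[n] = grp;
  n ++;
 }

 # Locate the longest run of zero groups (first one wins on a tie)
 best_start = -1;
 best_len = 0;
 run_start = -1;
 run_len = 0;
 for ( i = 0 ; i < n ; i ++ )
 {
  if ( groups[i] == "0" )
  {
   if ( run_len == 0 ) run_start = i;
   run_len ++;
   if ( run_len > best_len )
   {
    best_len = run_len;
    best_start = run_start;
   }
  }
  else run_len = 0;
 }
 # A lone zero group is written as "0", never as "::"
 if ( best_len < 2 ) best_start = -1;

 ret = "";
 i = 0;
 while ( i < n )
 {
  if ( i == best_start )
  {
   ret += "::";
   i += best_len;
   continue;
  }
  # Separator, unless the previous token was the "::" already ending in ':'
  if ( strlen(ret) > 0 && ret[strlen(ret) - 1] != ":" ) ret += ":";
  ret += groups[i];
  i ++;
 }
 return ret;
}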

# Render the 4 raw bytes given as anonymous argument in dotted-quad form.
# Only the first four bytes of the argument are looked at.
function ip4_addr()
{
 local_var raw, i, dotted;

 raw = _FCT_ANON_ARGS[0];
 dotted = "";
 for ( i = 0 ; i < 4 ; i ++ )
 {
  if ( i > 0 ) dotted = strcat(dotted, '.');
  dotted = strcat(dotted, ord(raw[i]));
 }
 return dotted;
}


# Node Information qtype values (RFC 4620 section 4):
# 2 = Node Name, 3 = Node IPv6 Addresses, 4 = Node IPv4 Addresses
DNS = 2;
IP6 = 3;
IP4 = 4;

# Raw packet injection needs a link-layer header for this interface
if ( isnull(link_layer()) )
{
 exit(0, "Can not use packet forgery over this interface.");
}

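# Node Name query. The reply data is a 4-byte TTL followed by the name in DNS
# wire format: length-prefixed labels terminated by a zero-length label.
#
# Fixes over the previous version: dns_name is always defined (the IPv4 block
# below reads it even when no reply came back), the "." separator is only
# added once the label is known to fit, so a truncated reply no longer leaves
# a trailing dot, and a label ending exactly at the end of the reply is kept.
dns_name = "";
rep = icmp_niq(DNS);
report = "";
if ( rep != NULL )
{
 pos = 4;   # skip the TTL
 name = "";
 while ( pos < strlen(rep) )
 {
  len = getbyte(blob:rep, pos:pos);
  pos ++;
  if ( len == 0 ) break;
  # A label must fit entirely in the reply; a truncated one ends the name
  if ( pos + len > strlen(rep) ) break;
  if ( strlen(name) ) name += ".";
  # Label bytes come from the remote host and are copied into the report as-is
  name += substr(rep, pos,  pos + len - 1);
  pos += len;
 }
 if ( strlen(name) ) report += '\n+ The DNS name of the remote host is :\n\n' + name + '\n';
 dns_name = name;
}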

# Node IPv6 Addresses query. The reply data is a sequence of records, each a
# 4-byte TTL followed by a 16-byte IPv6 address; stop at the first record that
# does not fit entirely in the reply.
rep = icmp_niq(IP6);
if ( rep != NULL )
{
 pos = 0;
 ip6 = "";
 while ( pos < strlen(rep) )
 {
  if ( pos + 4 >= strlen(rep) ) break;
  ttl = getdword(blob:rep, pos:pos);
  pos += 4;
  if ( pos + 16 > strlen(rep) ) break;
  addr = substr(rep, pos, pos + 15);
  pos += 16;
  # text form computed once, used for both the KB entry and the report
  txt = ip6_addr(hexstr(addr));
  set_kb_item(name:"Host/ICMP/NIQ/IP6Addrs", value:txt);
  ip6 += txt + " (TTL " + ttl + ')\n';
 }
 if ( strlen(ip6) ) report += '\n+ The remote host is bound to the following IPv6 addresses :\n\n' + ip6 + '\n';
}
# Node IPv4 Addresses query. The reply data is a sequence of records, each a
# 4-byte TTL followed by a 4-byte IPv4 address.
rep = icmp_niq(IP4);
if ( rep != NULL )
{
 pos = 0;
 ip4 = "";
 # Guard inherited from the original ("Mac OS X bug"): the reply is only parsed
 # when a DNS name was obtained and it does not appear in the reply -
 # presumably some responders answer this qtype with the node name instead of
 # addresses. As a consequence, no IPv4 addresses are reported when the Node
 # Name query returned nothing.
 if ( strlen(dns_name) && dns_name >!< rep )
 {
  while ( pos < strlen(rep) )
  {
   if ( pos + 4 >= strlen(rep) ) break;
   ttl = getdword(blob:rep, pos:pos);
   pos += 4;
   if ( pos + 4 > strlen(rep) ) break;
   # text form computed once, used for both the KB entry and the report
   txt = ip4_addr(substr(rep, pos, pos + 3));
   pos += 4;
   set_kb_item(name:"Host/ICMP/NIQ/IP4Addrs", value:txt);
   ip4 += txt + ' (TTL ' + ttl + ')\n';
  }
  if ( strlen(ip4) ) report += '\n+ The remote host is bound to the following IPv4 addresses :\n\n' + ip4 + '\n';
 }
}

# One informational finding with everything that was collected
if ( strlen(report) ) security_note(port:0, proto:'icmp', extra:report);