From: ers@ers.ibm.com
Sent: Tuesday, September 21, 1999 4:42 AM
To: client-firstusa@ers.ibm.com
Subject: IBM-ERS Outside Advisory Redistribution: Network Associates, Inc. Security Advisory: Windows IP Source Routing Vulnerability

---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

EMERGENCY RESPONSE SERVICE
OUTSIDE ADVISORY REDISTRIBUTION

21 September 1999 08:30 GMT
Number: ERS-OAR-E01-1999:145.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers of the IBM Emergency Response Service with access to the security advisories sent out by other computer security incident response teams, vendors, and other groups concerned about security. IBM makes no representations and assumes no responsibility for the contents or accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from Network Associates, Inc. Contact information for Network Associates, Inc. is included in the forwarded text below; please contact them if you have any questions or need further information.

===============================================================================
********************** FORWARDED INFORMATION STARTS HERE **********************

======================================================================
Network Associates, Inc.
SECURITY ADVISORY
September 20, 1999

Windows IP Source Routing Vulnerability
BUGTRAQ ID: 646
======================================================================

SYNOPSIS

Windows TCP/IP stacks configured to disable IP forwarding or IP source routing still allow specific source routed datagrams to route between interfaces. Effectively, the Windows TCP/IP stack cannot be configured to stop IP datagrams passing between networks if two network cards have been installed.

======================================================================

VULNERABLE HOSTS

All versions of Windows NT (including Terminal Server Edition) are vulnerable to the attacks within this advisory, including hosts that have installed Service Pack 5 and enabled the following SP5-specific registry key to disable source routing:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DisableIPSourceRouting

All versions of Windows 95 and Windows 98 are vulnerable.

======================================================================

TECHNICAL DETAILS

Every IP stack is required to implement IP options, although they may or may not appear in each IP datagram. Options are variable in length, and generally contain a type, a length and the data associated with the option. The option type is divided into three fields: the copied flag, the option class and the option number. The copied flag indicates that this option is copied into all fragments on fragmentation.

The source route option provides routing information for gateways in the delivery of a datagram to its destination. There are two variations, loose and strict source routes. The loose source route (LSRR) allows any number of intermediate gateways to reach the next address in the route. The strict source route (SSRR) requires the next address in the source route to be on a directly connected network; otherwise the delivery of the datagram cannot be completed.
The source route options have a variable length, containing a series of IP addresses and an offset pointer indicating the next IP address to be processed. A source routed datagram completes its delivery when the offset pointer points beyond the last field, i.e. the pointer is greater than the length, and the address in the destination address field has been reached. RFC 1122 states that the option as received must be passed up to the transport layer (or to ICMP message processing).

It is a common security measure to disable IP source routing. In this situation, if a source routed packet attempts to use a secure host as an intermediate router or to deliver its data to that host's application layer, then the datagram should be dropped, optionally delivering an ICMP unreachable (source route failed). It is important to note that the datagram would be dropped at the network layer prior to IP reassembly and before data is passed to the application layer.

As with other operating systems (when configured to deny source routed packets), if a source routed datagram attempts to use a Windows host as an intermediate router, an ICMP source route failed message is sent. This implies that the offset pointer is not greater than the length and the destination IP address has not been reached. When a source routed datagram completes its delivery, the offset pointer is greater than the length and the destination has been reached.

If a specially crafted IP packet, with source route options, has the offset pointer set greater than the length, Windows TCP/IP stacks will accept the source routed datagram (rather than dropping it), and pass the data to the application layer for processing. The source route is reversed, delivering the reply to this datagram to the first host in the reversed route. Since the source route can be manipulated by an attacker, the first host in the reversed source route can be set to a host on the second network (accessible via the second interface, i.e. the internal network).
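As an added illustration (not part of the advisory or of Microsoft's hotfix), the check a stack or packet filter with source routing disabled must apply: walk the IPv4 option list, recognise the LSRR (type 131) and SSRR (type 137) options, and drop the datagram whether the pointer still lies within the route or has already been set beyond the option length, which is the crafted case described above. The header builder, the packets and the addresses are constructed for the example.

```python
import struct
from ipaddress import IPv4Address

# RFC 791 option type byte = copied flag (bit 7) | class (bits 5-6) | number (bits 0-4)
OPT_EOL, OPT_NOP = 0, 1
SOURCE_ROUTE_TYPES = {0x83: "LSRR", 0x89: "SSRR"}  # 131 loose, 137 strict

def build_source_route_option(route, pointer, strict=False):
    # Constructed option: type, length, pointer (offset from option start, minimum 4), addresses
    addrs = b"".join(IPv4Address(a).packed for a in route)
    return bytes([0x89 if strict else 0x83, 3 + len(addrs), pointer]) + addrs

def build_ipv4(src, dst, options=b""):
    # Constructed IPv4 header (checksum left zero); options padded with EOL to a 32-bit boundary
    options += b"\x00" * (-len(options) % 4)
    ihl = 5 + len(options) // 4
    fixed = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                        IPv4Address(src).packed, IPv4Address(dst).packed)
    return fixed + options

def parse_ipv4_options(packet):
    # Yield (type, length, data) for each option carried in the IPv4 header
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("bad IHL")
    opts, i = packet[20:ihl], 0
    while i < len(opts) and opts[i] != OPT_EOL:
        if opts[i] == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("truncated or malformed option")
        length = opts[i + 1]
        yield opts[i], length, opts[i + 2:i + length]
        i += length

def classify_source_route(packet):
    # Verdict a stack with source routing disabled must reach: drop any LSRR/SSRR datagram, whether
    # the route is in progress (pointer <= length) or marked complete (pointer > length, the crafted case)
    for t, length, data in parse_ipv4_options(packet):
        name = SOURCE_ROUTE_TYPES.get(t)
        if name is None:
            continue
        if length < 3 or (length - 3) % 4 or data[0] < 4:
            return "drop", f"{name} malformed option (length={length})"
        pointer = data[0]
        route = [str(IPv4Address(data[k:k + 4])) for k in range(1, length - 2, 4)]
        state = "complete" if pointer > length else "in-progress"
        return "drop", f"{name} {state} pointer={pointer} length={length} route={route}"
    return "accept", "no source route option"
```

A filter that only rejects the in-progress state (pointer within the route) reproduces the behaviour the advisory describes; both states must be dropped.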
As a result, it is possible to pass data through all Windows stacks with two network interfaces.

In addition to tunneling data, there are two scenarios which can allow an intruder to obtain information about the remote network while obscuring their origin. The first allows any Windows host to be used to identify non-Windows hosts that have source routing enabled. A source routed datagram is created with a false source address, containing the true source address of the request and the address of a host to be scanned in the option data. Delivering this datagram, with the correct offset, to a Windows host results in the route being reversed and the datagram being routed to the scanned host. If this host has source routing enabled, the true source of the request will then see a response returned. Secondly, by utilizing the above source routing technique, and masking their source address in the IP header, it is possible to scan a Windows host for open ports using standard port scanning techniques.

======================================================================

RESOLUTION

Microsoft has issued a hotfix for this vulnerability, which can be obtained at the following address:

ftp://ftp.microsoft.com
/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/Spoof-fix

Please note that the above URL has been separated for formatting purposes.

A fix for Windows 95 and Windows 98 based systems is in production and will follow.

======================================================================

CREDITS

Discovery and documentation of this vulnerability was conducted by Anthony Osborne at the security labs of Network Associates.

======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most important research in computer security today.
With over 30 security advisories published in the last 2 years, the Network Associates security auditing teams have been responsible for the discovery of many of the Internet's most serious security flaws. This advisory represents our ongoing commitment to provide critical information to the security community. For more information about the Security Labs at Network Associates, see our website at http://www.nai.com or contact us at .

======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY
*********************** FORWARDED INFORMATION ENDS HERE ***********************
===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based Internet security response service that includes computer security incident response and management, regular electronic verification of your Internet gateway(s), and security vulnerability alerts similar to this one that are tailored to your specific computing environment. By acting as an extension of your own internal security staff, IBM-ERS's team of Internet security experts helps you quickly detect and respond to attacks and exposures across your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet Emergency Response Service is a component of IBM's SecureWay(tm) line of security products and services. From hardware to software to consulting, SecureWay solutions can give you the assurance and expertise you need to protect your valuable business resources.

To find out more about the IBM Internet Emergency Response Service, send an electronic mail message to ers-sales@ers.ibm.com, or call 1-800-599-9950.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/. Visit the site for information about the service, copies of security alerts, team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for security vulnerability alerts and other distributed information.
The IBM-ERS PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.

"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams (FIRST), a global organization established to foster cooperation and response coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of the IBM Emergency Response Service. Neither International Business Machines Corporation, nor any of its employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process contained herein, or represents that its use would not infringe any privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by IBM or its subsidiaries. The views and opinions of authors expressed herein do not necessarily state or reflect those of IBM or its subsidiaries, and may not be used for advertising or product endorsement purposes.

---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---