L0pht Security Advisory

Release date: August 11, 1999
Vulnerable:   Microsoft Windows95a (w/winsock2), Windows95b, Windows98, Windows98se
              and Sun Microsystems SunOS & Solaris operating systems.
Severity:     Attackers can remotely add default route entries on the victim's host.
Status:       Microsoft contacted, fix provided.
Author:       sili@l0pht.com
URL:          http://www.L0pht.com/advisories.html
Source code:  http://www.l0pht.com/advisories/rdp.tar.gz
              code written by Silicosis & Mudge

I. Problem
----------

The ICMP Router Discovery Protocol (IRDP) comes enabled by default on DHCP clients that are running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000 machines. By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server.

While Windows2000 does indeed have IRDP enabled by default, it is less vulnerable, as it is impossible to give it a route that is preferred over the default route obtained via DHCP.

SunOS systems will also intentionally use IRDP under specific conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started if the following conditions are met:

  . The system is a host, not a router.
  . The system did not learn a default gateway from a DHCP server.
  . The system does not have any static routes.
  . The system does not have a valid /etc/defaultrouter file.

It should be noted that the important point of this advisory is not that ICMP Router Solicitation and Advertisement packets have no authentication properties. Yes, this is a problem, but it has long been known. The dangerous aspect comes in various MS platforms enabling this protocol and believing it _even when the DHCP setup specifies router information_ (i.e. the operating system does this even though you believe you are telling it NOT TO).
The tool provided with this advisory is the basis of what would be used for everything from web page hacks, stealing credentials, modifying or altering data, etc. involving vulnerable systems. We believe most cable modem DHCP clients and large internal organizations are at risk.

II. Risks
---------

The ICMP Router Discovery Protocol does not have any form of authentication, making it impossible for end hosts to tell whether or not the information they receive is valid. Because of this, attackers can perform a number of attacks:

Passive monitoring:
In a switched environment, an attacker can use this to re-route the outbound traffic of vulnerable systems through them. This will allow them to monitor or record one side of the conversation.

  * For this to work, an attacker must be on the same network as the victim.

Man in the Middle:
Taking the above attack to the next level, the attacker would also be able to modify any of the outgoing traffic or play man in the middle. By sitting in the middle, the attacker can act as a proxy between the victim and the end host. The victim, while thinking that they are connected directly to the end host, is actually connected to the attacker, who is connected to the end host and feeds the information through. If the connection is to a secure webserver that uses SSL, by sitting in the middle the attacker would be able to intercept the traffic, unencrypted. A good example of this risk is on-line banking; an attacker playing man-in-the-middle would be able to intercept all of the banking information that is relayed, without the victim's knowledge.

  * For this to work, an attacker must be on the same network as the victim.

Denial of Service:
Remote attackers can spoof these ICMP packets and remotely add bad default-route entries into a victim's routing table. Because the victim's system would be forwarding the frames to the wrong address, it will be unable to reach other networks.
Unfortunately, DHCP has quickly become popular and is relied upon in most companies. In some cases, such as cable & *DSL modems, users are required to use DHCP. Because of the large number of vulnerable systems, and the fact that this attack will penetrate firewalls that do not stop incoming ICMP packets, this Denial of Service attack can become quite severe.

It should be noted that the above attacks are documented in Section 7 of RFC 1256. However, the RFC states that the attacks are launched by an attacker on the same network as the victim. In the Denial of Service attack, this is not the case; an attacker can spoof IRDP packets and corrupt the routing tables on systems that are on remote networks.

While these attacks are not new, the fact that Windows95/98 DHCP clients have been vulnerable for years is. On systems running SunOS & Solaris, it is easy to find documentation on IRDP by looking at the startup scripts or manpages. On Windows95/98, however, information has only recently become available in the Knowledge Base.

III. Technical Details
----------------------

Upon startup, a system running MS Windows95/98 will always send 3 ICMP Router Solicitation packets to the 224.0.0.2 multicast address. If the machine is NOT configured as a DHCP client, it ignores any Router Advertisements sent back to the host. However, if the Windows machine is configured as a DHCP client, any Router Advertisements sent to the machine will be accepted and processed.

Once an Advertisement is received, Windows checks to see how many Gateway entries the packet contains. If the packet contains only 1 entry, it checks to make sure the IP source address of the Advertisement is inside the host's subnet. If it is, the Router Address entry inside the advertisement is checked to see that it is also within the host's subnet. If so, a new default route entry is added. If the address is outside the subnet, the advertisement is silently ignored.
If a host receives a Router Advertisement that contains 2 or more Router Addresses, the host will process the packet even though the IP source address is not local. If the host finds a Router Address inside the advertisement that is inside the host's subnet, it will add a default route entry for it. Because the host does not care about the IP source address of the Advertisement as long as it has more than one entry, attackers can now create bogus IRDP packets that will bypass anti-spoofing filters.

Before the host can add a new default route entry, it has to determine the route metric. On Windows95/98, normal default route entries obtained from a DHCP server have a metric of 1. In order to determine the metric for the default route entry obtained via IRDP, the Windows host subtracts the Advertisement's Preference value from 1000. By creating an ICMP Router Advertisement with a preference of 1000, the default gateway route added will have a metric of 0, making it the preferred default route. By adjusting the Lifetime value in the advertisement, an attacker can adjust how many seconds the gateways are valid for.

IV. Fixes / Work-arounds
------------------------

Firewall / Routers:
Block all ICMP Type 9 & Type 10 packets. This should protect against remote Denial of Service attacks.

Windows95/98:
The Microsoft Knowledge Base contains an article that gives info on how to disable IRDP. It can be found at:
http://support.microsoft.com/support/kb/articles/q216/1/41.asp

Brief summary of the article: IRDP can be disabled manually by adding the "PerformRouterDiscovery" value name and setting it to a DWORD value of 0 under the following registry key(s):

  HKLM\System\CurrentControlSet\Services\Class\NetTrans\####

where #### is the binding for TCP/IP. More than one TCP/IP binding may exist.

Solaris:
Configure your host to obtain a default gateway through DHCP, static routes, or via the /etc/defaultrouter file. For more information on IRDP refer to in.rdisc's man-page.

V. Detection
------------

L0pht has released an NFR Intrusion Detection Module to detect both Router Solicitations and Advertisements. You can find it at:
http://www.l0pht.com/NFR

NFR information can be found at http://www.nfr.net

VI. Source Code
---------------

L0pht is making available Proof-of-Concept code that will let individuals test their systems & firewalls. The source code can be found at:
http://www.l0pht.com/advisories/rdp.tar.gz

Usage is fairly straightforward:

  Usage: rdp -v -l -s -d -p -t -i -S -D -R -r
  -v verbose
  -l listen mode
  -s send mode
  -d -n -I -p -t -i -S -D -R -r

Misc software notes:

Listen Mode: Software listens for ICMP Router Solicitations. If the '-s' flag is specified as well, the software will answer the Solicitations with ICMP Router Advertisements.

Preference: If the preference is not specified, it will use a default of 1000, which will give the default route a metric of 0 on affected Windows systems.

2nd Router Addr: By using the '-r' flag and specifying a second router address entry, the packet can contain a bogus source address and still be processed for correct gateway entries by the end host.
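As an added example (not part of this advisory or of the rdp tool), the following Python parses an ICMP Router Advertisement (RFC 1256, type 9) and models the Windows95/98 acceptance rules and metric calculation from section III, including the single-entry versus multi-entry source check and the preference-of-1000 default noted in section VI, so a defender can see what a captured advertisement would do to a DHCP client. The build_router_advertisement helper, win9x_routes_added, and all addresses and preferences are assumptions used only to construct sample input.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERTISEMENT = 9   # ICMP type 9 (RFC 1256); Router Solicitations are type 10


def icmp_checksum(data: bytes) -> int:
    # RFC 1071 one's-complement sum over 16-bit words, zero-padded if the length is odd.
    total = sum(struct.unpack("!%dH" % ((len(data) + 1) // 2), data + b"\x00" * (len(data) % 2)))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_router_advertisement(entries, lifetime):
    """Encode a type-9 message from [(router_ip, preference), ...] (constructed sample input)."""
    hdr = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERTISEMENT, 0, 0, len(entries), 2, lifetime)
    body = b"".join(ipaddress.IPv4Address(ip).packed + struct.pack("!i", pref)
                    for ip, pref in entries)          # preference is signed 32-bit per RFC 1256
    return hdr[:2] + struct.pack("!H", icmp_checksum(hdr + body)) + hdr[4:] + body


def parse_router_advertisement(msg: bytes):
    """Return (lifetime, [(router_ip, preference), ...]); raise ValueError if malformed."""
    if len(msg) < 8 or msg[0] != ICMP_ROUTER_ADVERTISEMENT or msg[1] != 0:
        raise ValueError("not an ICMP Router Advertisement")
    if icmp_checksum(msg) != 0:
        raise ValueError("bad ICMP checksum")
    num, size, lifetime = struct.unpack("!BBH", msg[4:8])
    if size < 2 or len(msg) < 8 + num * size * 4:
        raise ValueError("truncated message or bad address entry size")
    entries = []
    for off in range(8, 8 + num * size * 4, size * 4):
        ip = str(ipaddress.IPv4Address(msg[off:off + 4]))
        entries.append((ip, struct.unpack("!i", msg[off + 4:off + 8])[0]))
    return lifetime, entries


def win9x_routes_added(src_ip, host_network, msg, dhcp_client=True):
    """Section III model: routes a Win95/98 client adds, as (router_ip, metric, lifetime, beats_dhcp)."""
    if not dhcp_client:                     # non-DHCP clients ignore advertisements
        return []
    net = ipaddress.IPv4Network(host_network, strict=False)
    lifetime, entries = parse_router_advertisement(msg)
    # One entry: honoured only from an on-subnet source. Two or more: the source is not checked.
    if len(entries) == 1 and ipaddress.IPv4Address(src_ip) not in net:
        return []
    routes = []
    for ip, pref in entries:
        if ipaddress.IPv4Address(ip) in net:
            metric = 1000 - pref            # Windows subtracts the preference from 1000
            routes.append((ip, metric, lifetime, metric < 1))   # DHCP default route has metric 1
    return routes
```

A two-entry advertisement from an off-subnet source with preference 1000 yields a metric-0 route that beats the DHCP default; the same single-entry advertisement from an off-subnet source is ignored, which is the distinction a detection rule on ICMP type 9 traffic should flag.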