From owner-freebsd-security Sat Oct 14 16:16:18 2000
From: Darren Reed
Subject: FreeBSD 4.x Bug with ICMP Error Messages (fwd)
To: freebsd-security@freebsd.org
Date: Sun, 15 Oct 2000 10:16:09 +1100 (Australia/NSW)
Message-Id: <200010142316.KAA05381@cairo.anu.edu.au>

Forwarded message:
> From: "Ofir Arkin"
> To: "Nmap-Hackers"
> Subject: FreeBSD 4.x Bug with ICMP Error Messages
> Date: Sat, 14 Oct 2000 23:09:51 +0200
>
> It is long known that FreeBSD uses a wrong IP Identification number
> with its ICMP Error Messages. This fact was discovered by Fyodor
> long ago.
>
> I wish to identify where the problem is.
>
> The next example is with FreeBSD 4.1:
>
> 00:52:19.055758 ppp0 > x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
> (ttl 64, id 58965)
> 4508 001c e655 0000 4011 3f63 xxxx xxxx
> yyyy yyyy 0571 0000 0008 a55c
>
> 00:52:19.464548 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
> unreachable Offending pkt: x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
> (ttl 47, id 21990, bad cksum 5063!) (ttl 238, id 27639)
> 4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy
> xxxx xxxx 0303 87f3 0000 0000 4508 001c
> 55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy
> 0571 0000 0008 0000
>
> A udp datagram sent to a closed udp port (port 0, can be any port).
> The original udp datagram used e655 hex as its IP Identification
> field value. The echoed IP Header inside the ICMP Error message
> states that this value was 55e6 (with the offending datagram).
>
> FreeBSD 4.x simply flips between the first 8 bits to the second 8
> bits.
>
> This info was sent to bugtraq,
> and submitted to the FreeBSD GNATS bug system.
>
>
> Ofir Arkin [ofir@itcon-ltd.com]
> Senior Security Analyst
> Chief of Grey Hats
> ITcon, Israel.
> http://www.itcon-ltd.com
>
> Personal Web page: http://www.sys-security.com
>
> "Opinions expressed do not necessarily
> represent the views of my employer."
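The following Python script is an added example, not part of the forwarded post or of FreeBSD. It parses the two tcpdump hex dumps quoted above (the masked address words "xxxx"/"yyyy" are kept and treated as unknown), pulls the IP ID out of the datagram that was sent and out of the header echoed inside the ICMP error, and reports whether the two agree or differ by a byte swap. It also applies the RFC 1624 incremental checksum update for the TTL change (64 to 47) to the original header's checksum: if that reproduces the echoed checksum (5063), the echoed checksum was computed over the unswapped ID, which is why tcpdump flags it as bad. An administrator can run the same comparison over a capture from a patched host to confirm the echoed ID now matches.

```python
# Added example (not from the original post): check whether the IP ID quoted
# inside an ICMP error is byte-swapped relative to the datagram that was sent.

# Hex dumps copied from the forwarded message; address words are masked there
# ("xxxx"/"yyyy") and are parsed below as unknown (None).
ORIGINAL_UDP = """
4508 001c e655 0000 4011 3f63 xxxx xxxx
yyyy yyyy 0571 0000 0008 a55c
"""

ICMP_ERROR = """
4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy
xxxx xxxx 0303 87f3 0000 0000 4508 001c
55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy
0571 0000 0008 0000
"""


def parse_words(dump):
    """Turn a tcpdump -x style hex dump into a list of 16-bit words.
    Tokens that are not valid hex (masked addresses) become None."""
    words = []
    for tok in dump.split():
        try:
            words.append(int(tok, 16))
        except ValueError:
            words.append(None)
    return words


def ip_header_fields(words):
    """Decode the fixed IPv4 header fields that precede the addresses."""
    ihl = (words[0] >> 8) & 0x0F          # header length in 32-bit units
    return {
        "ihl_words": ihl * 2,             # same length in 16-bit words
        "total_len": words[1],
        "id": words[2],
        "ttl": words[4] >> 8,
        "proto": words[4] & 0xFF,
        "cksum": words[5],
    }


def swap16(w):
    """Exchange the two bytes of a 16-bit word (the bug the post describes)."""
    return ((w & 0xFF) << 8) | (w >> 8)


def incremental_cksum(old_cksum, old_word, new_word):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m'), one's complement."""
    s = (~old_cksum & 0xFFFF) + (~old_word & 0xFFFF) + new_word
    while s >> 16:                        # fold carries back in
        s = (s & 0xFFFF) + (s >> 16)
    return ~s & 0xFFFF


def quoted_header(icmp_words):
    """Return the IP header echoed inside an ICMP error: it follows the outer
    IP header (IHL words) and the 4-word ICMP header."""
    outer = ip_header_fields(icmp_words)
    return icmp_words[outer["ihl_words"] + 4:]


def analyse(original_dump, icmp_dump):
    """Compare the sent header with the one echoed in the ICMP error."""
    sent = ip_header_fields(parse_words(original_dump))
    echoed = ip_header_fields(quoted_header(parse_words(icmp_dump)))
    result = {
        "sent_id": sent["id"],
        "echoed_id": echoed["id"],
        "id_matches": sent["id"] == echoed["id"],
        "id_byte_swapped": echoed["id"] == swap16(sent["id"]),
        "echoed_cksum": echoed["cksum"],
    }
    # If the echoed checksum equals the sent checksum updated only for the
    # TTL decrement, it was computed over the original (unswapped) ID, so the
    # ID bytes were exchanged after the checksum had already been fixed up.
    old_ttl_proto = (sent["ttl"] << 8) | sent["proto"]
    new_ttl_proto = (echoed["ttl"] << 8) | echoed["proto"]
    expected = incremental_cksum(sent["cksum"], old_ttl_proto, new_ttl_proto)
    result["cksum_consistent_with_unswapped_id"] = expected == echoed["cksum"]
    return result


if __name__ == "__main__":
    for key, val in analyse(ORIGINAL_UDP, ICMP_ERROR).items():
        shown = f"{val:#06x}" if isinstance(val, int) and not isinstance(val, bool) else val
        print(f"{key}: {shown}")
```

On the dumps from the post the script reports sent_id 0xe655, echoed_id 0x55e6, id_byte_swapped True, and a checksum that is consistent with the unswapped ID, which is exactly the "bad cksum 5063!" that tcpdump complains about. Only the first six words of each header are decoded, so the masked addresses do not get in the way.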