Date: Sun, 15 Oct 2000 13:37:21 +0200 (CEST)
From: volf@oasis.IAEhv.nl (Frank Volf)
To: Darren Reed <avalon@coombs.anu.edu.au>
Cc: freebsd-security@FreeBSD.ORG
Subject: Re: FreeBSD 4.x Bug with ICMP Error Messages (fwd)
Message-ID: <20001015113721.C0E201B@avalon.oasis.IAEhv.nl>
In-Reply-To: <200010142316.KAA05381@cairo.anu.edu.au> "from Darren Reed at Oct 15, 2000 10:16:09 am"

While I was working on IP Filter I came across the same problem.
I entered a PR and the problem was fixed within a week by Ruslan Ermilov.
The patch is in both CURRENT and 4-STABLE. I don't have the CVS rev. number
at hand, but cvs log in sys/netinet is your friend.

You may also have a look at PR 16240 and PR 20877.

Frank

Darren Reed wrote:
> Forwarded message:
> > From nmap-hackers-return-877-avalon=cheops.anu.edu.au@insecure.org Sun Oct 15 09:43 EST 2000
> > Mailing-List: contact nmap-hackers-help@insecure.org; run by ezmlm
> > Precedence: bulk
> > Delivered-To: mailing list nmap-hackers@insecure.org
> > Delivered-To: moderator for nmap-hackers@insecure.org
> > From: "Ofir Arkin" <ofir@itcon-ltd.com>
> > To: "Nmap-Hackers" <nmap-hackers@insecure.org>
> > Subject: FreeBSD 4.x Bug with ICMP Error Messages
> > Date: Sat, 14 Oct 2000 23:09:51 +0200
> > Message-ID: <GDEIJDIGIGIFHEIILCALCEIPCGAA.ofir@itcon-ltd.com>
> > MIME-Version: 1.0
> > Content-Transfer-Encoding: 7bit
> > X-Priority: 3 (Normal)
> > X-MSMail-Priority: Normal
> > X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
> > Importance: Normal
> > X-MimeOLE: Produced By Microsoft MimeOLE V5.00.2919.6700
> > Content-Type: text/plain;
> > 	charset="windows-1255"
> > Content-Length: 1594
> >
> > It is long known that FreeBSD uses a wrong IP Identification number
> > with its ICMP Error Messages. This fact was discovered by Fyodor
> > long ago.
> >
> > I wish to identify where the problem is.
> >
> > The next example is with FreeBSD 4.1:
> >
> > 00:52:19.055758 ppp0 > x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
> > (ttl 64, id 58965)
> > 4508 001c e655 0000 4011 3f63 xxxx xxxx
> > yyyy yyyy 0571 0000 0008 a55c
> >
> > 00:52:19.464548 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
> > unreachable Offending pkt: x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
> > (ttl 47, id 21990, bad cksum 5063!)
> > (ttl 238, id 27639)
> > 4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy
> > xxxx xxxx 0303 87f3 0000 0000 4508 001c
> > 55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy
> > 0571 0000 0008 0000
> >
> > A udp datagram sent to a closed udp port (port 0, can be any port).
> > The original udp datagram used e655 hex as its IP Identification
> > field value. The echoed IP Header inside the ICMP Error message
> > states that this value was 55e6 (with the offending datagram).
> >
> > FreeBSD 4.x simply flips between the first 8 bits to the second 8
> > bits.
> >
> > This info was sent to bugtraq,
> > and submitted to FreeBSD GNATS bug system.
> >
> >
> > Ofir Arkin [ofir@itcon-ltd.com]
> > Senior Security Analyst
> > Chief of Grey Hats
> > ITcon, Israel.
> > http://www.itcon-ltd.com
> >
> > Personal Web page: http://www.sys-security.com
> >
> > "Opinions expressed do not necessarily
> > represent the views of my employer."
> >
> >
> > --------------------------------------------------
> > For help using this (nmap-hackers) mailing list, send a blank email to
> > nmap-hackers-help@insecure.org . List run by ezmlm-idx (www.ezmlm.org).
> >
> >
> >
>
> To Unsubscribe: send mail to majordomo@FreeBSD.org
> with "unsubscribe freebsd-security" in the body of the message
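
The comparison described in the quoted report, as an added example that is not part of the original messages: it pulls the IP Identification field from the sent datagram and from the IP header echoed inside the ICMP error, then reports whether the two match, differ by a byte swap, or are unrelated. The packet bytes are those in the tcpdump output above, with the masked x.x.x.x / y.y.y.y addresses replaced by constructed documentation addresses; the function names are hypothetical.

```python
import struct

# Constructed stand-ins for the masked x.x.x.x / y.y.y.y addresses in the capture.
SRC, DST = "c0000201", "c6336401"   # 192.0.2.1, 198.51.100.1

# Packet bytes taken from the tcpdump output in the quoted message.
SENT = bytes.fromhex("4508001ce655000040113f63" + SRC + DST + "057100000008a55c")
ICMP_ERR = bytes.fromhex(
    "450000386bf70000ee010bbd" + DST + SRC      # outer IP header
    + "030387f300000000"                        # ICMP type 3, code 3
    + "4508001c55e600002f115063" + SRC + DST    # echoed IP header
    + "0571000000080000")                       # echoed UDP header

# ICMP types that quote the offending datagram's IP header.
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}

def ip_id(header: bytes) -> int:
    """Return the 16-bit Identification field (bytes 4-5) of an IPv4 header."""
    return struct.unpack_from("!H", header, 4)[0]

def quoted_header(packet: bytes) -> bytes:
    """Return the IPv4 header echoed inside an ICMP error message."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != 1:
        raise ValueError("not an ICMP packet")
    if packet[ihl] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    inner = packet[ihl + 8:]                    # skip the 8-byte ICMP header
    if len(inner) < 20:
        raise ValueError("echoed IP header is truncated")
    return inner[:(inner[0] & 0x0F) * 4]

def classify(sent: bytes, icmp_error: bytes) -> str:
    """Compare the sent IP ID with the one echoed in the ICMP error."""
    orig, echoed = ip_id(sent), ip_id(quoted_header(icmp_error))
    if echoed == orig:
        return "match"
    if echoed == ((orig & 0xFF) << 8 | orig >> 8):
        return "byte-swapped"
    return "mismatch"

if __name__ == "__main__":
    print(hex(ip_id(SENT)), hex(ip_id(quoted_header(ICMP_ERR))),
          classify(SENT, ICMP_ERR))
```
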