Date: Fri, 25 Jan 2002 19:47:36 +0000
From: Ofir Arkin <ofir@stake.com.>
To: [email protected]Subject: Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft Windows Based OSsSubject: Identifying PGP Corporate Desktop 7.1 with PGPfire Personal
Desktop Firewall Installed (no need to be enabled) on Microsoft Windows
Based OSs
Author: Ofir Arkin ([email protected])
Network Associates PGP Corporate Desktop version 7.1 alters the TCP/IP
stack of the MS operating system it is installing its PGPfire Personal
Desktop Firewall product on.
This alternation occurs even if PGPfire is not being enabled.
The type of alternation we have absorbed is with an ICMP Port
Unreachable Error Messages received from a Microsoft Windows machine
using the program.
The following tcpdump trace was produced with Xprobe against a Microsoft
Windows 2000 SP2 with the PRE-SP3 patches installed, based machine:
[root@mavrick root]# tcpdump -xnvv
tcpdump: listening on eth0
17:34:11.113066 192.168.1.100.64257 > 192.168.1.5.32132: udp 70 (DF)
(ttl 250, id 28832, len 98)
4500 0062 70a0 4000 fa11 8c30 c0a8 0164
c0a8 0105 fb01 7d84 004e 0312 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000
17:34:11.113066 192.168.1.5 > 192.168.1.100: icmp:
192.168.1.5 udp port 32132 unreachable for 192.168.1.100.64257 >
192.168.1.5.32132: udp 70 (ttl 250, id 28832, len 98) (ttl 128, id
11150, len 56)
4500 0038 2b8e 0000 8001 8b7d c0a8 0105
c0a8 0164 0303 8116 0000 0000 4500 0062
70a0 0000 fa11 cc30 c0a8 0164 c0a8 0105
fb01 7d84 004e 0312
If you look at the ICMP Error message, look at the part, which it starts
to echo the original message:
4500, 0062, 70a0 AND THAN 0000!
This behavior is also common with ULTIX based machines. But it is very
easy to differentiate the ULTRIX based machines from the traces produced
against machines using Network Associates PGP Corporate Desktop 7.1 with
PGPfire Personal Desktop Firewall installed (no need to be enabled). If
we will examine the echoed UDP Header, for example, with the ULTRIX
based machines this echoed field value will be zero, while with the
machines running Microsoft Windows operating systems with Network
Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop
Firewall installed this field will be echoed correctly.
Tested against machines running PGPfire Installed on:
-Microsoft Windows 2000 Platforms (No-SP, SP1, SP2, Pre-SP3 Patches)
-Microsoft Windows Millennium
Dangers:
Ability to pinpoint Microsoft Windows Operating Systems using Network
Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop
Firewall installed (no need to be enabled), since this type of echoing
error integrity is almost unique.
If the firewall is not being used, or if it is running in a not secure
mode an attacker might use this information to maliciously attack a
victim's machine.
Vendor Response: Since this is an "Information Leakage" problem no patch
will be released for version 7.1. This is already fixed on the upcoming
PGP Corporate Desktop software version 7.5.
Remedies: Just enable one of the PGPfire security policies of your
choice, and check it does not allow ANY ICMP Error messages from your
protected machine to the outside world.
--
Ofir Arkin
Managing Security Architect
@stake, Limited.
http://www.atstake.com
email:
[email protected]
