The OpenNET Project
 


ICMP Router Discovery Advisory


Date: Wed, 11 Aug 1999 05:03:40 -0500
From: "Paul S. Cosis" <[email protected]>
To: [email protected]
Subject: ICMP Router Discovery Advisory

                          L0pht Security Advisory

           Release date: August 11, 1999
             Vulnerable: Microsoft Windows95a (w/winsock2), Windows95b,
                         Windows98, Windows98se and Sun Microsystems
                         SunOS & Solaris operating systems.
               Severity: Attackers can remotely add default route entries
                         on the victim's host.
                 Status: Microsoft contacted, fix provided.
                 Author: [email protected]
                    URL: http://www.L0pht.com/advisories.html
            Source code: http://www.l0pht.com/advisories/rdp.tar.gz
                         code written by Silicosis & Mudge


I. Problem
----------

  The ICMP Router Discovery Protocol (IRDP) is enabled by default on
DHCP clients running Microsoft Windows95 (w/winsock2), Windows95b,
Windows98, Windows98se, and Windows2000.  By spoofing IRDP Router
Advertisements, an attacker can remotely add default route entries on
such a system.  The default route entry added by the attacker will be
preferred over the default route obtained from the DHCP server.  While
Windows2000 also has IRDP enabled by default, it is less vulnerable, as
it is not possible to give it a route that is preferred over the default
route obtained via DHCP.

  SunOS and Solaris systems also use IRDP by design under specific
conditions. On Solaris 2.6, the IRDP daemon, in.rdisc, is started only
if all of the following conditions are met:

		. The system is a host, not a router.
		. The system did not learn a default gateway from a
		  DHCP server.
		. The system does not have any static routes.
		. The system does not have a valid /etc/defaultrouter
		  file.

II. Risks
---------

  The ICMP Router Discovery Protocol does not have any form of
authentication, making it impossible for end hosts to tell whether or not
the information they receive is valid.  Because of this, attackers
can perform a number of attacks:

   Passive monitoring:	In a switched environment, an attacker
			can use this to re-route the outbound traffic of
			vulnerable systems through their own host.  This
			allows them to monitor or record one side of the
			conversation.

			* For this to work, an attacker must be on the
			* same network as the victim.

    Man in the Middle:  Taking the above attack to the next level, the
			attacker would also be able to modify any of the
			outgoing traffic or play man in the middle.

			By sitting in the middle, the attacker can act as
			a proxy between the victim and the end host. The
			victim believes it is connected directly to the
			end host, but is actually connected to the
			attacker, who in turn connects to the end host
			and relays the traffic.  If the connection is to
			a secure webserver that uses SSL, the attacker in
			the middle can terminate the SSL session itself
			and see the traffic unencrypted, provided the
			victim accepts the attacker's certificate.

			A good example of this risk is on-line banking;
			an attacker playing man-in-the-middle would be able
			to intercept all of the banking information that
			is relayed, without the victim's knowledge.

			* For this to work, an attacker must be on the
			* same network as the victim.

    Denial of Service:	Remote attackers can spoof these ICMP packets and
			remotely add bad default-route entries to a
			victim's routing table.  Because the victim's
			system would then forward frames to the wrong
			address, it will be unable to reach other
			networks.

			Unfortunately, DHCP has quickly become popular and is
			relied upon in most companies. In some cases, such as
			cable & *DSL modems, users are required to use DHCP.

			Because of the large number of vulnerable systems,
			and the fact that this attack will penetrate firewalls
			that do not stop incoming ICMP packets, this Denial
			of Service attack can become quite severe.
			

  It should be noted that the above attacks are documented in Section 7
of RFC 1256.  However, the RFC assumes that the attacks are launched by
an attacker on the same network as the victim. In the Denial of Service
attack this is not the case; an attacker can spoof IRDP packets and
corrupt the routing tables of systems on remote networks.

  While these attacks are not new, the fact that Windows95/98 DHCP
clients have been vulnerable to them for years is.  On systems running
SunOS & Solaris, it is easy to find documentation on IRDP by looking at
the startup scripts or manpages.  On Windows95/98, however, this
information has only recently become available in the Microsoft
Knowledge Base.


III. Technical Details
----------------------

 Upon startup, a system running MS Windows95/98 will always send 3 ICMP
Router Solicitation packets to the 224.0.0.2 (all-routers) multicast
address.  If the machine is NOT configured as a DHCP client, it ignores
any Router Advertisements sent back to the host.

  However, if the Windows machine is configured as a DHCP client, any
Router Advertisement sent to the machine will be accepted and processed.
Once an Advertisement is received, Windows checks how many Router Address
entries the packet contains.  If the packet contains only 1 entry, it
checks that the IP source address of the Advertisement is inside the
host's subnet.  If it is, the Router Address entry inside the
advertisement is checked to see that it is also within the host's subnet.
If so, a new default route entry is added.  If either address is outside
the subnet, the advertisement is silently ignored.

  If a host receives a Router Advertisement that contains 2 or more Router
Addresses, the host will process the packet even though the IP source
address is not local.  If the host finds a Router Address inside the
advertisement that is inside the host's subnet, it will add a default
route entry for it.

  Because the host does not check the IP source address of the
Advertisement as long as it has more than one entry, attackers can
create bogus IRDP packets that will bypass anti-spoofing filters.

 Before the host can add a new default route entry, it has to determine
the route metric.  On Windows95/98, normal default route entries obtained
from a DHCP server have a metric of 1.  In order to determine the metric
for the default route entry obtained via IRDP, the Windows host subtracts
the Advertisement's Preference value from 1000.  By creating an ICMP
Router Advertisement with a preference of 1000, the default gateway route
added will have a metric of 0, making it the preferred default route.

 By adjusting the Lifetime value in the advertisement, an attacker can
adjust how many seconds the gateways are valid for.
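The packet layout and the acceptance logic described in this section, as an added example that is not part of the original advisory or of the rdp tool. It encodes and decodes RFC 1256 Router Advertisements (ICMP type 9, with the lifetime and per-router preference fields), models the Windows95/98 DHCP-client decision described above (a single-entry advertisement needs an on-subnet source, a multi-entry one does not), and computes the resulting route metric as 1000 minus the preference. The irdp_alerts function is an assumed sketch of what a detector has to look at and is not L0pht's NFR module; the host subnet, the addresses and all function names are assumptions made for the example.

```python
import ipaddress
import struct

ICMP_ROUTER_ADVERT = 9    # RFC 1256 Router Advertisement
ICMP_ROUTER_SOLICIT = 10  # RFC 1256 Router Solicitation
WIN9X_DHCP_METRIC = 1     # metric of the DHCP-learned default route on Windows95/98 (section III)


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum; 0 when a message's checksum field is valid."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_router_advertisement(routers, lifetime=1800) -> bytes:
    """Encode a Router Advertisement from [(router_address, preference), ...]:
    type 9, code 0, checksum, num addrs, addr entry size (2 words), lifetime in
    seconds, then (address, signed 32-bit preference) pairs (RFC 1256)."""
    body = b"".join(ipaddress.IPv4Address(a).packed + struct.pack("!i", p) for a, p in routers)
    header = struct.pack("!BBHBBH", ICMP_ROUTER_ADVERT, 0, 0, len(routers), 2, lifetime)
    csum = icmp_checksum(header + body)
    return header[:2] + struct.pack("!H", csum) + header[4:] + body


def parse_router_advertisement(msg: bytes):
    """Decode a type 9 message into (lifetime, [(IPv4Address, preference), ...]);
    None for anything malformed, truncated or not a Router Advertisement."""
    if len(msg) < 8:
        return None
    typ, code, _csum, num, size, lifetime = struct.unpack("!BBHBBH", msg[:8])
    if typ != ICMP_ROUTER_ADVERT or code != 0 or size < 2 or icmp_checksum(msg) != 0:
        return None
    entries, off = [], 8
    for _ in range(num):
        if off + size * 4 > len(msg):
            return None
        addr = ipaddress.IPv4Address(msg[off:off + 4])
        (pref,) = struct.unpack("!i", msg[off + 4:off + 8])
        entries.append((addr, pref))
        off += size * 4  # tolerate senders that use a larger entry size
    return lifetime, entries


def win9x_metric(preference: int) -> int:
    """Metric Windows95/98 gives an IRDP-learned default route: 1000 minus the preference."""
    return 1000 - preference


def win9x_routes_added(ip_src: str, msg: bytes, host_net: str):
    """Model of the Windows95/98 DHCP-client logic in section III: returns the
    (gateway, metric) default routes the host would add.  With one router entry
    the IP source must be on the host's subnet; with two or more entries the
    source is not checked, so a spoofed off-subnet source is still accepted."""
    parsed = parse_router_advertisement(msg)
    if parsed is None:
        return []
    net = ipaddress.IPv4Network(host_net, strict=False)
    _lifetime, entries = parsed
    if len(entries) == 1 and ipaddress.IPv4Address(ip_src) not in net:
        return []
    return [(str(addr), win9x_metric(pref)) for addr, pref in entries if addr in net]


def irdp_alerts(ip_src: str, msg: bytes, host_net: str):
    """Detection-style triage of one ICMP message (an assumed helper, not L0pht's
    NFR module): flags solicitations, advertisements from off-subnet sources, and
    gateways that would outrank the DHCP default route on a Windows95/98 client."""
    if msg and msg[0] == ICMP_ROUTER_SOLICIT:
        return ["router solicitation from %s" % ip_src]
    parsed = parse_router_advertisement(msg)
    if parsed is None:
        return []
    net = ipaddress.IPv4Network(host_net, strict=False)
    alerts = []
    if ipaddress.IPv4Address(ip_src) not in net:
        alerts.append("router advertisement from off-subnet source %s" % ip_src)
    for addr, pref in parsed[1]:
        if addr in net and win9x_metric(pref) < WIN9X_DHCP_METRIC:
            alerts.append("gateway %s would outrank the DHCP default route (metric %d)"
                          % (addr, win9x_metric(pref)))
    return alerts


if __name__ == "__main__":
    # Constructed sample: victim on 192.168.1.0/24, attacker's host at 192.168.1.200,
    # advertisement spoofed from 203.0.113.5 with an off-subnet filler as second entry.
    NET, SRC = "192.168.1.0/24", "203.0.113.5"
    spoofed = build_router_advertisement([("192.168.1.200", 1000), ("198.51.100.1", 0)], lifetime=3600)
    print(win9x_routes_added(SRC, spoofed, NET))  # [('192.168.1.200', 0)]
    print(win9x_routes_added(SRC, build_router_advertisement([("192.168.1.200", 1000)]), NET))  # []
    for line in irdp_alerts(SRC, spoofed, NET):
        print("ALERT:", line)
```

The two-entry case is the one that matters for the remote attack: the second, off-subnet router address is only there to raise the entry count, and the advertised on-subnet gateway with preference 1000 lands with metric 0, below the DHCP route's metric of 1.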


IV. Fixes / Work-arounds
------------------------

 Firewall / Routers:
  	Block all ICMP Type 9 (Router Advertisement) & Type 10 (Router
	Solicitation) packets at the perimeter.  This should protect
	against remote Denial of Service attacks; it does not stop an
	attacker on the same network segment as the victim.

 Windows95/98:
	
	The Microsoft Knowledge Base contains an article that gives info
	on how to disable IRDP. It can be found at:

	http://support.microsoft.com/support/kb/articles/q216/1/41.asp
	
	Brief Summary of article:

	  IRDP can be disabled manually by adding "PerformRouterDiscovery"
	  value name and setting it to a dword value of 0, under the
	  following registry key(s):

              HKLM\System\CurrentControlSet\Services\Class\NetTrans\####

          Where #### is the binding for TCP/IP. More than one TCP/IP
	  binding may exist.

 Solaris:
	
	Configure your host to obtain a default gateway through DHCP,
	static routes, or via the /etc/defaultrouter file. For more
	information on IRDP refer to in.rdisc's man-page.


V. Detection
-------------

  L0pht has released an NFR Intrusion Detection Module to detect both
  Router Solicitations and Advertisements. You can find it at:
	http://www.l0pht.com/NFR

  NFR information can be found at http://www.nfr.net


VI. Source Code
---------------

 L0pht is making available Proof-of-Concept code that will let individuals
test their systems & firewalls.

The source code can be found at: http://www.l0pht.com/advisories/rdp.tar.gz

Usage is fairly straightforward:

Usage: rdp -v -l -s -d <delay> -p <pref> -t <lifetime> -i <dev>
           -S <src> -D <dst> -R <rtr> -r <optional 2nd rtr>

        -v verbose
        -l listen mode
        -s send mode
        -d <delay time between sending packets>
        -n <number of rdp packets to send>
        -I <ID value to place in IP packet>
        -p <preference level>
        -t <lifetime>
        -i <interface to use for sniffing>
        -S <source address to put in outgoing rdp packet>
        -D <destination address to put in outgoing rdp packet>
        -R <router address to advertise in rdp packet>
        -r <optional 2nd router address to advertise in rdp packet>


Misc software notes:

Listen Mode: 	Software listens for ICMP Router Solicitations.  If the
		'-s' flag is specified as well, the software will answer
		the Solicitations with ICMP Router Advertisements.

 Preference:	If the preference is not specified, it will use a default
		of 1000, which will give the default route a metric of 0
		on affected Windows systems.

2nd Router Addr: By using the '-r' flag and specifying a second router address
		entry, the packet can contain a bogus source address and still
		be processed for correct gateway entries by the end host.



