Windows TCP/IP stacks that are configured to disable IP forwarding
or IP source routing still allow specific source-routed datagrams
to be routed between interfaces. Effectively, the Windows TCP/IP
stack cannot be configured to prevent IP datagrams from passing
between networks if two network cards have been installed.
All versions of Windows NT (including Terminal Server Edition)
are vulnerable to the attacks described in this advisory, including
hosts that have installed Service Pack 5 and enabled the following
SP5-specific registry key to disable source routing:
Every IP stack is required to implement IP options, although they
may or may not appear in each IP datagram. Options are variable
in length, and generally contain a type, length and data associated
with the option. The option type is divided into three fields:
the copied flag, option class and the option number. The copied
flag indicates that this option is copied into all fragments on
fragmentation.
The source route option provides routing information for gateways
in the delivery of a datagram to its destination. There are two
variations: loose and strict routes. The loose source route (LSRR)
allows any number of intermediate gateways to reach the next
address in the route. The strict source route (SSRR) requires the
next address in the source route to be on a directly connected
network, otherwise the delivery of the datagram can not be
completed.
The source route options have a variable length, containing a
series of IP addresses and an offset pointer indicating the next
IP address to be processed. A source routed datagram completes
its delivery when the offset pointer points beyond the last field,
i.e. the pointer is greater than the length, and the address in
the destination address field has been reached. RFC 1122 states
that the option, as received, must be passed up to the transport
layer (or to ICMP message processing).
It is a common security measure to disable IP source routing. In
this situation, if a source routed packet attempts to use a
secure host as an intermediate router or to deliver its data to that
host's application layer, then the datagram should be dropped,
optionally delivering an ICMP unreachable - source route failed.
It is important to note that the datagram would be dropped at the
network layer prior to IP reassembly and before data is passed to
the application layer.
As with other operating systems (when configured to deny source
routed packets), if a source routed datagram attempts to use a
Windows host as an intermediate router, an ICMP source route
failed message is sent. This implies that the offset pointer
is not greater than the length and the destination IP address
has not been reached.
When a source routed datagram completes its delivery, the offset
pointer is greater than the length and the destination has been
reached.
If a specially crafted IP packet, with source route options, has
the offset pointer set greater than the length, Windows TCP/IP
stacks will accept the source routed datagram (rather than
dropping it), and pass the data to the application layer for
processing. The source route is reversed, delivering the reply
to this datagram to the first host in the reversed route. Since
the source route can be manipulated by an attacker, the first
host in the reversed source route can be set to a host on the
second network (accessible via the second interface, i.e. the
internal network).
As a result, it is possible to pass data through all Windows
stacks with two network interfaces.
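As an added illustration (not code from this advisory or from Network Associates), the following Python parses the LSRR/SSRR option out of a constructed IPv4 header and contrasts the pointer-only check described above, which accepts a datagram once the pointer exceeds the option length, with a policy that refuses any source-routed datagram while source routing is disabled. Packet bytes, TEST-NET addresses and all function names are constructed assumptions.

```python
import struct, ipaddress

LSRR, SSRR = 0x83, 0x89  # copied flag set, class 0, option numbers 3 and 9

def source_route_option(pointer, hops, kind=LSRR):
    """Encode an LSRR/SSRR option: type, length, pointer, then the address list."""
    body = b"".join(ipaddress.IPv4Address(h).packed for h in hops)
    return bytes([kind, 3 + len(body), pointer]) + body

def build_packet(options=b""):
    """Constructed IPv4 header (TEST-NET src/dst) carrying the given option bytes."""
    options += b"\x00" * (-len(options) % 4)          # pad to a 32-bit boundary
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(options), 0, 0, 64, 6, 0,
                      bytes([203, 0, 113, 5]), bytes([192, 0, 2, 10]))
    return hdr + options

def parse_source_route(packet):
    """Return (kind, length, pointer, addresses) for the first LSRR/SSRR option, else None."""
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or len(packet) < ihl:
        raise ValueError("truncated IPv4 header")
    opts, i = packet[20:ihl], 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                                 # End of Option List
            break
        if kind == 1:                                 # No Operation (one byte)
            i += 1
            continue
        length = opts[i + 1] if i + 1 < len(opts) else 0
        if length < 2 or i + length > len(opts):
            raise ValueError("bad option length")
        if kind in (LSRR, SSRR):
            if length < 3:
                raise ValueError("source route option too short")
            pointer = opts[i + 2]
            addrs = [str(ipaddress.IPv4Address(opts[i + 3 + j:i + 7 + j]))
                     for j in range(0, length - 3, 4)]
            return ("LSRR" if kind == LSRR else "SSRR", length, pointer, addrs)
        i += length
    return None

def flawed_accept(packet):
    """Pointer-only check: refuse only while in transit (pointer <= length)."""
    sr = parse_source_route(packet)
    return sr is None or sr[2] > sr[1]

def hardened_accept(packet):
    """With source routing disabled, refuse any datagram that carries LSRR/SSRR at all."""
    return parse_source_route(packet) is None
```

A datagram whose pointer is set beyond the option length passes `flawed_accept` even though it never traversed the listed hops, which is the case `hardened_accept` closes.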
In addition to tunneling data, there are two scenarios which
can allow an intruder to obtain information about the remote
network while obscuring their origin.
The first allows any Windows host to be used to identify
non-Windows hosts that have source routing enabled. A source
routed datagram is created with a false source address, containing
the true source address of the request and the address of a host
to be scanned in the option data. Delivering this datagram,
with the correct offset, to a Windows host results in the route
being reversed and routed to the scanned host. If this host
has source routing enabled the true source of the request
will then see a response returned.
Secondly, by utilizing the above source routing technique, and
masking their source address in the IP header, it is possible to
scan a Windows host for open ports using standard port scanning
techniques.
Discovery and documentation of this vulnerability was conducted
by Anthony Osborne <Anthony_Osborne@nai.com> at the security labs
of Network Associates.
The Security Labs at Network Associates hosts some of the most
important research in computer security today. With over 30
security advisories published in the last 2 years, the Network
Associates security auditing teams have been responsible for the
discovery of many of the Internet's most serious security flaws.
This advisory represents our ongoing commitment to provide
critical information to the security community.
For more information about the Security Labs at Network
Associates, see our website at http://www.nai.com or contact us
at <seclabs@nai.com>.