Identifying PGP Corporate Desktop 7.1 with PGPfire Personal Desktop Firewall Installed (no need to be enabled) on Microsoft Windows Based OSs

From: Ofir Arkin (ofirat_private)
Date: Fri Jan 25 2002 - 11:47:36 PST


    Subject: Identifying PGP Corporate Desktop 7.1 with PGPfire Personal 
    Desktop Firewall Installed (no need to be enabled) on Microsoft Windows 
    Based OSs
    
    Author: Ofir Arkin (ofirat_private)
    
    
    Network Associates PGP Corporate Desktop version 7.1 alters the TCP/IP 
    stack behaviour of the Microsoft operating system on which it installs 
    its PGPfire Personal Desktop Firewall component.
    
    This alteration occurs even if PGPfire is not enabled.
    
    The alteration we have observed affects the ICMP Port Unreachable error 
    messages sent by a Microsoft Windows machine running the program.
    
    The following tcpdump trace was produced with Xprobe against a machine 
    running Microsoft Windows 2000 SP2 with the pre-SP3 patches installed:
    
    
    [root@mavrick root]# tcpdump -xnvv
    tcpdump: listening on eth0
    17:34:11.113066 192.168.1.100.64257 > 192.168.1.5.32132:  udp 70 (DF)
    (ttl 250, id 28832, len 98)
                              4500 0062 70a0 4000 fa11 8c30 c0a8 0164
                              c0a8 0105 fb01 7d84 004e 0312 0000 0000
                              0000 0000 0000 0000 0000 0000 0000 0000
                              0000 0000 0000 0000 0000 0000 0000 0000
                              0000 0000 0000 0000 0000 0000 0000 0000
                              0000
    17:34:11.113066 192.168.1.5 > 192.168.1.100: icmp:
    192.168.1.5 udp port 32132 unreachable for 192.168.1.100.64257 > 
    192.168.1.5.32132:  udp 70 (ttl 250, id 28832, len 98) (ttl 128, id
    11150, len 56)
                              4500 0038 2b8e 0000 8001 8b7d c0a8 0105
                              c0a8 0164 0303 8116 0000 0000 4500 0062
                              70a0 0000 fa11 cc30 c0a8 0164 c0a8 0105
                              fb01 7d84 004e 0312
    
    
    In the ICMP error message, look at the part where it starts to echo the 
    original datagram:
    
    4500, 0062, 70a0 AND THEN 0000!
    
    The original IP header carried 4000 in the flags and fragment offset 
    field (the DF bit); the echoed copy has that field zeroed, and the 
    echoed IP header checksum is recomputed to match (8c30 becomes cc30).
    
    This behaviour is also seen on ULTRIX based machines, but the ULTRIX 
    traces are very easy to tell apart from those produced against machines 
    running Network Associates PGP Corporate Desktop 7.1 with PGPfire 
    Personal Desktop Firewall installed (no need to be enabled). If we 
    examine the echoed UDP header, for example, on ULTRIX based machines 
    the echoed field value will be zero, while on machines running 
    Microsoft Windows with Network Associates PGP Corporate Desktop 7.1 and 
    the PGPfire Personal Desktop Firewall installed this field is echoed 
    correctly.
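    The following script is an added example (not part of the original 
    post or of Xprobe) that checks the echo integrity described above 
    directly from a capture: it decodes the probe and the ICMP Port 
    Unreachable reply, verifies the ICMP and IP checksums, and reports 
    which IP header fields the host altered when echoing the offending 
    datagram and whether the UDP header came back intact. The hex dumps 
    embedded in it are copied from the tcpdump trace in this post (the 
    probe is truncated to its first 32 bytes; the remainder is zero 
    padding). The function and variable names are this example's own.

```python
import struct

# Hex dumps taken from the tcpdump trace in the post: the Xprobe UDP probe
# (first 32 of its 98 bytes; the rest is zero padding) and the ICMP Port
# Unreachable reply sent by the Windows 2000 host with PGPfire installed.
PROBE_HEX = """
4500 0062 70a0 4000 fa11 8c30 c0a8 0164
c0a8 0105 fb01 7d84 004e 0312 0000 0000
"""
REPLY_HEX = """
4500 0038 2b8e 0000 8001 8b7d c0a8 0105
c0a8 0164 0303 8116 0000 0000 4500 0062
70a0 0000 fa11 cc30 c0a8 0164 c0a8 0105
fb01 7d84 004e 0312
"""


def hexdump_to_bytes(dump):
    """Turn a tcpdump -x style hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def inet_checksum(data):
    """RFC 1071 ones-complement checksum; 0 means a stored checksum verifies."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def parse_ip_header(pkt):
    """Decode the fixed 20-byte IPv4 header into a dict of named fields."""
    vi, tos, tlen, ident, ff, ttl, proto, csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:20])
    return {
        "version": vi >> 4, "ihl": vi & 0x0F, "tos": tos, "total_len": tlen,
        "id": ident, "flags_frag": ff, "ttl": ttl, "proto": proto,
        "checksum": csum,
        "src": ".".join(str(b) for b in src),
        "dst": ".".join(str(b) for b in dst),
    }


def quoted_datagram(icmp_pkt):
    """Return (type, code, echoed original datagram) from an IP/ICMP error packet."""
    ihl = (icmp_pkt[0] & 0x0F) * 4
    icmp = icmp_pkt[ihl:]
    itype, icode, _ = struct.unpack("!BBH", icmp[:4])
    if inet_checksum(icmp) != 0:
        raise ValueError("ICMP checksum does not verify")
    return itype, icode, icmp[8:]   # 4-byte ICMP header + 4 unused bytes


def compare_echo(probe, reply):
    """Compare the datagram a host echoes inside an ICMP Port Unreachable
    with the datagram it actually received, field by field."""
    itype, icode, quoted = quoted_datagram(reply)
    if (itype, icode) != (3, 3):
        raise ValueError("not an ICMP Port Unreachable (type 3, code 3)")
    orig, echo = parse_ip_header(probe), parse_ip_header(quoted)
    ihl = orig["ihl"] * 4
    return {
        "altered_ip_fields": {k: (orig[k], echo[k])
                              for k in orig if orig[k] != echo[k]},
        "echoed_ip_checksum_valid": inet_checksum(quoted[:ihl]) == 0,
        "udp_header_intact": quoted[ihl:ihl + 8] == probe[ihl:ihl + 8],
        "quoted_bytes": len(quoted),
    }


def matches_pgpfire_signature(result):
    """True when the echo shows the pattern the post describes: the IP
    flags/fragment-offset word zeroed (DF dropped), the echoed IP checksum
    recomputed to match, and the UDP header echoed unchanged."""
    altered = result["altered_ip_fields"]
    return (set(altered) == {"flags_frag", "checksum"}
            and altered["flags_frag"][1] == 0
            and result["echoed_ip_checksum_valid"]
            and result["udp_header_intact"])


if __name__ == "__main__":
    r = compare_echo(hexdump_to_bytes(PROBE_HEX), hexdump_to_bytes(REPLY_HEX))
    for field, (before, after) in r["altered_ip_fields"].items():
        print("%-12s sent %s  echoed %s" % (field, hex(before), hex(after)))
    print("echoed IP checksum valid:", r["echoed_ip_checksum_valid"])
    print("UDP header intact:", r["udp_header_intact"])
    print("PGPfire-style echo:", matches_pgpfire_signature(r))
```

    Run against the trace above it reports flags_frag 0x4000 echoed as 
    0x0, checksum 0x8c30 echoed as 0xcc30, a valid recomputed checksum and 
    an intact UDP header. Pointed at a capture from one of your own hosts 
    (a UDP probe plus the reply), the same comparison tells you whether 
    that host is giving away this fingerprint, and a stack that copies the 
    datagram verbatim shows an empty altered-field set.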
    
    
    Tested against machines with PGPfire installed on:
    
    -Microsoft Windows 2000 Platforms (No-SP, SP1, SP2, Pre-SP3 Patches)
    -Microsoft Windows Millennium
    
    
    Dangers:
    Ability to pinpoint Microsoft Windows operating systems running Network 
    Associates PGP Corporate Desktop 7.1 with the PGPfire Personal Desktop 
    Firewall installed (no need to be enabled), since this kind of echo 
    integrity behaviour is almost unique.
    
    If the firewall is not being used, or if it is running in an insecure 
    mode, an attacker might use this information to target the victim's 
    machine.
    
    
    Vendor Response: Since this is an "Information Leakage" problem no patch 
    will be released for version 7.1. This is already fixed on the upcoming 
    PGP Corporate Desktop software version 7.5.
    
    
    Remedies: Enable one of the PGPfire security policies of your choice, 
    and check that it does not allow ANY ICMP error messages from your 
    protected machine to the outside world.
    
    
    -- 
    Ofir Arkin
    Managing Security Architect
    @stake, Limited.
    http://www.atstake.com
    email: ofirat_private
    



    This archive was generated by hypermail 2b30 : Fri Jan 25 2002 - 13:37:48 PST