Subject: Identifying Kernel 2.4.x based Linux machines using UDP Author: Ofir Arkin (ofirat_private) Linux Kernel 2.4.x has a bug with the UDP implementation which allows both active and passive fingerprinting of Linux machines based on the 2.4.x Kernel. The following is a simple nslookup query initiated from my Kernel 2.4.10 based Linux machine: 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF Len: 43 BC 0D 01 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www 03 63 6E 6E 03 63 6F 6D 05 6C 6F 63 61 6C 00 00 .cnn.com.local.. 01 00 01 ... The IP Identification field value with the UDP datagram is zero (0). The value will be constant and will not be changed for future UDP datagrams I will be sending. The problem is not only with generating UDP datagrams, but also with answering UDP queries. With the following example I have sent a UDP datagram to the ECHO service on a Linux 2.4.18 based machine: 03/16-12:13:17.388211 192.168.1.200:1775 -> y.y.y.y:7 UDP TTL:64 TOS:0x0 ID:28256 IpLen:20 DgmLen:28 Len: 8 03/16-12:13:17.547636 y.y.y.y:7 -> 192.168.1.200:1775 UDP TTL:50 TOS:0x0 ID:0 IpLen:20 DgmLen:28 DF Len: 8 The IP identification field value with the answer is zero (0). It will also be constant and will not changed if we further query the target. The biggest problem is the ability to use legitimate applications, such as DNS queries with nslookup, and by sending and receiving one packet only to have the ability to fingerprint the 2.4.x Kernel branch. The 2.2.x kernel branch seems not to be affected according to my tests. Combined with another fingerprinting method using ICMP this time (http://www.sys-security.com/archive/bugtraq/ofirarkin2001-03.txt), we are able to fingerprint the 2.4.x kernel branch and divide it into two groups - 2.4.0-2.4.4 kernels, and the 2.4.5-2.4.18 kernels. -- Ofir Arkin Managing Security Architect @stake, Limited. http://www.atstake.com email: ofirat_private
This archive was generated by hypermail 2b30 : Tue Mar 19 2002 - 12:42:41 PST