RE: ipforwarding enabled, what can I do

From: Yonatan Bokovza (Yonatanat_private)
Date: Mon Aug 20 2001 - 10:53:48 PDT

    OK, time to clear some smoke:
    The IP protocol was designed a long, long time ago (September 1981
    according to the RFC:
    http://www.ietf.org/rfc/rfc0791.txt), and has several archaic features that
    were probably considered "cool" at that time.
    
    Source routing divides into two features:
    Loose source routing- means you set "Loose Source Routing"
    and add 1 to 8 IPs in the IP-options. The reason you can only use
    8 hops is due to IP header size limitations. Your IP packet will travel
    to the first IP first, and then to the second IP and on until it travels
    through all the IPs you defined, and then it will head toward the
    Destination. See traceroute -g.
    
    Strict Source Routing- is quite the same, only it means setting
    a different flag, and that the packet _must_ travel through _only_
    the hops you wrote. Since you can only specify 8 hops this option
    is of little use nowadays.
    
    Another relevant option is "Record Route"- Another flag needs to
    be set in the header, and every hop the packet goes through will
    write its IP in the header, hence you can get traceroute-like
    capabilities with one packet. -R to ping will do that for you.
    
    How do I attack a machine/network with this?
    Suppose you have a stupid firewall with LAN and DMZ, you _might_
    be able to pose as the DMZ if you send a packet to the LAN with
    IP of a DMZ server in Loose Source Routing mode.
    
    Real Life?
    All these options are deprecated. Any good firewall should drop
    packets with these flags, and any such packet should be treated
    like an attack by an IDS. There are lots of TCP/IP 
    implementations out there that don't support that, and many
    routers that just drop that.
    
    Since you've sucked your target's SNMP data, why don't you
    look for more lenient weaknesses?
    
    Best Regards, 
    
    Yonatan Bokovza
    IT Security Consultant
    Xpert Systems
    
    
    > Vladimir Parkhaev wrote:
    > > 
    > > I am doing a vulnerability assessment for one of our clients. One
    > > of their boxes is a multihomed Solaris server with ipforwarding enabled.
    > > IP addresses are available via snmp with default community string.
    > > 
    > > I tried to use this box as a gateway to internal network coming
    > > from the Internet without success.  I also looked at source
    > > routing but did not find any tools (Net::RawIP does not seem
    > > to support IP options).
    > > 
    > > Does anybody know how I can use this box to do routing for me?
    > > 
    > > Thanks.
    > 
    
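A defender-side check for the three options discussed in this thread (Record Route, Loose and Strict Source Routing), added here as an example; it is not code from the thread, from Net::RawIP or from any firewall product. It parses the IPv4 option field the way a filter or IDS would before dropping or alerting, and the packet it inspects is constructed inside the block with placeholder addresses.

```python
import struct

# IPv4 option type codes from RFC 791 (copied-flag and class bits included)
OPT_EOL, OPT_NOP, OPT_RR, OPT_LSRR, OPT_SSRR = 0, 1, 7, 131, 137
ROUTE_OPTS = {OPT_RR: "RR", OPT_LSRR: "LSRR", OPT_SSRR: "SSRR"}


def parse_route_options(packet: bytes):
    """Return [(name, [hop addresses])] for every RR/LSRR/SSRR option in an
    IPv4 header; raise ValueError on a malformed header or option field."""
    if len(packet) < 20:
        raise ValueError("short packet")
    ihl = (packet[0] & 0x0F) * 4
    if ihl < 20 or ihl > len(packet):
        raise ValueError("bad IHL")
    opts, found, i = packet[20:ihl], [], 0
    while i < len(opts):
        t = opts[i]
        if t == OPT_EOL:
            break
        if t == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts) or opts[i + 1] < 2 or i + opts[i + 1] > len(opts):
            raise ValueError("bad option length")  # malformed/fuzzed header
        length = opts[i + 1]
        if t in ROUTE_OPTS:
            body = opts[i + 3:i + length]  # skip type, length, pointer bytes
            hops = [".".join(str(b) for b in body[j:j + 4])
                    for j in range(0, len(body) - len(body) % 4, 4)]
            found.append((ROUTE_OPTS[t], hops))
        i += length
    return found


def is_source_routed(packet: bytes) -> bool:
    """True if the packet carries LSRR or SSRR: drop at the firewall, alert in IDS."""
    return any(n in ("LSRR", "SSRR") for n, _ in parse_route_options(packet))


def build_lsrr_packet(hops):
    """Constructed sample: minimal IPv4 header (no payload) with an LSRR option
    listing the given hops. All addresses are placeholders, not real hosts."""
    opt = bytes([OPT_LSRR, 3 + 4 * len(hops), 4])
    opt += b"".join(bytes(int(x) for x in h.split(".")) for h in hops)
    opt += b"\x00" * (-len(opt) % 4)  # pad with EOL to a 32-bit boundary
    ihl = 5 + len(opt) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", 0x40 | ihl, 0, 20 + len(opt), 0, 0,
                      64, 1, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + opt
```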
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
    Service. For more information on SecurityFocus' SIA service which
    automatically alerts you to the latest security vulnerabilities please see:
    https://alerts.securityfocus.com/
    



    This archive was generated by hypermail 2b30 : Mon Aug 20 2001 - 12:08:21 PDT