OSEC

Neohapsis is currently accepting applications for employment. For more information, please visit our website www.neohapsis.com or email hr@neohapsis.com
 
From: Andrew Griffiths (andrewgtasmail.com)
Date: Sun Jan 20 2002 - 03:17:22 CST

  • Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

    Greets: (in no particular order)

            Marty (and others for their brilliant work with Snort)
            Fyodor (for nmap)
            LBNL Network Research Group
            zen-parse [4] and jaguar for looking over this and suggesting
            improvements.

    It is possible to read parts of a remote machines memory. To be specific,
    it would have to be memory recently freed/swapped to disk. Consider this
    for example:

    int main(int argc, char **argv[], char **envp[])
    {
      char *ptr=0; /* We take a rather large chunk of memory and fill it with A's */
      int val, i;

      while(1) {
        sleep(1);
        val = 30000000; // ~ 30 M
        ptr = (char *)malloc(val);

        memset(ptr, 0x41, val-1);
        free(ptr);
      }
    }

    And then we modify nmap(1) (Around line 687) so it only transmits the
    first fragment out of a fragmented scan. This will illict a ICMP TTL
    Exceeded message. Due to Linux including a lot more of the packet than most
    other OS's, we have around 20 bytes to read. From memory, Solaris includes
    a little bit extra on ICMP messages.

    Let's look at a sniffer trace from snort(2):
      (Ignore the time stamps, as the machine this was originally done had a date
      in 1994...)

    12/11-00:34:34.290903 127.0.0.1 -> 127.0.0.1
    ICMP TTL:255 TOS:0xC0 ID:29812
    TTL EXCEEDED
    00 00 00 00 45 00 00 24 A2 15 20 00 3E 06 BC BC ....E..$.. .>...
    7F 00 00 01 7F 00 00 01 E1 C1 01 91 FB 73 6B E2 .............sk.
    00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA

    12/11-01:02:30.170720 127.0.0.1 -> 127.0.0.1
    CMP TTL:255 TOS:0xC0 ID:31185
    TTL EXCEEDED
    00 00 00 00 45 00 00 24 32 25 20 00 3B 06 2F AD ....E..$2% .;./.
    7F 00 00 01 7F 00 00 01 AA 1E 01 11 50 FE C6 45 ............P..E
    00 00 00 00 50 02 08 00 41 41 41 41 41 41 41 41 ....P...AAAAAAAA
    41 41 41 41 41 41 41 41 41 41 41 41 AAAAAAAAAAAA

    Also - to prove this is not Snort's fault I included a tcpdump(3) log.

    01:06:02.640246 lo < 127.0.0.1 > 127.0.0.1: icmp: ip reassembly time exceeded
    [tos 0xc0]
                             45c0 0054 7b85 0000 ff01 4161 7f00 0001
                             7f00 0001 0b01 77a3 0000 0000 4500 0024
                             d3e5 2000 3306 95ec 7f00 0001 7f00 0001
                             c027 055a 5fa5 73a5 0000 0000 5002 0800
                             4141 4141 4141 4141 4141 4141 4141 4141

    AFFECTED:

    I assume it would be any OS that includes more than the ipaddresses/ports.
     
    USAGES:

    The ramifications from this could be great. You may get fragments of the
    shadow file, various plaintext passwords (greatly depends...), pieces of code,
    urls, random memory.

    One specific use is for this could be identifying the endianness of a remote
    machine because of the addresses are in memory. (Reading from Linux Magazine
    November 2001, page 50, you have 0xef* for the stack on a big endian system as opposed to the 0xbf* on little endian. (linux-wise)).

    FIX:

      hrmm.... well.

      + Locking memory for important stuff (passwords etc.). I've forgotten the
          call to do that but it is possible. This will prevent swapping to disk
          which might make it better.

      + Modifying the kernel so in its idle loop (or whatever) it wipes some
        (unused!) memory. Could lead to a race though...

      + A small program to continues malloc()/zero/free() stuff. A little like the
          program above, but zeroing it instead. (You could always take the
          offensive stand by filling it with decoy data... that's left to the
          reader to implement. ;)

      + Make the network code zero out the packet before sending it. This would
          slow it down though, and make it even more obvious that you are running
          linux.

      + Filter out various icmp error messages, but as usual that breaks
        everything.

    (1). Nmap http://www.insecure.org/nmap

    (2). Snort http://www.snort.org
         snort -vd -i lo

    (3) tcpdump -lnx
    Lawrence Berkeley National Laboratory
    Network Research Group
    tcpdumpee.lbl.gov
    ftp://ftp.ee.lbl.gov/tcpdump.tar.Z

    (4) Make sure you visit Chapel of Stilled Voices
                           . . _ _ _ _ . . _ _ _ . .
     |_ _|_ _|_ _ . / / |\/| |_| _| | | ||\/| / | | ||_ | |
     | | | | |_|. / / | | | _|.|_ |_|| | / |_ |_| _| \/
                 |
    (5) Hey, there is no [5], so why are you reading this!?!

    --
    www.tasmail.com