Nmap Hackers: FreeBSD 4.x Bug with ICMP Error Messages

FreeBSD 4.x Bug with ICMP Error Messages

From: Ofir Arkin <ofir_at_itcon-ltd.com>
Date: Sat, 14 Oct 2000 23:09:51 +0200

It is long known that FreeBSD uses a wrong IP Identification number
with its ICMP Error Messages. This fact was discovered by Fyodor
long ago.

I wish to identify where the problem is.

The next example is with FreeBSD 4.1:

00:52:19.055758 ppp0 > x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
(ttl 64, id 58965)
                         4508 001c e655 0000 4011 3f63 xxxx xxxx
                         yyyy yyyy 0571 0000 0008 a55c

00:52:19.464548 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
(ttl 47, id 21990, bad cksum 5063!) (ttl 238, id 27639)
                         4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy
                         xxxx xxxx 0303 87f3 0000 0000 4508 001c
                         55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy
                         0571 0000 0008 0000

A UDP datagram was sent to a closed UDP port (port 0; it can be any port).
The original UDP datagram used e655 hex as its IP Identification
field value. The echoed IP header inside the ICMP error message
states that this value was 55e6 (within the offending datagram).

FreeBSD 4.x simply swaps the first 8 bits with the second 8 bits.

This info was sent to bugtraq,
and submitted to FreeBSD GNATS bug system.

Ofir Arkin [ofir_at_itcon-ltd.com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Personal Web page: http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
 
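The following is an added example, not code from the message above or from Nmap. It parses the two tcpdump hex dumps in the message, pulls the quoted IP header out of the ICMP port-unreachable, and classifies the quoted IP ID against the ID that was sent (identical, byte-swapped, or something else). It also applies the RFC 1624 incremental-checksum rule to the TTL change: the quoted header's checksum 5063 is exactly what the sent header (ID e655) would carry after its TTL dropped from 64 to 47, so the ID bytes were rewritten by the host that built the ICMP message, after the checksum had been computed, rather than changed in transit; that is why tcpdump flags "bad cksum". The masked x.x.x.x and y.y.y.y addresses are not on the page, so the placeholders 10.0.0.1 (prober) and 10.0.0.2 (FreeBSD host) stand in for them; this means the absolute checksums cannot be verified against the addresses, only the relationship between the sent and quoted checksums.

```python
"""Classify the IP ID a host quotes back in an ICMP error against the ID
that was sent, and check whether the quoted checksum is consistent with
the sent ID.  Added example; not code from the nmap-hackers message or
from Nmap itself."""
import struct

# Constructed from the two tcpdump hex dumps in the message.  The masked
# x.x.x.x / y.y.y.y addresses are replaced by placeholders 10.0.0.1 and
# 10.0.0.2; every other byte is as printed in the dumps.
PROBE = bytes.fromhex(
    "4508001c" "e6550000" "40113f63" "0a000001" "0a000002"   # IP: id e655, ttl 64
    "05710000" "0008a55c"                                    # UDP 1393 -> 0
)
ICMP_REPLY = bytes.fromhex(
    "45000038" "6bf70000" "ee010bbd" "0a000002" "0a000001"   # outer IP header
    "030387f3" "00000000"                                    # ICMP type 3 code 3
    "4508001c" "55e60000" "2f115063" "0a000001" "0a000002"   # quoted IP: id 55e6, ttl 47
    "05710000" "00080000"                                    # quoted UDP header
)


def parse_ipv4(buf, off=0):
    """Parse the fixed IPv4 header at buf[off:]; return (fields, header length)."""
    vihl, _tos, total_len, ident, _frag, ttl, proto, cksum, src, dst = \
        struct.unpack_from("!BBHHHBBH4s4s", buf, off)
    if vihl >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ihl = (vihl & 0x0F) * 4
    return {"len": total_len, "id": ident, "ttl": ttl, "proto": proto,
            "cksum": cksum, "src": src, "dst": dst}, ihl


def parse_udp(buf, off):
    """Parse the 8-byte UDP header at buf[off:]."""
    sport, dport, ulen, usum = struct.unpack_from("!HHHH", buf, off)
    return {"sport": sport, "dport": dport, "len": ulen, "cksum": usum}


def quoted_datagram(reply):
    """Return the (IP fields, UDP fields) quoted inside an ICMP type 3 message."""
    outer, ihl = parse_ipv4(reply)
    if outer["proto"] != 1:
        raise ValueError("reply is not ICMP")
    icmp_type = reply[ihl]
    if icmp_type != 3:
        raise ValueError("reply is not destination unreachable")
    inner, inner_ihl = parse_ipv4(reply, ihl + 8)     # 8 = ICMP header length
    return inner, parse_udp(reply, ihl + 8 + inner_ihl)


def ones_complement_add(*words):
    """Sum 16-bit words with end-around carry (Internet checksum arithmetic)."""
    total = sum(words)
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def incremental_cksum(old_cksum, old_word, new_word):
    """RFC 1624 eq. 3: HC' = ~(~HC + ~m + m'), where word m became m'."""
    return ~ones_complement_add(~old_cksum & 0xFFFF, ~old_word & 0xFFFF, new_word) & 0xFFFF


def byteswap16(word):
    return ((word & 0xFF) << 8) | (word >> 8)


def compare_quote(probe, reply):
    """Relate the quoted IP header to the probe that was actually sent."""
    sent, sent_ihl = parse_ipv4(probe)
    sent_udp = parse_udp(probe, sent_ihl)
    quoted, quoted_udp = quoted_datagram(reply)

    if quoted["id"] == sent["id"]:
        relation = "same"
    elif quoted["id"] == byteswap16(sent["id"]):
        relation = "byte-swapped"
    else:
        relation = "different"

    # Only the TTL legitimately changes on the way to the target, so predict
    # the checksum the *sent* header would carry once its TTL byte was
    # decremented to the quoted value (TTL and protocol share one 16-bit word).
    predicted = incremental_cksum(sent["cksum"],
                                  (sent["ttl"] << 8) | sent["proto"],
                                  (quoted["ttl"] << 8) | quoted["proto"])
    return {
        "id_relation": relation,
        "hops": sent["ttl"] - quoted["ttl"],
        # True: the quoted checksum still covers the ORIGINAL id, so the id
        # bytes were rewritten by the quoting host after checksumming.
        "cksum_matches_sent_id": quoted["cksum"] == predicted,
        # What the checksum would have been had the id really been changed in transit.
        "cksum_if_id_really_changed": incremental_cksum(predicted, sent["id"], quoted["id"]),
        "sent_udp_cksum": sent_udp["cksum"],
        "quoted_udp_cksum": quoted_udp["cksum"],
    }


if __name__ == "__main__":
    for key, value in compare_quote(PROBE, ICMP_REPLY).items():
        print(f"{key}: {value:#06x}" if isinstance(value, int) and not isinstance(value, bool) else f"{key}: {value}")
```

Run stand-alone it reports the quoted ID as byte-swapped, 17 hops of TTL decrement, and a quoted checksum that matches the sent ID (had the ID genuinely been 55e6 on the wire the checksum would have been e0d2). Note also that the quoted UDP checksum is 0000 where the probe carried a55c; that is a second difference visible in the dumps. This is the same comparison Nmap's OS fingerprinting makes with its RID test on the ICMP port-unreachable elicited by a UDP probe to a closed port, which is how such a quirk becomes an OS fingerprint.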

--------------------------------------------------
For help using this (nmap-hackers) mailing list, send a blank email to
nmap-hackers-help_at_insecure.org . List run by ezmlm-idx (www.ezmlm.org).
Received on Oct 14 2000
