Nmap Hackers: Novell Netware Echoing Integrity Bug with ICMP Fragment Reassembly Time Exceeded

Novell Netware Echoing Integrity Bug with ICMP Fragment Reassembly Time Exceeded

From: Ofir Arkin <ofir_at_itcon-ltd.com>
Date: Thu, 23 Nov 2000 09:13:58 +0200

Novell Netware operating systems have a unique pattern in the ICMP Fragment
Reassembly Time Exceeded error messages they produce.

In general, when an ICMP error message is produced, the offending packet's
IP header + at least 8 bytes of data are echoed with the error message. If
we examine the next example closely, we can see that the offending packet's
IP TTL field value echoed back is zero. We expect this value to decrement
from the value initially assigned, but not to be zero. Since this value
should change from one hop to another, the checksum needs to be recalculated
each time. With the error message we can see that the checksum echoed is
miscalculated.

...And again this is a Fragment Reassembly Time Exceeded ICMP error message
and not ICMP Time Exceeded in Transit error message.

The next example is with Novell Netware 5.1:

[root_at_godfather bin]# hping2 -c 1 -x -y y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y): NO FLAGS are set, 40 headers + 0 data bytes

--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root_at_godfather bin]#

The Trace:

20:12:28.008893 ppp0 > x.x.x.x.1865 > y.y.y.y.0: . 687160929:687160929(0)
win 512 (frag 58586:20_at_0+) (DF) (ttl 64)
                         4500 0028 e4da 6000 4006 c236 xxxx xxxx
                         yyyy yyyy 0749 0000 28f5 3e61 669e 9f15
                         5000 0200 c5d2 0000

20:12:41.313202 ppp0 < y.y.y.y > x.x.x.x: icmp: ip reassembly time exceeded
Offending pkt: [|tcp] (frag 58586:20_at_0+) (DF) [ttl 0] (bad cksum d336!) (ttl
111, id 9591)
                         4500 0038 2577 0000 6f01 b28f yyyy yyyy
                         xxxx xxxx 0b01 b55f 0000 0000 4500 0028
                         e4da 6000 0006 d336 xxxx xxxx yyyy yyyy
                         0749 0000 28f5 3e61

This unique pattern enables us to determine whether the operating system in
question is Novell Netware or something else with one datagram only.

The information was sent to Novell.

I would like to thank Simple Nomad for verifying this info.

This info was submitted to Bugtraq as well.

Ofir Arkin [ofir_at_itcon-ltd.com]
Senior Security Analyst
Chief of Grey Hats
ITcon, Israel.
http://www.itcon-ltd.com

Founder
http://www.sys-security.com

"Opinions expressed do not necessarily
represent the views of my employer."
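The check described in the post, written out as an added example (not code from the post or from any Nmap/hping tool): it parses the ICMP message from the trace, confirms it is type 11 code 1 (fragment reassembly time exceeded), reads the echoed TTL, and tests whether the echoed checksum is consistent with that TTL. The hosts x.x.x.x and y.y.y.y are masked in the trace, so the address words are filled with zeros (an assumption) and the checksum arithmetic is done incrementally (RFC 1624) against the sender's own valid checksum, which makes the addresses cancel out.

```python
import struct

# Constructed from the hex dumps in the post; the masked x.x.x.x / y.y.y.y
# address words are replaced by zeros, so only relative checksum math is valid.
SENT_HDR = bytes.fromhex("4500 0028 e4da 6000 4006 c236 00000000 00000000")
ICMP_MSG = bytes.fromhex(
    "0b01 b55f 0000 0000"                           # ICMP type 11, code 1
    "4500 0028 e4da 6000 0006 d336 00000000 00000000"  # echoed IP header, TTL 0
    "0749 0000 28f5 3e61"                           # first 8 bytes of TCP
)

def ones_add(a, b):
    """16-bit one's complement addition with end-around carry."""
    s = a + b
    return (s & 0xFFFF) + (s >> 16)

def ip_checksum(hdr):
    """Fresh IPv4 header checksum (checksum field treated as zero)."""
    hdr = bytes(hdr[:10]) + b"\x00\x00" + bytes(hdr[12:])
    total = 0
    for (word,) in struct.iter_unpack("!H", hdr):
        total = ones_add(total, word)
    return (~total) & 0xFFFF

def checksum_after_ttl_change(valid_hdr, new_ttl):
    """RFC 1624 incremental update: HC' = ~(~HC + ~m + m') where only the
    TTL/protocol word m changes, so unknown address words drop out."""
    old_sum = struct.unpack("!H", valid_hdr[10:12])[0]
    old_word = struct.unpack("!H", valid_hdr[8:10])[0]
    new_word = (new_ttl << 8) | (old_word & 0xFF)
    acc = ones_add((~old_sum) & 0xFFFF, (~old_word) & 0xFFFF)
    acc = ones_add(acc, new_word)
    return (~acc) & 0xFFFF

def parse_icmp_error(msg):
    """Return (type, code, quoted IP header) from an ICMP error message."""
    quoted = msg[8:]                       # offending header starts after 8-byte ICMP header
    ihl = (quoted[0] & 0x0F) * 4
    return msg[0], msg[1], quoted[:ihl]

def analyse(sent_hdr, icmp_msg):
    """Compare the echoed TTL and checksum against what our own packet implies."""
    icmp_type, code, quoted = parse_icmp_error(icmp_msg)
    q_ttl = quoted[8]
    q_sum = struct.unpack("!H", quoted[10:12])[0]
    expected = checksum_after_ttl_change(sent_hdr, q_ttl)
    implied = [t for t in range(256) if checksum_after_ttl_change(sent_hdr, t) == q_sum]
    return {
        "frag_reassembly_time_exceeded": (icmp_type, code) == (11, 1),
        "quoted_ttl": q_ttl,
        "quoted_cksum": q_sum,
        "expected_cksum": expected,            # what a TTL-0 header should carry
        "cksum_matches_quoted_ttl": expected == q_sum,
        "ttl_consistent_with_cksum": implied,  # TTL values the echoed checksum fits
    }

def netware_pattern(sent_hdr, icmp_msg):
    """The post's fingerprint: type 11/code 1, echoed TTL 0, checksum not matching."""
    r = analyse(sent_hdr, icmp_msg)
    return r["frag_reassembly_time_exceeded"] and r["quoted_ttl"] == 0 and not r["cksum_matches_quoted_ttl"]
```

For the trace above the echoed checksum d336 does not fit a TTL of 0 (that would be 0237); the only TTL it does fit is 47, i.e. the checksum still belongs to the header as it arrived after the hops while the TTL byte was zeroed.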

Received on Nov 24 2000
