Vulnerability Development mailing list archives

Re: arp packet payload

From: "Dave Korn" <davek_throwaway () hotmail com>
Date: Mon, 03 Nov 2003 15:39:45 +0000

----- Original Message -----
From: "Russell Harding" <hardingr () cunap com>
To: "sebastian" <reitenba () fh-brandenburg de>
Cc: <vuln-dev () securityfocus com>
Sent: Friday, October 31, 2003 10:42 PM
Subject: Re: arp packet payload

Hello,

  I encountered similar data while wirless sniffing.

However, this is not an accidental uninitialized padding. These packets
are part of XP's Upnp service.

No, you're wrong. It absolutely IS an ARP packet, with un-zeroed trailerpadding which I agree IS from a UPnP multicast datagram, but the packetitself is ARP. Notice how the http request is truncated, for goodness sake!Bear in mind the ethernet header is not displayed in the packet dump here,so don't be thrown off by that 0x0800: that is NOT an ethernet frame typefield.

> 00:44:36.309866 arp who-has 192.168.5.254 tell 192.168.5.164
> 0x0000   0001 0800 0604 0001 00c0 9f20 d3cd c0a8        ................
> 0x0010   05a4 0000 0000 0000 c0a8 05fe 4d2d 5345        ............M-SE
> 0x0020   4152 4348 202a 2048 5454 502f 312e             ARCH.*.HTTP/1.


0x0001 = ARP hardware type = ethernet
0x0800 = ARP protocol type = 0x0800 indicating ARP for IP addresses
0x06    = ARP hardware address size - six for ethernet MAC
0x04    = ARP protocol address size - four for IP address length...
0x0001 = ARP operation: 1 = arp REQUEST.

followed by

6 bytes sender MAC 00-c0-9f-20-d3-cd, 4 bytes sender IP c0.a8.05.a4

6 bytes target MAC 00-00-00-00-00-00 (unknown), 4 bytes target IPc0.a8.05.fe

The rest is padding to the ethernet minimum frame size (60 bytes), less 14bytes header = packet body size of 46. As you say, the padding comes from aUPnP request, but it absolutely IS padding.


And in reply to the OP:

On Fri, 31 Oct 2003, sebastian wrote:

> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
>
> hi list,
>
> don't know wheater it's mentioned anywhere or old news but here we go:
>
> captured following arp packet last night:
>
>

> nice packet, but what makes me curious is the payload. where is it takenfrom?

> are there also passwords and other "secret" things, which may be
> unintentionally sent out to the.
> i think the source is a windows xp box.
>
> cheers
> sebastian

Yep, it's well known, and has been for years. See messages 1 and 26 inthis thread from December last year:


http://groups.google.com/groups?hl=en&lr=&ie=UTF-8&threadm=Xns92DBCB57DB3D8IWishIWas%40marashouse.org&rnum=2&prev=/groups%3Fq%3Dhackers%2Bmalicious%2Bpop%2Bquiz%26ie%3DISO-8859-1%26hl%3Den

and also this post from May 2001

http://www.tcpdump.org/lists/workers/2001/05/msg00056.html

as well as the 'Etherleak' advisory from @stake earlier this year.

       DaveK

_________________________________________________________________

Sign-up for a FREE BT Broadband connection today!http://www.msn.co.uk/specials/btbroadband

Current thread:

Re: arp packet payload Bram Matthys (Syzop) (Nov 01)
- <Possible follow-ups>
- Re: arp packet payload Russell Harding (Nov 01)
- Re: arp packet payload Dave Korn (Nov 03)