Diffstat (limited to 'informationals/teso-i0023.txt')
| -rw-r--r-- | informationals/teso-i0023.txt | 156 |
1 files changed, 156 insertions, 0 deletions
diff --git a/informationals/teso-i0023.txt b/informationals/teso-i0023.txt new file mode 100644 index 0000000..b21eb1c --- /dev/null +++ b/informationals/teso-i0023.txt | |||
| @@ -0,0 +1,156 @@ | |||
| 1 | 0023 2000/04/16 Information on BinTec Router DoS | ||
| 2 | |||
| 3 | ==== TESO Informational ======================================================= | ||
| 4 | This piece of information is to be kept confidential. | ||
| 5 | =============================================================================== | ||
| 6 | |||
| 7 | Description ..........: By filling the NAT table of a BinTec Router one can | ||
| 8 | force the machine to reboot because of memory shortage | ||
| 9 | Date .................: 2000/04/16 00:00 | ||
| 10 | Author ...............: rookie | ||
| 11 | Publicity level ......: unknown | ||
| 12 | Affected .............: BinTec Router (BRICK-XS1/4 tested) | ||
| 13 | Firmware 4.9.3 has fixed this bug by deleting | ||
| 14 | Table entries, the 'Final Release' 5.1.2 reintroduced | ||
| 15 | the bug again | ||
| 16 | Type of entity .......: | ||
| 17 | Type of discovery ....: | ||
| 18 | Severity/Importance ..: low, stupid DoS, easy to use | ||
| 19 | Found by .............: rookie | ||
| 20 | |||
| 21 | =============================================================================== | ||
| 22 | |||
| 23 | BinTec Router will reboot automatically when memory is short, so the perfect | ||
| 24 | DoS is to fill up the memory. | ||
| 25 | |||
| 26 | A common setup especially for workgroup and small business Access Router to | ||
| 27 | connect many computers over one or two ISDN lines is NAT (Network Adress | ||
| 28 | Translation). However, NAT is also considered to be a 'security feature' | ||
| 29 | because it acts like a stateful transparent proxy for private networks, so it | ||
| 30 | can be found on other setups, too. | ||
| 31 | |||
| 32 | Due to this behaviour a router doing NAT has to manage a table with the | ||
| 33 | following information for every connection: | ||
| 34 | |||
| 35 | internal network ip & port -> router external port -> target ip & port | ||
| 36 | |||
| 37 | |||
| 38 | a.) | ||
| 39 | |||
| 40 | Example from an XS Router (Firmware 5.1.2): | ||
| 41 | |||
| 42 | cass:system> ipNatTable | ||
| 43 | |||
| 44 | inx IfIndex(*ro) Protocol(*ro) IntAddr(*ro) IntPort(*ro) | ||
| 45 | ExtAddr(ro) ExtPort(ro) RemoteAddr(ro) RemotePort(ro) | ||
| 46 | Direction(ro) Age(ro) | ||
| 47 | |||
| 48 | 00 10001 tcp 192.168.0.100 1112 | ||
| 49 | 195.202.39.137 32824 212.3.152.130 50005 | ||
| 50 | outgoing 0 00:00:02.00 | ||
| 51 | |||
| 52 | |||
| 53 | b.) | ||
| 54 | |||
| 55 | A packet with SYN flag establishes an entry: | ||
| 56 | |||
| 57 | raven:~# nmap -sS www.ccc.de -p 12345 | ||
| 58 | |||
| 59 | 08 10001 tcp 192.168.0.100 63072 | ||
| 60 | 195.202.39.137 33016 195.21.255.248 12345 | ||
| 61 | outgoing 0 00:00:02.00 | ||
| 62 | |||
| 63 | |||
| 64 | c.) | ||
| 65 | |||
| 66 | However the table entry is deleted for that connection if a RST, FIN or | ||
| 67 | ICMP Error is received: | ||
| 68 | |||
| 69 | cass:ipExtIfTable> ipextifnatrmvfin | ||
| 70 | |||
| 71 | inx NatRmvFin(rw) | ||
| 72 | |||
| 73 | 00 yes /* ethernet 1*/ | ||
| 74 | |||
| 75 | 01 yes /* ethernet 2*/ | ||
| 76 | |||
| 77 | 02 yes /* dial up line */ | ||
| 78 | |||
| 79 | |||
| 80 | d.) | ||
| 81 | |||
| 82 | For idle connections there is a timeout of 1 hour for TCP and 30 | ||
| 83 | seconds for icmp and udp: | ||
| 84 | |||
| 85 | cass:ipExtIfTable> ipextifnattcptimeout | ||
| 86 | |||
| 87 | inx NatTcpTimeout(rw) | ||
| 88 | |||
| 89 | 00 3600 | ||
| 90 | |||
| 91 | 01 3600 | ||
| 92 | |||
| 93 | 02 3600 | ||
| 94 | |||
| 95 | cass:ipExtIfTable> ipextifnatothertimeout | ||
| 96 | |||
| 97 | inx NatOtherTimeout(rw) | ||
| 98 | |||
| 99 | 00 30 | ||
| 100 | |||
| 101 | 01 30 | ||
| 102 | |||
| 103 | 02 30 | ||
| 104 | |||
| 105 | |||
| 106 | Notice: Setting down the timeout won't help much, you can force the machine | ||
| 107 | to reboot with nmap -sS down to about 2 seconds *with* RSTet | ||
| 108 | connections. With anything below 30 seconds the router will kill any | ||
| 109 | telnet, IRC and whatsoever idle connection. | ||
| 110 | |||
| 111 | Conclusion: Rebooting the machine from the masqueraded network is trivial by | ||
| 112 | sending lots of SYN packets from different source IPs and ports to | ||
| 113 | an external IP that does not send RST packets back (however even | ||
| 114 | thenn the router memory might overflow) | ||
| 115 | |||
| 116 | e.) | ||
| 117 | |||
| 118 | Very often a forward rule is implemented to allow services from the outside | ||
| 119 | through NAT. | ||
| 120 | |||
| 121 | The default behaviour is to reject connections from the outside: | ||
| 122 | |||
| 123 | Apr 19 23:39:18 cass INET: NAT: refused incoming session on ifc 10001 prot 6 | ||
| 124 | 195.202.39.137:113 <- 128.176.216.234:1046 | ||
| 125 | |||
| 126 | However a forward rule can be defined: | ||
| 127 | |||
| 128 | Service user defined | ||
| 129 | Protocol tcp | ||
| 130 | Port (-1 for any) 113 | ||
| 131 | Destination 192.168.0.100 | ||
| 132 | |||
| 133 | The identd request goes through: | ||
| 134 | |||
| 135 | Apr 20 00:39:28 raven tcplogd: auth connection attempt from | ||
| 136 | HOTSPOT2.UNI-MUENSTER.DE [128.176.216.234] | ||
| 137 | |||
| 138 | |||
| 139 | f.) | ||
| 140 | |||
| 141 | Entry in the NAT Table: | ||
| 142 | |||
| 143 | cass:ipNatTable> ipNatTable | ||
| 144 | |||
| 145 | inx IfIndex(*ro) Protocol(*ro) IntAddr(*ro) IntPort(*ro) | ||
| 146 | ExtAddr(ro) ExtPort(ro) RemoteAddr(ro) RemotePort(ro) | ||
| 147 | Direction(ro) Age(ro) | ||
| 148 | |||
| 149 | 05 10001 tcp 192.168.0.100 113 | ||
| 150 | 195.202.39.137 113 128.176.216.234 1049 | ||
| 151 | incoming 0 00:00:05.00 | ||
| 152 | |||
| 153 | Conclusion: Rebooting from the outside is simple if a forward rule has been | ||
| 154 | defined (very likely). | ||
| 155 | |||
| 156 | =============================================================================== | ||
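Review bot: the two "Conclusion" paragraphs in sections d.) and f.) of the added file claim that rebooting the BRICK from inside (spoofed SYNs to a non-RSTing external host) and from outside (through a forward rule) is trivial, but nothing in the file records the observation that backs this: how many ipNatTable entries or what nmap -sS rate actually exhausted memory on the BRICK-XS, or how long it took. Without that figure a reader cannot reproduce the result or judge the "low" severity rating, so suggest adding the measured entry count / packet rate next to the nmap example in b.) and stating in d.) that the test was done with NatRmvFin=yes on all interfaces, since c.) shows that setting but the text never says whether the 2-second figure was taken with or without it. Two smaller things worth fixing before this lands in the archive: the "Type of entity" and "Type of discovery" header fields are left empty, and there are typos in the body ("Adress" -> "Address", "RSTet" -> "RSTed", "thenn" -> "then").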
