Subject: Re: FreeBSD 4.x Bug with ICMP Error Messages (fwd)
In-Reply-To: <200010142316.KAA05381@cairo.anu.edu.au> "from Darren Reed at Oct 15, 2000 10:16:09 am"
To: Darren Reed
Date: Sun, 15 Oct 2000 13:37:21 +0200 (CEST)
Cc: freebsd-security@FreeBSD.ORG
Message-Id: <20001015113721.C0E201B@avalon.oasis.IAEhv.nl>
From: volf@oasis.IAEhv.nl (Frank Volf)

While I was working on IP Filter I came across the same problem.
I entered a PR and the problem was fixed within a week by Ruslan Ermilov.
The patch is in both CURRENT and 4-STABLE. I don't have the CVS rev. number
at hand, but cvs log in sys/netinet is your friend.

You may also have a look at PR 16240 and PR 20877.

Frank

Darren Reed wrote:
> Forwarded message:
> > From: "Ofir Arkin"
> > To: "Nmap-Hackers"
> > Subject: FreeBSD 4.x Bug with ICMP Error Messages
> > Date: Sat, 14 Oct 2000 23:09:51 +0200
> >
> > It is long known that FreeBSD uses a wrong IP Identification number
> > with its ICMP Error Messages. This fact was discovered by Fyodor
> > long ago.
> >
> > I wish to identify where the problem is.
> >
> > The next example is with FreeBSD 4.1:
> >
> > 00:52:19.055758 ppp0 > x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
> > (ttl 64, id 58965)
> >     4508 001c e655 0000 4011 3f63 xxxx xxxx
> >     yyyy yyyy 0571 0000 0008 a55c
> >
> > 00:52:19.464548 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
> > unreachable Offending pkt: x.x.x.x.1393 > y.y.y.y.0: udp 0 [tos 0x8]
> > (ttl 47, id 21990, bad cksum 5063!) (ttl 238, id 27639)
> >     4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy
> >     xxxx xxxx 0303 87f3 0000 0000 4508 001c
> >     55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy
> >     0571 0000 0008 0000
> >
> > A udp datagram sent to a closed udp port (port 0, can be any port).
> > The original udp datagram used e655 hex as its IP Identification
> > field value. The echoed IP Header inside the ICMP Error message
> > states that this value was 55e6 (with the offending datagram).
> >
> > FreeBSD 4.x simply flips between the first 8 bits to the second 8
> > bits.
> >
> > This info was sent to bugtraq,
> > and submitted to FreeBSD GNATS bug system.
> >
> > Ofir Arkin [ofir@itcon-ltd.com]
> > Senior Security Analyst
> > Chief of Grey Hats
> > ITcon, Israel.
> > http://www.itcon-ltd.com
> >
> > Personal Web page: http://www.sys-security.com
> >
> > "Opinions expressed do not necessarily
> > represent the views of my employer."
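
Added example (not part of the original messages, and not FreeBSD or nmap code): a Python check that parses the two packets from the quoted tcpdump output and reports whether the IP ID echoed inside the ICMP error matches the ID that was sent. The masked xxxx/yyyy addresses are filled with constructed documentation addresses, and all function names are hypothetical.

```python
import struct

# Hex words copied from the tcpdump output quoted above. The capture masks the
# addresses as xxxx/yyyy; constructed documentation addresses (192.0.2.1 and
# 198.51.100.1) are substituted here, so header checksums are not verified.
SENT = "4508 001c e655 0000 4011 3f63 xxxx xxxx yyyy yyyy 0571 0000 0008 a55c"
ICMP_ERR = ("4500 0038 6bf7 0000 ee01 0bbd yyyy yyyy xxxx xxxx 0303 87f3 0000 0000 "
            "4508 001c 55e6 0000 2f11 5063 xxxx xxxx yyyy yyyy 0571 0000 0008 0000")
ICMP_ERROR_TYPES = {3, 4, 5, 11, 12}  # ICMPv4 types that quote the offending datagram

def unmask(dump):
    filled = dump.replace("xxxx xxxx", "c0000201").replace("yyyy yyyy", "c6336401")
    return bytes.fromhex("".join(filled.split()))

def ip_header(pkt):
    """Return (header_length, protocol, ip_id) of an IPv4 packet."""
    if len(pkt) < 20 or pkt[0] >> 4 != 4:
        raise ValueError("not an IPv4 header")
    ip_id, = struct.unpack_from("!H", pkt, 4)
    return (pkt[0] & 0x0F) * 4, pkt[9], ip_id

def quoted_ip_id(icmp_pkt):
    """IP ID of the datagram quoted inside an ICMP error message."""
    hlen, proto, _ = ip_header(icmp_pkt)
    if proto != 1 or len(icmp_pkt) < hlen + 8 or icmp_pkt[hlen] not in ICMP_ERROR_TYPES:
        raise ValueError("not an ICMP error message")
    return ip_header(icmp_pkt[hlen + 8:])[2]  # quoted header follows the 8-byte ICMP header

def classify_echo(sent_pkt, icmp_pkt):
    """Compare the IP ID that was sent with the one echoed back."""
    sent, echoed = ip_header(sent_pkt)[2], quoted_ip_id(icmp_pkt)
    if echoed == sent:
        # Also reached when both ID bytes are equal (e.g. 0x4141): a swap is
        # invisible for such IDs, so one sample with such an ID proves nothing.
        return "correct"
    if echoed == ((sent & 0xFF) << 8 | sent >> 8):
        return "byte-swapped"
    return "mismatch"

if __name__ == "__main__":
    print(classify_echo(unmask(SENT), unmask(ICMP_ERR)))  # byte-swapped
```

Run against a capture from a host carrying the fix mentioned in the reply, the same comparison should report "correct".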