From owner-freebsd-security Wed Dec 16 12:17:02 1998 Return-Path: Received: (from majordom@localhost) by hub.freebsd.org (8.8.8/8.8.8) id MAA04449 for freebsd-security-outgoing; Wed, 16 Dec 1998 12:17:02 -0800 (PST) (envelope-from owner-freebsd-security@FreeBSD.ORG) Received: from cheops.anu.edu.au (cheops.anu.edu.au [150.203.149.24]) by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id MAA04444 for ; Wed, 16 Dec 1998 12:16:59 -0800 (PST) (envelope-from avalon@cheops.anu.edu.au) Received: (from avalon@localhost) by cheops.anu.edu.au (8.9.1/8.9.1) id HAA25754; Thu, 17 Dec 1998 07:15:57 +1100 (EDT) From: Darren Reed Message-Id: <199812162015.HAA25754@cheops.anu.edu.au> Subject: Re: Detecting remote host type and so on.. To: fygrave@tigerteam.net (CyberPsychotic) Date: Thu, 17 Dec 1998 07:15:56 +1100 (EDT) Cc: jkb@best.com, robert+freebsd@cyrus.watson.org, freebsd-security@FreeBSD.ORG In-Reply-To: from "CyberPsychotic" at Dec 16, 98 06:38:19 pm X-Mailer: ELM [version 2.4 PL23] Content-Type: text Sender: owner-freebsd-security@FreeBSD.ORG Precedence: bulk X-Loop: FreeBSD.org In some mail from CyberPsychotic, sie said: [...] > This is linux implementation, but I guess it could be ported to BSD's bpf > instead of RAW_SOCK platform as well. I also had an idea, that you could > defeat various OS probes using the same toy by spoofing various OS > dependent responces and thus confuse such toys as nmap or queso. If everyone fixed theirs up, it would also be much harder. Whilst looking at the NetBSD ICMP code, I noticed some fields don't get converted back into network byte order for ICMP replies. You may want to try the patch below (with some finger work required) to fix this problem. Darren *** ip_icmp.c.orig Sun Dec 6 17:04:21 1998 --- ip_icmp.c Sun Dec 6 17:46:24 1998 *************** *** 159,165 **** m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) goto freeit; ! 
icmplen = oiplen + min(8, oip->ip_len); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); --- 159,165 ---- m = m_gethdr(M_DONTWAIT, MT_HEADER); if (m == NULL) goto freeit; ! icmplen = oiplen + min(8, oip->ip_len - oiplen); m->m_len = icmplen + ICMP_MINLEN; MH_ALIGN(m, m->m_len); icp = mtod(m, struct icmp *); *************** *** 183,188 **** --- 183,191 ---- icp->icmp_nextmtu = htons(destifp->if_mtu); } + HTONS(oip->ip_id); + HTONS(oip->ip_off); + HTONS(oip->ip_len); icp->icmp_code = code; bcopy((caddr_t)oip, (caddr_t)&icp->icmp_ip, icmplen); nip = &icp->icmp_ip; *** ip_input.c.orig Sun Aug 9 21:11:14 1998 --- ip_input.c Sun Dec 6 17:26:31 1998 *************** *** 1139,1145 **** m_freem(m); return; } - HTONS(ip->ip_id); if (ip->ip_ttl <= IPTTLDEC) { icmp_error(m, ICMP_TIMXCEED, ICMP_TIMXCEED_INTRANS, dest, 0); return; --- 1139,1144 ---- *************** *** 1186,1201 **** if (rt->rt_ifa && (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_subnetmask) == ifatoia(rt->rt_ifa)->ia_subnet) { ! if (rt->rt_flags & RTF_GATEWAY) ! dest = satosin(rt->rt_gateway)->sin_addr.s_addr; ! else ! dest = ip->ip_dst.s_addr; ! /* Router requirements says to only send host redirects */ ! type = ICMP_REDIRECT; ! code = ICMP_REDIRECT_HOST; #ifdef DIAGNOSTIC ! if (ipprintfs) ! printf("redirect (%d) to %x\n", code, (u_int32_t)dest); #endif } } --- 1185,1201 ---- if (rt->rt_ifa && (ip->ip_src.s_addr & ifatoia(rt->rt_ifa)->ia_subnetmask) == ifatoia(rt->rt_ifa)->ia_subnet) { ! if (rt->rt_flags & RTF_GATEWAY) ! dest = satosin(rt->rt_gateway)->sin_addr.s_addr; ! else ! dest = ip->ip_dst.s_addr; ! /* Router requirements says only send host redirects */ ! type = ICMP_REDIRECT; ! code = ICMP_REDIRECT_HOST; #ifdef DIAGNOSTIC ! if (ipprintfs) ! printf("redirect (%d) to %x\n", code, ! 
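Review bot: The new length expression `min(8, oip->ip_len - oiplen)` misbehaves whenever a caller hands icmp_error a header whose ip_len is smaller than its header length: depending on whether this kernel's min() takes int or unsigned operands the result is either a negative icmplen, which then flows into m->m_len and the bcopy length in the next hunk, or a silent fallback to 8 bytes that may lie past the packet's real payload and leak stale mbuf contents into the ICMP reply. The udp_usrreq.c hunk of this same patch suggests such callers exist, since it has to add the header length back before calling icmp_error. A guard beside the existing allocation check, `if (oip->ip_len < oiplen) goto freeit;`, rejects a short or inconsistent header inside icmp_error instead of relying on every caller to restore ip_len first. Whether ip_input already rejects such packets on the forwarding path is not visible here, and the rest of icmp_error continues outside the hunk.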
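Review bot: The three HTONS() calls convert the original packet's header in place, and they are only correct because icmplen was already derived from oip->ip_len in host order in the preceding hunk; a comment such as `/* oip is still in host order here; swap before the copy so the quoted header goes out in network order */` would protect that ordering against a later reshuffle. If the code after `nip = &icp->icmp_ip` still adjusts nip->ip_len (for instance an htons() of nip->ip_len plus oiplen, as older icmp_error bodies do), that field would now be converted twice; that part of icmp_error lies outside the hunk and should be checked. The in-place mutation also means anything that touches the original mbuf after this point sees a swapped header, which is presumably fine only because the mbuf is released at freeit.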
(u_int32_t)dest); #endif } } *** ip_output.c.orig Sun Aug 9 21:11:14 1998 --- ip_output.c Sun Dec 6 17:26:11 1998 *************** *** 172,177 **** --- 172,178 ---- ipstat.ips_localout++; } else { hlen = ip->ip_hl << 2; + HTONS(ip->ip_id); } /* * Route packet. *************** *** 368,375 **** * If small enough for mtu of path, can just send directly. */ if ((u_int16_t)ip->ip_len <= mtu) { ! ip->ip_len = htons((u_int16_t)ip->ip_len); ! ip->ip_off = htons((u_int16_t)ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); --- 369,376 ---- * If small enough for mtu of path, can just send directly. */ if ((u_int16_t)ip->ip_len <= mtu) { ! HTONS(ip->ip_len); ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); error = (*ifp->if_output)(ifp, m, sintosa(dst), ro->ro_rt); *************** *** 437,443 **** } m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = (struct ifnet *)0; ! mhip->ip_off = htons((u_int16_t)mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); ipstat.ips_ofragments++; --- 438,444 ---- } m->m_pkthdr.len = mhlen + len; m->m_pkthdr.rcvif = (struct ifnet *)0; ! HTONS(mhip->ip_off); mhip->ip_sum = 0; mhip->ip_sum = in_cksum(m, mhlen); ipstat.ips_ofragments++; *************** *** 451,457 **** m_adj(m, hlen + firstlen - (u_int16_t)ip->ip_len); m->m_pkthdr.len = hlen + firstlen; ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); ! ip->ip_off = htons((u_int16_t)(ip->ip_off | IP_MF)); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); sendorfree: --- 452,459 ---- m_adj(m, hlen + firstlen - (u_int16_t)ip->ip_len); m->m_pkthdr.len = hlen + firstlen; ip->ip_len = htons((u_int16_t)m->m_pkthdr.len); ! ip->ip_off |= IP_MF; ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(m, hlen); sendorfree: *************** *** 1222,1229 **** * than the interface's MTU. Can this possibly matter? */ ip = mtod(copym, struct ip *); ! ip->ip_len = htons((u_int16_t)ip->ip_len); ! 
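Review bot: The added `HTONS(ip->ip_id)` sits in the else branch ip_output takes for every packet the local stack did not build itself, which in 4.4BSD-derived ip_output covers the raw-socket IP_HDRINCL path as well as forwarding, yet the ip_input.c hunk that drops the matching conversion only changes ip_forward. If rip_output still hands over ip_id in network order (it is not part of this patch), raw-socket packets would now be byte-swapped a second time; narrowing the new line to `if (flags & IP_FORWARDING) HTONS(ip->ip_id);` keeps the conversion paired with the removal in ip_forward, assuming the flags parameter carries its usual name here. The condition controlling this else branch is just outside the hunk, so the exact set of callers it covers should be confirmed there.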
ip->ip_off = htons((u_int16_t)ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); (void) looutput(ifp, copym, sintosa(dst), NULL); --- 1224,1231 ---- * than the interface's MTU. Can this possibly matter? */ ip = mtod(copym, struct ip *); ! HTONS(ip->ip_len); ! HTONS(ip->ip_off); ip->ip_sum = 0; ip->ip_sum = in_cksum(copym, ip->ip_hl << 2); (void) looutput(ifp, copym, sintosa(dst), NULL); *** udp_usrreq.c.orig Wed Jan 14 01:41:37 1998 --- udp_usrreq.c Sun Dec 6 17:44:53 1998 *************** *** 303,308 **** --- 303,309 ---- /* It was a debugger connect packet, just drop it now */ goto bad; #endif + ip->ip_len += ip->ip_hl << 2; icmp_error(m, ICMP_UNREACH, ICMP_UNREACH_PORT, 0, 0); return; } To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-security" in the body of the message
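Review bot: The added `ip->ip_len += ip->ip_hl << 2;` presumably restores the header length that ip_input stripped from ip_len before dispatching to udp_input, so that the new `oip->ip_len - oiplen` arithmetic in icmp_error sees the full datagram length; a comment saying so, `/* restore the header length ip_input removed; icmp_error expects the full ip_len */`, would explain an otherwise puzzling adjustment. Any other protocol input routine that calls icmp_error with a header in the same stripped state needs the identical adjustment and is not covered by this patch, which is a second reason to clamp the length inside icmp_error itself rather than at each call site. udp_input continues outside the hunk.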