On Wed, 12 Nov 2003, Paul Johnston wrote:

> Hi,
>
> I'm trying to understand this plugin a bit better. Is this analysis
> reasonable?
>
> It sends six ICMP echo requests, with 18 bytes of "X" data as the
> payload. These packets have the "more fragments" flag set, and the same
> IPID. It then listens on quite a long timeout for an ICMP "IP reassembly
> time exceeded" message. Windows appears to always respond with a 56-byte
> packet, which is what I think is correct (IP header + ICMP header +
> original IP header + 8 bytes original data). But other OSs respond with
> longer messages, where the excess should be entirely made of the "X"
> payload. Sometimes it isn't, and the plugin fires.
>
> So - in theory this plugin should never false positive...?
>
> Just one thing I noticed - the plugin waits 31 seconds for the response,
> but I notice Windows 2000 default fragment timeout is 60 seconds. Also,
> there's a CVE for the vulnerability - CAN-2003-0001
The vulnerability is described here: http://www.secdev.org/adv/CARTSA-20030314-icmpleak.txt with a frame capture included. As this is a Linux 2.0 vulnerability, it is normal to focus on the Linux ICMP reassembly timeout, even though it will never hurt to check whether Windows boxes have the same vulnerability.

Moreover, the CVE is CAN-2003-0418. CAN-2003-0001 is etherleak. It is not the same vuln (but very close, though).

--
Philippe Biondi <phil@secdev.org>         SecDev.org
Security Consultant/R&D                   http://www.secdev.org
PGP KeyID:3D9A43E2 FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2
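The check Paul describes, as an added example that is not from the thread or from the plugin itself: given a captured ICMP "IP reassembly time exceeded" reply, it locates the quoted original datagram and flags any byte beyond the mandatory 8 quoted bytes that is not the "X" payload the probe carried. The sample replies (`build_reply`, `ECHO_HDR`, the IPID 0x4242, the leaked bytes) are constructed here for illustration; checksums are left zero and not verified.

```python
import struct

ICMP_TIME_EXCEEDED = 11          # ICMP type
CODE_REASSEMBLY_TIMEOUT = 1      # "fragment reassembly time exceeded"
MIN_REPLY_LEN = 56               # IP(20) + ICMP(8) + quoted IP(20) + 8 bytes of original data
PROBE_PAYLOAD = b"X" * 18        # the plugin's 18-byte "X" payload

def ip_header_len(pkt: bytes, off: int = 0) -> int:
    """Length in bytes of the IPv4 header starting at pkt[off], from its IHL nibble."""
    return (pkt[off] & 0x0F) * 4

def check_icmp_leak(reply: bytes) -> dict:
    """Classify a captured ICMP reply the way the thread describes the plugin doing it.

    A host must quote at least 8 bytes of the original datagram after the inner IP
    header (our echo header). Anything beyond that must be the 'X' payload we sent;
    any other byte value means the host quoted memory it should not have."""
    if len(reply) < MIN_REPLY_LEN:
        return {"valid": False, "excess": b"", "leak": False}
    ihl = ip_header_len(reply)
    if (reply[ihl], reply[ihl + 1]) != (ICMP_TIME_EXCEEDED, CODE_REASSEMBLY_TIMEOUT):
        return {"valid": False, "excess": b"", "leak": False}
    inner_off = ihl + 8                       # quoted original IP header follows the ICMP header
    data_off = inner_off + ip_header_len(reply, inner_off)
    excess = reply[data_off + 8:]             # bytes past the mandatory 8 quoted bytes
    return {"valid": True, "excess": excess, "leak": any(b != ord("X") for b in excess)}

def build_reply(quoted_data: bytes) -> bytes:
    """Constructed type 11/code 1 reply for testing (checksums left zero, not verified)."""
    outer_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + 20 + len(quoted_data),
                           0, 0, 64, 1, 0, bytes(4), bytes(4))
    icmp = struct.pack("!BBHI", ICMP_TIME_EXCEEDED, CODE_REASSEMBLY_TIMEOUT, 0, 0)
    # quoted header of our probe: same IPID on every fragment, MF flag (0x2000) set
    inner_ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 28 + len(PROBE_PAYLOAD),
                           0x4242, 0x2000, 64, 1, 0, bytes(4), bytes(4))
    return outer_ip + icmp + inner_ip + quoted_data

ECHO_HDR = struct.pack("!BBHHH", 8, 0, 0, 0x1234, 1)   # constructed echo request header
WINDOWS_STYLE = build_reply(ECHO_HDR)                   # 56 bytes, nothing beyond the minimum
FULL_QUOTE = build_reply(ECHO_HDR + PROBE_PAYLOAD)      # longer, but all excess is "X"
LEAKY = build_reply(ECHO_HDR + b"X" * 10 + b"\x7fELF" + b"X" * 4)  # simulated leaked bytes

if __name__ == "__main__":
    for name, pkt in [("windows_style", WINDOWS_STYLE), ("full_quote", FULL_QUOTE), ("leaky", LEAKY)]:
        r = check_icmp_leak(pkt)
        print(f"{name}: {len(pkt)} bytes, excess={r['excess']!r}, leak={r['leak']}")
```

A reply that quotes the whole probe is not a finding on its own; only excess bytes that differ from the probe payload are, which is why a longer-than-56-byte reply from a non-Windows host does not by itself fire the check.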
