[18006] in bugtraq
Foundry Networks Networking Devices Padded Bytes with ICMP Port
daemon@ATHENA.MIT.EDU (Ofir Arkin)
Sun Dec 10 21:16:27 2000
Message-Id: <GDEIJDIGIGIFHEIILCALOEKECJAA.ofir@sys-security.com>
Date: Wed, 6 Dec 2000 17:28:37 +0100
Reply-To: ofir@sys-security.com
From: Ofir Arkin <ofir@SYS-SECURITY.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Foundry Networks networking devices pad an extra 12 bytes of data onto
their ICMP Port Unreachable error messages. Our first example is with a
ServerIron switch running software version 7.1.02T12 eliciting an ICMP Port
Unreachable error message:
[root@godfather]# hping2 -2 -c 1 y.y.y.y
eth0 default routing interface selected (according to /proc)
HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 0 data bytes
ICMP Port Unreachable from y.y.y.y (y.y.y.y)
--- y.y.y.y hping statistic ---
1 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather]#
12:08:47.793503 eth0 > x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 64, id 44437)
4500 001c ad95 0000 4011 885f xxxx xxxx
yyyy yyyy 09c2 0000 0008 b13f
12:08:48.240208 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 51, id
44437) (ttl 51, id 17453)
4500 0044 442d 0000 3301 feaf yyyy yyyy
xxxx xxxx 0303 739c 0000 0000 4500 001c
ad95 0000 3311 955f xxxx xxxx yyyy yyyy
09c2 0000 0008 b13f dd2c 2a16 38e1 7646
7aaa 9d41
From the tcpdump trace we can see that the offending packet's IP header and
the first 8 data bytes were echoed correctly. Right after those, 12 bytes
were padded that came from nowhere.
The next example is with a Foundry Networks BigIron 8000 running software
version 6.6.05T51. In this test I sent a UDP datagram with 80 bytes
of data to a closed UDP port on the BigIron 8000:
[root@godfather /root]# hping2 -2 -c 3 -d 80 y.y.y.y
ppp0 default routing interface selected (according to /proc)
HPING y.y.y.y (ppp0 y.y.y.y ): udp mode set, 28 headers + 80 data bytes
ICMP Port Unreachable from y.y.y.y (y.y.y.y)
ICMP Port Unreachable from y.y.y.y (y.y.y.y)
ICMP Port Unreachable from y.y.y.y (y.y.y.y)
--- y.y.y.y hping statistic ---
3 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@godfather /root]#
11:40:36.694235 ppp0 > x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 64, id 25211)
4500 006c 627b 0000 4011 2e7a xxxx xxxx
yyyy yyyy 0adb 0000 0058 3d09 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858 5858 5858
5858 5858 5858 5858 5858 5858
11:40:37.913018 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
unreachable Offending pkt: x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 52, id
25211) (ttl 52, id 60504)
4500 0044 ec58 0000 3401 b0d4 yyyy yyyy
xxxx xxxx 0303 edf3 0000 0000 4500 006c
627b 0000 3411 3a7a xxxx xxxx yyyy yyyy
0adb 0000 0058 3d09 1c1d 1e1f 2021 2223
2425 2627
Again, the offending packet's IP header and the first 8 data bytes are
quoted correctly. 12 data bytes are padded right after.
A nice pattern that allows us to identify Foundry Networks networking
devices.
Ofir Arkin
ofir@sys-security.com
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA
Copyright 2000 Sys-Security.com & Ofir Arkin All rights reserved
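
Added example, not part of the original post: a Python check that can be run over captured ICMP Port Unreachable replies (for instance when inventorying your own network) to measure what follows the quoted IP header + 8 data bytes and to tell padding apart from a legitimately longer quote. The function name `quote_tail` and the documentation addresses substituted for the masked x.x.x.x / y.y.y.y fields are assumptions; checksums are not verified.

```python
import struct

# Constructed sample input: the two ICMP replies from the traces above, with the
# masked x.x.x.x / y.y.y.y fields filled in with documentation addresses
# (192.0.2.1 = c0000201, 198.51.100.1 = c6336401).
SERVERIRON_REPLY = bytes.fromhex("""
4500 0044 442d 0000 3301 feaf c633 6401
c000 0201 0303 739c 0000 0000 4500 001c
ad95 0000 3311 955f c000 0201 c633 6401
09c2 0000 0008 b13f dd2c 2a16 38e1 7646
7aaa 9d41""")
BIGIRON_REPLY = bytes.fromhex("""
4500 0044 ec58 0000 3401 b0d4 c633 6401
c000 0201 0303 edf3 0000 0000 4500 006c
627b 0000 3411 3a7a c000 0201 c633 6401
0adb 0000 0058 3d09 1c1d 1e1f 2021 2223
2425 2627""")
# The 108-byte probe of the second test: IP + UDP headers, then 80 bytes of 0x58.
BIGIRON_PROBE = bytes.fromhex(
    "4500006c627b000040112e7ac0000201c63364010adb000000583d09") + b"\x58" * 80


def quote_tail(reply, probe=None):
    """Return (tail, verdict); tail is what follows the quoted IP header + 8 bytes."""
    if len(reply) < 20 or reply[0] >> 4 != 4 or reply[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (reply[0] & 0x0F) * 4
    icmp = reply[ihl:struct.unpack("!H", reply[2:4])[0]]
    if icmp[:2] != b"\x03\x03" or len(icmp) < 36:
        raise ValueError("not a Port Unreachable carrying a full quote")
    quote = icmp[8:]                                  # skip type, code, checksum, unused
    q_ihl = (quote[0] & 0x0F) * 4
    q_total = struct.unpack("!H", quote[2:4])[0]      # length of the offending datagram
    tail = quote[q_ihl + 8:]
    if not tail:
        return tail, "none"
    if q_ihl + 8 + len(tail) > q_total:
        return tail, "padding"        # quote is longer than the datagram it quotes
    if probe is None:
        return tail, "unknown"        # RFC 1812 routers may quote more than 8 bytes
    same = probe[q_ihl + 8:q_ihl + 8 + len(tail)] == tail
    return tail, "original-data" if same else "padding"
```

The first reply is flagged without the probe because the quoted datagram was only 28 bytes long; the second needs the probe for comparison because the original datagram was long enough to supply 12 more bytes.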