Breaching dual homed hosts?

From: Marcus Haebler (mcwimp@gmail.com)
Date: Mon Feb 28 2005 - 02:56:43 EST


I am looking to traverse a dual homed host with "IP Forwarding"
DISABLED. Let's assume that the host implements the weak ES model
as defined by RFC1122. I am not looking (at this stage) to exploit
any applications on the dual homed host itself but rather on hosts &
applications behind it via the dual homed host.

I am connected to the interface which has the default route. For
clarity purposes I call the interface facing me the WAN
interface. The other interface will be called the LAN interface.
All interfaces are Ethernet.

For starters I can send ICMP echo_reply packets out on the LAN interface
(if I know the IP address space) by spoofing the source address in an
ICMP echo request. All other ICMP req./reply based services will work
the same way. Similarly I could send/generate TCP SYN|ACKs, RSTs, UDP
app layer packets and ICMP port unreachables on the LAN by spoofing the
source address. With the exclusion of the UDP app layer, this does not
really do much except for being able to DoS hosts on the far end by
flooding them with packets. The UDP app layer has some potential. If
UDP echo is enabled I could use that to introduce a single packet UDP
exploit (a la Slammer) on the LAN side.

If I am L2 connected to the system in some way, I can access
services running on the LAN side by L2 addressing the local
interface and L3 addressing the far side interface. This will fail
for strong ES model implementations.

What other attacks are possible in this case? The goal is to
get to the LAN network. Should ICMP redirects do anything for
me? Are there any papers on this topic?

Since I realize that a lot of attacks depend heavily on the OS network
stack implementation, the system I am looking at is a more or less stock
Solaris 9 installation w/o X11 & NFS.

Thanks,

Marcus
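An added worked example (not part of Marcus's post, and not Solaris code) of the reflection trick described above: build an IP packet with a spoofed LAN source, aim it at the host's WAN address, and model what a weak-ES host sends back and which interface the answer leaves on. It covers both the ICMP echo case and the UDP echo (port 7) case, plus the ICMP port unreachable a closed UDP port produces. The topology (host WAN address 198.51.100.1, host LAN address 10.0.0.1 on 10.0.0.0/24, LAN victim 10.0.0.20), the route table and the payload bytes are all constructed for the example; nothing is sent on the wire, since that would need a raw socket as root.

```python
"""Added example (not from the original post): build spoofed packets aimed at
a dual-homed host that follows the RFC 1122 "weak end system" model, and model
what the host sends back and which interface it leaves on.
Constructed topology: host WAN 198.51.100.1 (attacker side), host LAN 10.0.0.1
on 10.0.0.0/24, LAN victim 10.0.0.20.  Only builds bytes; sending them needs
a raw socket (root) and is not done here."""
import ipaddress
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum; a correct header sums to 0 under it."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def _ip_header(src, dst, proto, payload_len, ttl=64):
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0x1234, 0,
                      ttl, proto, 0, ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def icmp_msg(src, dst, typ, code, rest, data=b""):
    """Generic ICMP message; rest is the 4-byte field after the checksum."""
    body = struct.pack("!BBH", typ, code, 0) + rest + data
    body = body[:2] + struct.pack("!H", checksum(body)) + body[4:]
    return _ip_header(src, dst, 1, len(body)) + body


def icmp_echo(src, dst, typ, ident, seq, data):
    """typ 8 = echo request, 0 = echo reply."""
    return icmp_msg(src, dst, typ, 0, struct.pack("!HH", ident, seq), data)


def udp_packet(src, sport, dst, dport, payload):
    length = 8 + len(payload)
    hdr = struct.pack("!HHHH", sport, dport, length, 0)
    pseudo = (ipaddress.IPv4Address(src).packed + ipaddress.IPv4Address(dst).packed
              + struct.pack("!BBH", 0, 17, length))
    csum = checksum(pseudo + hdr + payload) or 0xFFFF   # RFC 768: 0 means "none"
    return _ip_header(src, dst, 17, length) + hdr[:6] + struct.pack("!H", csum) + payload


def parse(pkt):
    """-> (proto, src, dst, transport bytes)"""
    ihl = (pkt[0] & 0x0F) * 4
    return (pkt[9], str(ipaddress.IPv4Address(pkt[12:16])),
            str(ipaddress.IPv4Address(pkt[16:20])), pkt[ihl:])


def icmp_fields(body):
    """-> (type, code, ident/unused, seq/unused, data)"""
    typ, code, _, a, b = struct.unpack("!BBHHH", body[:8])
    return typ, code, a, b, body[8:]


def udp_fields(body):
    sport, dport, length, _ = struct.unpack("!HHHH", body[:8])
    return sport, dport, body[8:length]


def weak_es_reply(pkt, host_addrs, udp_echo_enabled=True):
    """Model of the host's stack: weak ES accepts pkt if dst is *any* local
    address, whichever interface it arrived on, and answers the (spoofed) src.
    Forwarding is off, so packets for other destinations are dropped."""
    proto, src, dst, body = parse(pkt)
    if dst not in host_addrs:
        return None
    if proto == 1:
        typ, code, ident, seq, data = icmp_fields(body)
        if typ == 8:                             # echo request -> echo reply
            return icmp_echo(dst, src, 0, ident, seq, data)
        return None                              # ICMP errors/replies get no answer
    if proto == 17:
        sport, dport, payload = udp_fields(body)
        if dport == 7 and udp_echo_enabled:      # inetd echo: same payload back
            return udp_packet(dst, 7, src, sport, payload)
        # closed port: ICMP port unreachable quoting IP header + 8 bytes
        return icmp_msg(dst, src, 3, 3, b"\x00" * 4, pkt[:28])
    return None


def egress_interface(dst, routes):
    """Longest-prefix route lookup; routes = [(prefix, ifname), ...]."""
    addr = ipaddress.IPv4Address(dst)
    best = None
    for prefix, ifname in routes:
        net = ipaddress.IPv4Network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname)
    return best[1] if best else None


if __name__ == "__main__":
    HOST = {"198.51.100.1", "10.0.0.1"}
    ROUTES = [("0.0.0.0/0", "wan"), ("198.51.100.0/24", "wan"), ("10.0.0.0/24", "lan")]
    # spoofed LAN source, sent to the WAN address: the reply is routed out the LAN side
    rep = weak_es_reply(icmp_echo("10.0.0.20", "198.51.100.1", 8, 7, 1, b"ping"), HOST)
    print("echo reply ->", parse(rep)[2], "via", egress_interface(parse(rep)[2], ROUTES))
    # UDP echo bounces the payload to the victim at the port we chose as "source"
    rep = weak_es_reply(udp_packet("10.0.0.20", 1434, "198.51.100.1", 7, b"\x04" + b"A" * 16), HOST)
    print("udp echo ->", parse(rep)[2], udp_fields(parse(rep)[3])[:2], "via", egress_interface(parse(rep)[2], ROUTES))
```

The point the model makes concrete: the only choice the attacker controls is the spoofed source, and because the reply's destination drives the route lookup, a source inside the LAN prefix puts the reply on the LAN interface with the host's own LAN address as source. For UDP echo the "source port" of the spoofed datagram becomes the destination port of the reflected one, which is what makes the single-packet delivery idea work; a closed port instead yields an ICMP port unreachable carrying only the first 8 bytes of the datagram. A strong-ES host would refuse the packet at the first check (destination address not bound to the arrival interface) and none of this applies.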



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:54:17 EDT