From: ers@ers.ibm.com
Sent: Tuesday, September 21, 1999 4:42 AM
To: client-firstusa@ers.ibm.com
Subject: IBM-ERS Outside Advisory Redistribution: Network Associates,
Inc. Security Advisory: Windows IP Source Routing Vulnerability

-----BEGIN PGP SIGNED MESSAGE-----

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

                  =======  ============    ======       ======
                  =======  ==============  =======     =======
                    ===      ===     ====    ======   ======
                    ===      ===========     ======= =======
                    ===      ===========     === ======= ===
                    ===      ===     ====    ===  =====  ===
                  =======  ==============  =====   ===   =====
                  =======  ============    =====    =    =====

                           EMERGENCY RESPONSE SERVICE
			OUTSIDE ADVISORY REDISTRIBUTION

21 September 1999 08:30 GMT                      Number: ERS-OAR-E01-1999:145.1
===============================================================================

The IBM-ERS Outside Advisory Redistribution is designed to provide customers
of the IBM Emergency Response Service with access to the security advisories
sent out by other computer security incident response teams, vendors, and
other groups concerned about security.

IBM makes no representations and assumes no responsibility for the contents or
accuracy of the advisories themselves.

IBM-ERS is forwarding the following information from Network Associates,
Inc.  Contact information for Network Associates, Inc. is included in the
forwarded text below; please contact them if you have any questions or need
further information.

===============================================================================

********************** FORWARDED INFORMATION STARTS HERE **********************

- -----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

======================================================================

                      Network Associates, Inc.
                        SECURITY ADVISORY
                        September 20, 1999

             Windows IP Source Routing Vulnerability

                         BUGTRAQ ID: 646

======================================================================

SYNOPSIS

Windows TCP/IP stacks configured to disable IP forwarding or IP
source routing, allow specific source routed datagrams to route
between interfaces.  Effectively, the Windows TCP/IP stack can
not be configured to disable IP datagrams passing between
networks if two network cards have been installed.


======================================================================

VULNERABLE HOSTS

All versions of Windows NT (including Terminal Server Edition)
are vulnerable to the attacks within this advisory, including hosts
that have installed Service Pack 5 and enabled the following SP5
specific registry key to disable source routing:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet
 \Services\Tcpip\Parameters\DisableIPSourceRouting

All versions of Windows 95 and Windows 98 are vulnerable.

======================================================================

TECHNICAL DETAILS

Every IP stack is required to implement IP options, although they
may or may not appear in each IP datagram.  Options are variable
in length, and generally contain a type, length and data associated
with the option.  The option type is divided into three fields:
the copied flag, option class and the option number.  The copied
flag indicates that this option is copied into all fragments on
fragmentation.

The source route option provides routing information for gateways
in the delivery of a datagram to its destination.  There are two
variations loose and strict routes.  The loose source route (LSRR)
allows any number of intermediate gateways to reach the next
address in the route.  The strict source route (SSRR) requires the
next address in the source route to be on a directly connected
network, otherwise the delivery of the datagram can not be
completed.

The source route options have a variable length, containing a
series of IP addresses and an offset pointer indicating the next
IP address to be processed.  A source routed datagram completes
its delivery when the offset pointer points beyond the last field,
ie the pointer is greater than the length, and the address in
the destination address has been reached.  RFC 1122 states the
option as received must be passed up to the transport layer (or
to ICMP message processing).

It is a common security measure to disable IP source routing.  In
this situation, if a source routed packet attempts to use a
secure host as an intermediate router or to deliver its data to that
hosts application layer then the datagram should be dropped,
optionally delivering an ICMP unreachable - source route failed.
It is important to note that the datagram would be dropped at the
network layer prior to IP reassembly and before data is passed to
the application layer.

As with other operating systems (when configured to deny source
routed packets), if a source routed datagram attempts to use a
Windows host as an intermediate router, an ICMP source route
failed message is sent.  This implies that the offset pointer
is not greater than the length and the destination IP address
has not been reached.

When a source routed datagram completes its delivery, the offset
pointer is greater than the length and the destination has been
reached.

If a specially crafted IP packet, with source route options, has
the offset pointer set greater than the length, Windows TCP/IP
stacks will accept the source routed datagram (rather than
dropping it), and pass the data to the application layer for
processing.  The source route is reversed, delivering the reply
to this datagram to the first host in the reversed route.  Since
the source route can be manipulated by an attacker, the first
host in the reversed source route can be set to a host on the
second network (accessible via the second interface, i.e. the
internal network).

As a result, it is possible to pass data through all Windows
stacks with two network interfaces.

In addition to tunneling data, there are two scenarios which
can allow an intruder to obtain information about the remote
network while obscuring their origin.

The first allows any Windows host to be used to identify
non-Windows hosts that have source routing enabled.  A source
routed datagram is created with a false source address, containing
the true source address of the request and the address of a host
to be scanned in the option data.  Delivering this datagram,
with the correct offset, to a Windows host results in the route
being reversed and routed to the scanned host.  If this host
has source routing enabled the true source of the request
will then see a response returned.

Secondly, by utilizing the above source routing technique, and
masking their source address in the IP header, it is possible to
scan a Windows host for open ports using standard port scanning
techniques.

======================================================================

RESOLUTION

Microsoft has issued a hotfix for this vulnerability, which can be
obtained at the following address:

ftp://ftp.microsoft.com

/bussys/winnt/winnt-public/fixes/usa/nt40/Hotfixes-PostSP5/Spoof-fix

Please note that the above URL has been seperated for formatting
purposes.

A fix for Windows 95 and Windows 98 based systems is in production
and will follow.

======================================================================

CREDITS

Discovery and documentation of this vulnerability was conducted
by Anthony Osborne <Anthony_Osborne@nai.com> at the security labs
of Network Associates.

======================================================================

ABOUT THE NETWORK ASSOCIATES SECURITY LABS

The Security Labs at Network Associates hosts some of the most
important research in computer security today.  With over 30
security advisories published in the last 2 years, the Network
Associates security auditing teams have been responsible for the
discovery of many of the Internet's most serious security flaws.
This advisory represents our ongoing commitment to provide
critical information to the security community.

For more information about the Security Labs at Network
Associates, see our website at http://www.nai.com or contact us
at <seclabs@nai.com>.

======================================================================

NETWORK ASSOCIATES SECURITY LABS PGP KEY

- - -----BEGIN PGP PUBLIC KEY BLOCK-----
Version: PGP 5.5.5

mQGiBDXGgDsRBADVOnID6BtEhKlm2cNalho28YP0JAh+J4iRUIaiWshzI0tc0KPc
fvs+0xYwiqjxmeHi2sdIEPQ7S+ltA3Dlp6/DFojWBr2XB9hfWy4uiKBUHqnsKYnB
Gpkh6nIx7DIwn+u0PXMXbJCG3LYf8daiPVdzC2VFtbRvJL4wZc6NLQViFQCg/9uS
DuH/0NE6mO8Cu4iVrUT5Wk8D/ArOpV5T5yIuXHZO1/ZBVeHccVVvHe8wHK4D9WUs
FsB8fgYLNgdFMMjtam7QQSBY/P1KKBzaFqZhkfS4WVMAFEy94NHXG+KTCPhXkZzp
OPPqwWqZgfvOg0Bm20O/GhzQkB6JfFJqcfR87Ej0+fcDKrTTxAELWHGS7c9Qdn6P
bfwHA/4oLNwYrtgWNkjGcG018Pu2jKT7YuP9zBTMu28IBiWdPLGL9Wle4d5cdDVx
Es4iVl8FMtxlgTWCgMnBLS4nyM3pCn1HF+8Gi+IVKUXWCkqt/rtBMsrOMfrOgEIu
BWnTZcTR7kcWtH7xDFNyZ47U4pElLXwATVDty/FczAJnpeht2LQyTmV0d29yayBB
c3NvY2lhdGVzIFNlY3VyaXR5IExhYnMgPHNlY2xhYnNAbmFpLmNvbT6JAEsEEBEC
AAsFAjXGgDsECwMCAQAKCRCheCy6j9WBEtgDAKDpYMwQZP0Ipx7X0ivnTxxJkA/W
vACg4LZv0lmWqmnd7XCe4OIJ05aT6hK5Ag0ENcaAOxAIAPZCV7cIfwgXcqK61qlC
8wXo+VMROU+28W65Szgg2gGnVqMU6Y9AVfPQB8bLQ6mUrfdMZIZJ+AyDvWXpF9Sh
01D49Vlf3HZSTz09jdvOmeFXklnN/biudE/F/Ha8g8VHMGHOfMlm/xX5u/2RXscB
qtNbno2gpXI61Brwv0YAWCvl9Ij9WE5J280gtJ3kkQc2azNsOA1FHQ98iLMcfFst
jvbzySPAQ/ClWxiNjrtVjLhdONM0/XwXV0OjHRhs3jMhLLUq/zzhsSlAGBGNfISn
CnLWhsQDGcgHKXrKlQzZlp+r0ApQmwJG0wg9ZqRdQZ+cfL2JSyIZJrqrol7DVeky
CzsAAgIH/RZcJoRkhCf9O4Er+rciBNG3QqM3tek23oxGuVwqRxtGlGKuf+YaUDIA
vZhARftupZYJf/+AM9pyjjsF7ON/Df5oIXXhqzrDySw47dNB3I1FG7vwAUBRfYgG
NRP+zvf1nld+FgAXag1DIQteXYPtoMUJP8ZgvbELYVdZS2TapOHUv7r4rOY+UUjl
U+FkQPp9KCNreaNux4NxwT3tzXl1KqqkliC8sYxvMCkJ+JO71TKGplO9dXsf3O8p
2r33+LngmLs4O7inrUlmAUKq3jmCK50J7RsZjd6PlK/0JwcjFkOZeYrxTguZzCR4
QYmo8nEHqEMSKQci0VUf9KH4lHf6xmGJAEYEGBECAAYFAjXGgDsACgkQoXgsuo/V
gRK5LACgoAqLFk10kAMu6xb3ftO4+INJs14Ani+1hujlYRxYphN97c5ci8WtILNZ
=L3C6
- - ----

- -----BEGIN PGP SIGNATURE-----
Version: PGP 6.0.2

iQA/AwUBN+aLIKF4LLqP1YESEQIMowCgg5m54i4/SuSEfMy10hADCle78P4AoJi2
zZ/1QBgYJaQOwQULBxEOO0FF
=+mMr
- -----END PGP SIGNATURE-----

*********************** FORWARDED INFORMATION ENDS HERE ***********************

===============================================================================

IBM's Internet Emergency Response Service (IBM-ERS) is a subscription-based
Internet security response service that includes computer security incident
response and management, regular electronic verification of your Internet
gateway(s), and security vulnerability alerts similar to this one that are
tailored to your specific computing environment.  By acting as an extension
of your own internal security staff, IBM-ERS's team of Internet security
experts helps you quickly detect and respond to attacks and exposures across
your Internet connection(s).

As a part of IBM's Business Recovery Services organization, the IBM Internet
Emergency Response Service is a component of IBM's SecureWay(tm) line of
security products and services.  From hardware to software to consulting,
SecureWay solutions can give you the assurance and expertise you need to
protect your valuable business resources.  To find out more about the IBM
Internet Emergency Response Service, send an electronic mail message to
ers-sales@ers.ibm.com, or call 1-800-599-9950.

IBM-ERS maintains a site on the World Wide Web at http://www.ers.ibm.com/.
Visit the site for information about the service, copies of security alerts,
team contact information, and other items.

IBM-ERS uses Pretty Good Privacy* (PGP*) as the digital signature mechanism for
security vulnerability alerts and other distributed information.  The IBM-ERS
PGP* public key is available from http://www.ers.ibm.com/team-info/pgpkey.html.
"Pretty Good Privacy" and "PGP" are trademarks of Philip Zimmermann.

IBM-ERS is a Member Team of the Forum of Incident Response and Security Teams
(FIRST), a global organization established to foster cooperation and response
coordination among computer security teams worldwide.

The information in this document is provided as a service to customers of
the IBM Emergency Response Service.  Neither International Business Machines
Corporation, nor any of its employees, makes any warranty, express or implied,
or assumes any legal liability or responsibility for the accuracy, complete-
ness, or usefulness of any information, apparatus, product, or process
contained herein, or represents that its use would not infringe any privately
owned rights.  Reference herein to any specific commercial products, process,
or service by trade name, trademark, manufacturer, or otherwise, does not
necessarily constitute or imply its endorsement, recommendation or favoring
by IBM or its subsidiaries.  The views and opinions of authors expressed
herein do not necessarily state or reflect those of IBM or its subsidiaries,
and may not be used for advertising or product endorsement purposes.

- ---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---EXTERNAL RELEASE---

-----BEGIN PGP SIGNATURE-----
Version: 2.7.1

iQCVAwUBN+dEffWDLGpfj4rlAQHU6AQAzbReWmMSrhERaK+DWBSEZ/SjpP36w4Pn
ssWwzN8TDeqvfvXMkVm97wscSuExkfgdslWlokNJyT4OTY8ZAAx9H43hZ2botZ7q
qAq0e1E8SGgvHb3EPAd8Rixs0uCW8DgHPFhewA0UXxev6AOe5gTDTZtrIBUlRm5h
2JNl7DQ7xUw=
=nrUj
-----END PGP SIGNATURE-----
