
Thread: Vulnerability: Linux 2.4 UDP Constant IP Identification Field Fingerprinting

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Vulnerability: Linux 2.4 UDP Constant IP Identification Field Fingerprinting

    A fingerprinting threat has been reported in some versions of the 2.4 Linux kernel IP stack implementation. UDP packets are transmitted with a constant IP Identification field of 0.


    An attacker may be able to exploit this weakness to discover the operating system and approximate kernel version of the vulnerable system. The ability to fingerprint operating systems based on minor differences in network implementations is well known, and not limited to Linux based systems.

    Remote: Yes

    Exploit: No

    Source: http://www.xatrix.org/modules.php?op...thread&order=1

  2. #2
    AntiOnline Senior Member souleman's Avatar
    Join Date
    Oct 2001
    Location
    Flint, MI
    Posts
    2,883
    I have seen this someplace else, but I can't remember where.

    Here's the thing though. Almost any system will be fingerprinted. There are always slight differences. So what's the big deal? If you take care of the security on your site, you should be able to give out the OS, every daemon running, and every possible login, and not have anything to worry about. (If you maintain a good password policy, that is).

    I have been having real problems with xantix.org lately. I have seen them post hoaxes as fact. Now they make a fingerprint look like a vulnerability. It's just kinda stupid if you ask me.
    "Ignorance is bliss....
    but only for your enemy"
    -- souleman

  3. #3
    str34m3r
    Guest
    souleman is correct - if your box is secure, then you shouldn't need to worry if they know you have a linux box.

    In addition to his post, I heard a very good explanation of why they _intentionally_ coded it this way. The simplest way to create a packet is to simply set aside a section of memory for the packet and start filling in the necessary fields. For something like a UDP packet, there are some spaces in the packet that just aren't normally used. So if the field is left alone, it simply contains some data from whatever was stored in that section of memory previously. So instead of leaving those sections alone, they intentionally zeroed out the unused fields (such as the IP identification field) so that when the packet gets sent out, it doesn't give out any information that may have been lying around in memory.

  4. #4
    Senior Member
    Join Date
    Oct 2001
    Posts
    638
    Here's the thing though. Almost any system will be fingerprinted. There are always slight differences. So what's the big deal? If you take care of the security on your site, you should be able to give out the OS, every daemon running, and every possible login, and not have anything to worry about.
    Very true but what about poor IIS users. Advertising the fact that you are running MS IIS is like waving a white flag and screaming "Please hack me, I don't care!" .
    OpenBSD - The proactively secure operating system.

  5. #5
    str34m3r
    Guest
    You're absolutely correct smirc. Sometimes I forget that there are still people out there using IIS. My instinct of course is to question their sanity, but then I have to remind myself that a lot of times upper management tells them they have to use M$ products and they just have to obey.

  6. #6
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255

    Re: Vulnerability: Linux 2.4 UDP Constant IP Identification Field Fingerprinting

    Originally posted here by s0nIc
    A fingerprinting threat has been reported in some versions of the 2.4 Linux kernel IP stack implementation. UDP packets are transmitted with a constant IP Identification field of 0.


    An attacker may be able to exploit this weakness to discover the operating system and approximate kernel version of the vulnerable system. The ability to fingerprint operating systems based on minor differences in network implementations is well known, and not limited to Linux based systems.

    Remote: Yes

    Exploit: No

    Source: http://www.xatrix.org/modules.php?op...thread&order=1
    Actually, this isn't really a 'vulnerability' per se; Fyodor (of NMAP fame) had some very interesting comments on the discussion via bugtraq:

    On Tue, Mar 19, 2002, Ofir Arkin (ofir@stake.com) wrote:
    >
    > Linux Kernel 2.4.x has a bug with the UDP implementation which allows
    > both active and passive fingerprinting of Linux machines based on the
    > 2.4.x Kernel.

    Actually, as Crist Clark noted, this is a feature with both security
    and efficiency benefits. It also isn't specific to UDP -- you'll find
    similar TCP behavior. Nor is it exclusive to Linux 2.4 kernels --
    Some (all?) Cisco IOS 12.0 - 12.3 devices and various Linksys
    broadband routers do this.

    I agree that this is useful for remote OS detection. In fact,
    the Nmap Security Scanner has been using this OS detection technique
    for more than a year (since 2.54BETA20). You can grab a copy at
    http://www.insecure.org/nmap/ .

    > 03/16-11:49:41.531642 192.168.1.200:1024 -> x.x.x.x:53 UDP TTL:64
    > TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF
    > Len: 43
    > BC 0D 01 00 00 01 00 00 00 00 00 00 03 77 77 77 .............www
    > 03 63 6E 6E 03 63 6F 6D 05 6C 6F 63 61 6C 00 00 .cnn.com.local..
    > 01 00 01 ...
    >
    > The IP Identification field value with the UDP datagram is zero (0). The
    > value will be constant and will not be changed for future UDP datagrams
    > I will be sending.

    Last year I added a feature to Nmap which automates this IPID
    classification. Give the Nmap arguments "-v -O" against the host
    above and it should say "IPID Sequence Generation: All zeros". Other
    IPID classes Nmap understands include "incremental" (most machines),
    "duplicated IPID" (mostly stupid devices like printers), "Broken
    little-endian incremental" (Windows), "Randomized" (OpenBSD), and
    "Random positive increments". The XML output will provide the actual
    ID numbers in case you want to do your own analysis.

    A more recent IPID-related Nmap feature is the Idlescan (-sI). This
    clever method (discovered by Antirez) allows for a truly blind TCP
    port scan -- no packets are sent to the target from your real IP
    address. Instead, a unique side-channel attack exploits predictable
    IPID sequences on a chosen "zombie" host to glean information about
    open ports on the target network. IDS systems will report the scan as
    coming from the zombie. Besides being extraordinarily stealthy (due
    to its blind nature), this scan type permits mapping out IP-based
    trust relationships between machines.

    Please excuse my blatant Nmap promoting, but IPID analysis is one of
    my favorite reconnaissance techniques. The methods are subtle, but
    can provide a wealth of information to potential attackers.
    Fortunately, recent versions of Linux, Solaris, and OpenBSD (among
    others) address most of the issues. Let's hope that other vendors
    follow their lead.

    Cheers,
    Fyodor
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?
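The IPID classes Fyodor lists ("All zeros", "Incremental", "Broken little-endian incremental", "Randomized", "Random positive increments", "Duplicated IPID") can be reproduced from a handful of captured IP ID values. The block below is an added example, not Nmap's code nor anything posted in this thread: it pulls the `ID:` field out of Snort-style header lines like Ofir's capture and applies a simplified approximation of Nmap's heuristic (the step threshold `max_step` and the sample log are constructed assumptions).

```python
import re
from typing import Iterable, List

# Constructed Snort-style header lines in the format quoted in the thread.
# A Linux 2.4 host sending UDP would show ID:0 on every datagram.
SAMPLE_LOG = [
    "03/16-11:49:41.531642 192.168.1.200:1024 -> 192.0.2.53:53 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:63 DF",
    "03/16-11:49:42.002310 192.168.1.200:1024 -> 192.0.2.53:53 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:61 DF",
    "03/16-11:49:42.771004 192.168.1.200:1024 -> 192.0.2.53:53 UDP TTL:64 TOS:0x0 ID:0 IpLen:20 DgmLen:64 DF",
]

_ID_RE = re.compile(r"\bID:(\d+)\b")


def extract_ipids(lines: Iterable[str]) -> List[int]:
    """Return the 16-bit IP Identification value from each header line that carries one."""
    ids = []
    for line in lines:
        m = _ID_RE.search(line)
        if m:
            ids.append(int(m.group(1)) & 0xFFFF)
    return ids


def _byteswap16(v: int) -> int:
    # Windows increments the ID in host (little-endian) order, so on the wire
    # it looks like steps of 256; swapping bytes recovers the real counter.
    return ((v & 0xFF) << 8) | (v >> 8)


def _diffs(ids: List[int]) -> List[int]:
    # Successive differences modulo 2^16 so that 65535 -> 0 counts as a step of 1.
    return [(b - a) % 0x10000 for a, b in zip(ids, ids[1:])]


def classify_ipid(ids: List[int], max_step: int = 10) -> str:
    """Classify an observed IPID sequence (simplified Nmap-style heuristic, assumption)."""
    if len(ids) < 2:
        return "Insufficient data"
    if all(i == 0 for i in ids):
        return "All zeros"
    if len(set(ids)) == 1:
        return "Duplicated IPID"
    d = _diffs(ids)
    if all(1 <= x <= max_step for x in d):
        return "Incremental"
    if all(1 <= x <= max_step for x in _diffs([_byteswap16(i) for i in ids])):
        return "Broken little-endian incremental"
    if all(0 < x < 0x8000 for x in d):  # always moving forward, but by large jumps
        return "Random positive increments"
    return "Randomized"
```

Running `classify_ipid(extract_ipids(SAMPLE_LOG))` on the constructed capture gives "All zeros", the class Fyodor says Nmap reports for this kernel; feeding it IDs collected from your own hosts shows which class each one advertises.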
