Vulnerability

    Foundry

Affected

    Foundry Networks Networking Devices

Description

Ofir Arkin found the following. Foundry Networks networking devices pad their ICMP Port Unreachable error messages with 12 extra bytes of data.

Our first example is with a ServerIron switch running software version 7.1.02T12 eliciting an ICMP Port Unreachable error message:

    [root@godfather]# hping2 -2 -c 1 y.y.y.y
    eth0 default routing interface selected (according to /proc)
    HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 0 data bytes
    ICMP Port Unreachable from y.y.y.y (y.y.y.y)

    --- y.y.y.y hping statistic ---
    1 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    [root@godfather]#

    12:08:47.793503 eth0 > x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 64, id 44437)
            4500 001c ad95 0000 4011 885f xxxx xxxx
            yyyy yyyy 09c2 0000 0008 b13f
    12:08:48.240208 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0 unreachable Offending pkt: x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 51, id 44437) (ttl 51, id 17453)
            4500 0044 442d 0000 3301 feaf yyyy yyyy
            xxxx xxxx 0303 739c 0000 0000 4500 001c
            ad95 0000 3311 955f xxxx xxxx yyyy yyyy
            09c2 0000 0008 b13f dd2c 2a16 38e1 7646
            7aaa 9d41

From the tcpdump trace we can see that the offending packet's IP header and the first 8 data bytes were echoed correctly. Right after those come 12 bytes of padding that came from nowhere.

The next example is with Foundry Networks BigIron 8000 running software version 6.6.05T51.
With this test I have sent a UDP datagram with 80 bytes of data to a closed UDP port on the BigIron 8000:

    [root@godfather /root]# hping2 -2 -c 3 -d 80 y.y.y.y
    ppp0 default routing interface selected (according to /proc)
    HPING y.y.y.y (ppp0 y.y.y.y ): udp mode set, 28 headers + 80 data bytes
    ICMP Port Unreachable from y.y.y.y (y.y.y.y)
    ICMP Port Unreachable from y.y.y.y (y.y.y.y)
    ICMP Port Unreachable from y.y.y.y (y.y.y.y)

    --- y.y.y.y hping statistic ---
    3 packets tramitted, 0 packets received, 100% packet loss
    round-trip min/avg/max = 0.0/0.0/0.0 ms
    [root@godfather /root]#

    11:40:36.694235 ppp0 > x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 64, id 25211)
            4500 006c 627b 0000 4011 2e7a xxxx xxxx
            yyyy yyyy 0adb 0000 0058 3d09 5858 5858
            5858 5858 5858 5858 5858 5858 5858 5858
            5858 5858 5858 5858 5858 5858 5858 5858
            5858 5858 5858 5858 5858 5858 5858 5858
            5858 5858 5858 5858 5858 5858 5858 5858
            5858 5858 5858 5858 5858 5858
    11:40:37.913018 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0 unreachable Offending pkt: x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 52, id 25211) (ttl 52, id 60504)
            4500 0044 ec58 0000 3401 b0d4 yyyy yyyy
            xxxx xxxx 0303 edf3 0000 0000 4500 006c
            627b 0000 3411 3a7a xxxx xxxx yyyy yyyy
            0adb 0000 0058 3d09 1c1d 1e1f 2021 2223
            2425 2627

Again, the offending packet's IP header and the first 8 data bytes are quoted correctly, and 12 data bytes are padded right after. This is a nice pattern that allows us to identify Foundry Networks networking devices.

Solution

    Nothing yet.
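
The check made by eye on the two traces above, as an added example that is not part of the original advisory: it parses a probe and the ICMP error it elicited, returns the bytes that follow the quoted IP header + 8 data bytes, and reports whether they echo the probe. The masked x.x.x.x / y.y.y.y addresses are replaced with constructed documentation addresses, and the function names are hypothetical.

```python
# Constructed stand-ins for the advisory's masked addresses (assumption);
# IP and ICMP checksums are therefore not verified.
X = "c0000201"  # 192.0.2.1 in place of x.x.x.x
Y = "c6336401"  # 198.51.100.1 in place of y.y.y.y

# (probe, reply) hex pairs copied from the two tcpdump traces above.
SERVERIRON = (
    "4500001cad9500004011885f" + X + Y + "09c200000008b13f",
    "45000044442d00003301feaf" + Y + X + "0303739c00000000"
    "4500001cad9500003311955f" + X + Y + "09c200000008b13f"
    "dd2c2a1638e176467aaa9d41",
)
BIGIRON = (
    "4500006c627b000040112e7a" + X + Y + "0adb000000583d09" + "58" * 80,
    "45000044ec5800003401b0d4" + Y + X + "0303edf300000000"
    "4500006c627b000034113a7a" + X + Y + "0adb000000583d09"
    "1c1d1e1f2021222324252627",
)


def quote_tail(probe_hex, reply_hex):
    """Return (tail, faithful): the bytes after the quoted IP header + 8
    data bytes in an ICMP Destination Unreachable, and whether they repeat
    what the probe carried at the same offset."""
    probe, reply = bytes.fromhex(probe_hex), bytes.fromhex(reply_hex)
    if len(reply) < 20 or reply[0] >> 4 != 4 or reply[9] != 1:
        raise ValueError("not an IPv4 ICMP packet")
    ihl = (reply[0] & 0x0F) * 4
    if len(reply) < ihl + 36 or reply[ihl] != 3:
        raise ValueError("not a Destination Unreachable with a full quote")
    total = min(int.from_bytes(reply[2:4], "big"), len(reply))
    quote = reply[ihl + 8:total]       # skip the 8-byte ICMP header
    cut = (quote[0] & 0x0F) * 4 + 8    # quoted IP header + 8 data bytes
    tail = quote[cut:]
    # The quoted header's TTL and checksum change in transit, so only the
    # tail is compared. A probe shorter than cut + len(tail) cannot match.
    return tail, tail == probe[cut:cut + len(tail)]


def has_12_byte_pad(probe_hex, reply_hex):
    """True when the reply shows the 12 non-echoed bytes seen in both traces."""
    tail, faithful = quote_tail(probe_hex, reply_hex)
    return len(tail) == 12 and not faithful


if __name__ == "__main__":
    for name, pair in (("ServerIron", SERVERIRON), ("BigIron", BIGIRON)):
        tail, faithful = quote_tail(*pair)
        print(name, len(tail), tail.hex(), "echo" if faithful else "padding")
```

In the ServerIron case the probe is only 28 bytes long, so there is nothing left to echo; in the BigIron case the probe holds 0x58 at those offsets, so the 12 bytes are not a longer quote of the original datagram.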