TUCoPS :: Network Appliances :: foundry3.htm

Foundry Networks Networking Devices can be IDd by their error message padding
Vulnerability

    Foundry

Affected

    Foundry Networks Networking Devices

Description

    Ofir Arkin found following.   Foundry Networks networking  devices
    will pad extra 12 bytes  of data with their ICMP  Port Unreachable
    Error messages.   Our first  example is  with a  ServerIron switch
    running  software  version  7.1.02T12   eliciting  an  ICMP   Port
    Unreachable error message:

        [root@godfather]# hping2 -2 -c 1 y.y.y.y
        eth0 default routing interface selected (according to /proc)
        HPING y.y.y.y (eth0 y.y.y.y): udp mode set, 28 headers + 0 data bytes
        ICMP Port Unreachable from y.y.y.y (y.y.y.y)
        
        --- y.y.y.y hping statistic ---
        1 packets tramitted, 0 packets received, 100% packet loss
        round-trip min/avg/max = 0.0/0.0/0.0 ms
        [root@godfather]#
        
        
        12:08:47.793503 eth0 > x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 64, id 44437)
			         4500 001c ad95 0000 4011 885f xxxx xxxx
			         yyyy yyyy 09c2 0000 0008 b13f
        
        12:08:48.240208 eth0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
        unreachable Offending pkt: x.x.x.x.2498 > y.y.y.y.0: udp 0 (ttl 51, id
        44437) (ttl 51, id 17453)
			         4500 0044 442d 0000 3301 feaf yyyy yyyy
			         xxxx xxxx 0303 739c 0000 0000 4500 001c
			         ad95 0000 3311 955f xxxx xxxx yyyy yyyy
			         09c2 0000 0008 b13f dd2c 2a16 38e1 7646
			         7aaa 9d41

    From the tcpdump trace we  can see that the offending  packet's IP
    header and the  first 8 data  bytes were echoed  correctly.  Right
    after those, 12 bytes were padded, that came from no where.

    The next  example is  with Foundry  Networks BigIron  8000 running
    software  version  6.6.05T51.  With  this  test  I have sent a UDP
    datagram with 80 bytes of data to a closed UDP port on the BigIron
    8000:

        [root@godfather /root]# hping2 -2 -c 3 -d 80 y.y.y.y
        ppp0 default routing interface selected (according to /proc)
        HPING y.y.y.y  (ppp0 y.y.y.y  ): udp mode set, 28 headers + 80 data bytes
        ICMP Port Unreachable from y.y.y.y  (y.y.y.y)
        ICMP Port Unreachable from y.y.y.y  (y.y.y.y)
        ICMP Port Unreachable from y.y.y.y  (y.y.y.y)
        
        --- y.y.y.y  hping statistic ---
        3 packets tramitted, 0 packets received, 100% packet loss
        round-trip min/avg/max = 0.0/0.0/0.0 ms
        [root@godfather /root]#
        
        
        11:40:36.694235 ppp0 > x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 64, id 25211)
			         4500 006c 627b 0000 4011 2e7a xxxx xxxx
			         yyyy yyyy 0adb 0000 0058 3d09 5858 5858
			         5858 5858 5858 5858 5858 5858 5858 5858
			         5858 5858 5858 5858 5858 5858 5858 5858
			         5858 5858 5858 5858 5858 5858 5858 5858
			         5858 5858 5858 5858 5858 5858 5858 5858
			         5858 5858 5858 5858 5858 5858
        
        11:40:37.913018 ppp0 < y.y.y.y > x.x.x.x: icmp: y.y.y.y udp port 0
        unreachable Offending pkt: x.x.x.x.2779 > y.y.y.y.0: udp 80 (ttl 52, id
        25211) (ttl 52, id 60504)
			         4500 0044 ec58 0000 3401 b0d4 yyyy yyyy
			         xxxx xxxx 0303 edf3 0000 0000 4500 006c
			         627b 0000 3411 3a7a xxxx xxxx yyyy yyyy
			         0adb 0000 0058 3d09 1c1d 1e1f 2021 2223
			         2425 2627

    Again,  the  offending  packet's  IP  Header  and the first 8 data
    bytes are quoted correctly. 12 data bytes are padded right after.

    A  nice  pattern  that  allows  us  to  identify  Foundry Networks
    networking devices.

Solution

    Nothing yet.

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH