ICMP time exceeded DNAT info leak ?

Phil (biondi@cartel-securite.fr)
Tue, 2 Apr 2002 17:42:54 +0200 (CEST)


Hi all,

I've just seen that a if a linux 2.4 router does DNAT for a port (for ex.)
the ICMP time exceeded packet will take the mangled tcp packet as a
citation and won't un-DNAT the ICMP citation, so that the real IP and port
behind the gateway are revealed.

Ex:

Let's take a machine that does DNAT :
<spoiler>
iptables -t nat -A PREROUTING -p tcp --dport 666 -j DNAT --to 172.16.3.26:22
</spolier>

Then if a host send one side :
hping -t 1 --syn -p 666 172.16.1.40

This is the icmp packet we get
17:07:46.709230 172.16.1.40 > 172.16.1.28: icmp: time exceeded in-transit [tos
0xc0]
0x0000 45c0 0044 eaa6 0000 ff01 75f1 ac10 0128 E..D......u....(
0x0010 ac10 0118
0b00 516d 0000 0000
4500 0028 ......Qm....E..(
0x0020 b0f3 0000 0106 ac8a ac10 0118 ac10 031a <-+ ................
0x0030 04bd 0016 3206 3ec0 0490 00b4 5002 0200 | ....2.>.....P...
0x0040 d6b2 00^0 | ....
| 172.16.3.26
+-- port 22

I think it should not behave like this. I know some routers does not
see this kind of ICMP packets as related to the connection that trigerred
this error (for obvious reasons).
I've not taken the time to look into the sources yet.

I've just discovered that when making a patch to nmap today to implement a
"ttl scan" (as I've never heard about that technique before, that's how
I called it), so that I complemented the patch to automate this :

pbi@exchange1:~$ sudo ./nmap -sS -P0 mymachine -p 22,23,666,667 -t 9

Starting nmap V. 2.54BETA32 ( www.insecure.org/nmap/ )
Interesting ports on mymachine:
Port State Service
22/tcp open ssh
23/tcp filtered telnet
666/tcp UNfiltered doom DNAT to 192.168.8.10:22
667/tcp UNfiltered unknown DNAT to 192.168.26.10:22

Nmap run completed -- 1 IP address (1 host up) scanned in 2 seconds

-- 
Philippe Biondi <biondi@ cartel-securite.fr> Cartel Sécurité
Security Consultant/R&D                      http://www.cartel-securite.fr
Phone: +33 1 44 06 97 94                     Fax: +33 1 44 06 97 99
PGP KeyID:3D9A43E2  FingerPrint:C40A772533730E39330DC0985EE8FF5F3D9A43E2

- To unsubscribe from this list: send the line "unsubscribe linux-kernel" in the body of a message to majordomo@vger.kernel.org More majordomo info at http://vger.kernel.org/majordomo-info.html Please read the FAQ at http://www.tux.org/lkml/