This paper will highlight a potentially serious loophole in networks that rely
on dynamic IP assignment, more specifically the dial-up dynamic IP assignment
provided by almost every Internet Service Provider. The problem allows the
unauthorized use of the previous host's connections, for instance in-progress
telnet and ftp control sessions. The issue is reminiscent of the old problem
where terminal servers would sometimes hand an already logged-in session to a
user lucky enough to call precisely after a forced disconnect due to line noise
or some other outside factor.
----[ The Problem
To perform this feat we rely on some well-known concepts, usually employed for
non-blind spoofing or session hijacking. First, we have to understand what
a connection looks like after an abrupt loss of service. The key point is
that the connection does not simply disappear, because there is no way for the
disconnected host to notify the remote end that it has lost its link. If the
remote end tries to send more data and there is no host available, the upstream
router will generate an ICMP unreachable and the connection will be terminated.
If another dial-up user connects before the remote end has sent any more data,
the story is different. For a TCP-based connection, the new host's kernel will
see a packet arriving for a port with no connection, usually with PUSH and ACK
set or simply ACK, and will generate a RST, ending the connection. For an
incoming UDP packet, an ICMP unreachable is generated instead. Either way the
connection will evaporate.
----[ The Solution
Solving the problem has two parts. We must first prevent the kernel from
killing the connections, and second we must make sure the remote end knows we
are still alive, to prevent timeouts. For UDP the answer is very simple. As
long as we block outbound ICMP unreachable packets the remote end won't
disconnect. Application timeouts must be dealt with, of course. For TCP we have
a bigger problem, since the connections will die if not responded to. To
prevent our poisonous RST packets from reaching the remote side we simply block
all outbound TCP traffic. To keep the dialogue going, we simply ACK all
incoming PUSH|ACK packets and increment the ACK and SEQ numbers accordingly. We
recover data from packets with the PUSH flag set. Additionally we can
send data back down the connection by setting the PUSH and ACK flags on
our outbound packets.
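The two sections above describe four fates for a connection whose dial-up peer
has vanished: an ICMP unreachable from the upstream router when nobody holds the
address, a RST (TCP) or ICMP unreachable (UDP) from a normally behaving new
holder, a retransmission timeout when a TCP peer never answers, and survival
when a UDP peer never answers. The following model is an added illustration,
not code from the paper or from pshack.c; the clock, the documentation address
198.51.100.23 and the application-level idle timeout on the remote end (the
obvious defensive counterpart, which the paper does not discuss) are all
constructed for the example.

```python
"""Model of what happens to a connection whose dial-up peer has vanished.

Added illustration, not part of the original paper or of pshack.c. The
timeline, the address and the idle-timeout policy are constructed.
"""
from dataclasses import dataclass


@dataclass
class Connection:
    proto: str            # "tcp" or "udp"
    peer_ip: str          # dynamic address the remote end believes it is talking to
    last_activity: float  # seconds on a constructed clock
    state: str = "established"


class Host:
    """A newly dialed-in host that inherited the recycled address.

    A normal kernel has no state for the inherited connection: it answers a
    stray TCP segment with RST and a stray UDP datagram with ICMP unreachable.
    A host that answers nothing at all (whatever the reason) returns None.
    """
    def __init__(self, answers=True):
        self.answers = answers

    def receive(self, proto):
        if not self.answers:
            return None
        return "rst" if proto == "tcp" else "icmp-unreachable"


class DialupPool:
    """Tracks which host, if any, currently holds each dynamic address."""
    def __init__(self):
        self.holders = {}

    def assign(self, ip, host):
        self.holders[ip] = host

    def release(self, ip):
        self.holders.pop(ip, None)

    def deliver(self, proto, ip):
        host = self.holders.get(ip)
        if host is None:
            return "icmp-unreachable"   # upstream router: no such host on the link
        return host.receive(proto)


class RemoteEnd:
    """Server side: holds the connection table and decides when to drop entries."""
    def __init__(self, idle_limit=None):
        self.table = {}
        self.idle_limit = idle_limit   # optional application-level idle timeout (seconds)

    def add(self, cid, conn):
        self.table[cid] = conn

    def send(self, cid, pool):
        """Send more data to the peer and act on whatever comes back."""
        conn = self.table[cid]
        reply = pool.deliver(conn.proto, conn.peer_ip)
        if reply in ("rst", "icmp-unreachable"):
            conn.state = "terminated by " + reply
        elif reply is None and conn.proto == "tcp":
            # No ACK ever arrives, so the stack retransmits and finally gives up.
            conn.state = "terminated by retransmission timeout"
        # UDP with no reply: nothing tells the remote end anything is wrong.
        if conn.state != "established":
            del self.table[cid]
        return conn.state

    def reap_idle(self, now):
        """Defensive counterpart (constructed): close connections idle too long."""
        if self.idle_limit is None:
            return []
        reaped = [cid for cid, c in self.table.items()
                  if now - c.last_activity > self.idle_limit]
        for cid in reaped:
            self.table[cid].state = "closed by idle timeout"
            del self.table[cid]
        return reaped


def stranded_connection_fate(proto, new_holder, idle_limit=None):
    """Drive one stranded connection through the sequence of events.

    Constructed timeline: link lost at t=0, address possibly reassigned,
    remote end sends more data, idle reaper runs at t=900.
    Returns (state after the remote end sends, state after the reaper).
    """
    pool = DialupPool()
    remote = RemoteEnd(idle_limit=idle_limit)
    conn = Connection(proto, "198.51.100.23", last_activity=0.0)
    remote.add("c1", conn)
    pool.release(conn.peer_ip)            # dial-up drops; nobody notifies the remote end
    if new_holder is not None:
        pool.assign(conn.peer_ip, new_holder)
    after_send = remote.send("c1", pool)
    remote.reap_idle(now=900.0)
    return after_send, conn.state


if __name__ == "__main__":
    cases = [("tcp", None, None), ("tcp", Host(), None), ("udp", Host(), None),
             ("tcp", Host(answers=False), None), ("udp", Host(answers=False), None),
             ("udp", Host(answers=False), 600)]
    for proto, holder, limit in cases:
        holder_desc = "nobody" if holder is None else ("normal kernel" if holder.answers else "silent host")
        print(f"{proto} / {holder_desc} / idle_limit={limit}: {stranded_connection_fate(proto, holder, limit)}")
```

The only case in which the stranded connection outlives the remote end's next
transmission is a UDP peer that never answers, and even that case is bounded
once the remote end enforces an idle timeout of its own.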
----[ Implementation
To stop our kernel from killing the latent connections, we first block all
outbound traffic. Under Linux a command such as the following would be
effective:
/sbin/ipfwadm -O -a deny -S 0.0.0.0/0 -P all -W ppp0
Now, no RST packets or ICMP will get out. We are essentially turning off
kernel networking support and handling all the details ourselves. This will
not allow us to send using raw sockets, unfortunately. SOCK_PACKET could
be used, but in the interests of portability the firewall is simply opened
to send a packet and then closed again. To be useful on a larger number of
platforms, libpcap 0.4 was used for pulling packets off the wire and
Libnet 0.8b was used for putting them back again. The program itself is
called pshack.c because that's basically all it does. Additionally, it will
allow you to respond to in-progress connections just in case you find a root
shell. It will also accept inbound connections, and allow you to reply to
them. Note that this will only work on Linux right now, due to differences in
the handling of the firewall. This is very minor and will be fixed soon. It
should compile without incident on RedHat 5.1 or 4.2 and on Slackware as well,
given one change to the ip firewall header file, namely taking out the
#include <linux/tcp.h> line.
----[ Conclusions
Using this program it is easy to scavenge telnet and ftp control sessions,
or basically any low-traffic, idle connection. Grabbing ICQ sessions is a
good example of a UDP-based scavenge. Obviously, streaming connections,
such as ftp data, will be ICMP'd to death before they can be scavenged. It's
interesting to note that hosts that drop ICMP unreachable packets, for fear
of forged unreachable packets, are particularly vulnerable, as they will not
lose the connection as quickly.
<++> scavenge/pshack.c
/* - PshAck.c - Attempts to scavenge connections when you dial up an ISP.
 *  Author: Seth McGann <smm@wpi.edu> / www.el8.org (Check papers section)
 *  Date: 11/29/98
 *  Greets: dmess0r,napster,awr,all things w00w00,#203
 *  Version: 0.3
 *
 *  Usage:
 *    1. Dial up your ISP and start pshack up.
 *    2. If you are lucky you will see connections you did not
 *       make :)
 *    3. Repeat the procedure.
 *  Options:
 *    -i: The interface
 *    -l: Link offset
 *    -s: Your source IP
 *
 *  Compiling: 'gcc pshack.c -o pshack -lnet -lpcap' should work given you have
 *  libpcap and Libnet installed properly.
 *
 *  libpcap 0.4 : ftp://ftp.ee.lbl.gov/libpcap.tar.Z
 *  Libnet 0.8b: http://www.infonexus.com/~daemon9/Projects/Libnet/
 *
 *  Have fun!
 */