Monday, 12 November 2007

Exploiting Loose Source Routing

"Source routing is an IP option which allows the originator of a packet to specify what path that packet will take, and what path return packets sent back to the originator will take. Source routing is useful when the default route that a connection will take fails or is suboptimal for some reason, or for network diagnostic purposes."

For more information on source routing, see RFC 791.


Take as our standard scenario the normal flow of traffic over the Internet: from the attacker via "router a", "router b" and "router c", through a firewall, and finally to the victim.

An attack that appears to come from a trusted host is clearly more likely to succeed. Many people think that this requires actually compromising the trusted host. With source routing this is not the case.

The routing could be made to go via "router a", "router b", "trusted host", the firewall and finally to the victim using the source IP of the trusted host.


If, for instance, the external trusted host is allowed through the firewall ruleset based on its source IP address, the attacker could bounce off this host to gain access to the internal network. The attack works because the trusted host retransmits the packet using its own IP address as the source address.

But it gets worse. Traffic can be source routed directly to many low-end firewalls, which then forward traffic to the internal network using their internal IP address as the new packet source.


Many of the low-end "NAT-based firewalls" available in the market are not true firewalls. Rather than setting up ACLs to filter traffic, they rely on a combination of NAT and private IP addressing to protect the internal network. Many of these boxes will respond to loose source routing. That is, they will forward packets that are received through source routing to their internal network. The most insidious part of this is that they will use the internal IP address of the firewall as the source address of the packet, which may even enable them to bypass many host-based firewall rules.

Having to guess the internal network of the victim may slow the attacker down a little, but the majority of these boxes default to an internal network of 192.168.0.x or 192.168.1.x, which makes this easier. Further, as I have mentioned in a previous post, it is generally simple to have the router respond with its internal interface. This of course is a dead giveaway to the internal network.

Many tools (even NC - Netcat) support a source route option. This allows the attacker to select the path that is taken to the host and also the return path. To set the attack up, the attacker source routes to the trusted host, which will be the last system outside the target's router or firewall.

Due to source routing, packets sent to the trusted host follow the reverse of the source route used to reach the trusted host and return to the attacker - even if they are using a "non-routed" public IP address.

Source routing allows the packets to follow a set path. It does not require the standard routing protocols and is thus dangerous. Source routing is used in a number of multicast protocols (still) and many are loath to disable it.

There are two primary types of source routing - Loose Source Routing and Strict Source Routing. ISS has a good paper on this topic. Have a read of it.
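Both types are visible on the wire as IPv4 header options defined in RFC 791 (type 131 for loose, 137 for strict), so a sensor or filter can flag them before they reach a host that would honour them. The parser below is an added example, not code from the original post; the packets are constructed samples using documentation addresses, and the function and variable names are illustrative.

```python
import struct
import socket

# RFC 791 option types: copied flag (0x80) | class 0 | option number 3 or 9
SOURCE_ROUTE_OPTS = {131: "LSRR", 137: "SSRR"}

def find_source_route(packet: bytes):
    """Return (kind, pointer, [hop addresses]) for the first source-route
    option in a raw IPv4 packet, or None if there is none."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4           # header length in bytes
    if ihl < 20 or ihl > len(packet):
        return None
    opts = packet[20:ihl]                  # options sit between byte 20 and IHL
    i = 0
    while i < len(opts):
        otype = opts[i]
        if otype == 0:                     # End of Option List
            break
        if otype == 1:                     # No-Operation, single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            break                          # truncated option
        olen = opts[i + 1]
        if olen < 2 or i + olen > len(opts):
            break                          # malformed length, stop parsing
        if otype in SOURCE_ROUTE_OPTS and olen >= 3:
            pointer = opts[i + 2]          # offset of the next hop to process
            data = opts[i + 3:i + olen]
            hops = [socket.inet_ntoa(data[j:j + 4])
                    for j in range(0, len(data) - 3, 4)]
            return SOURCE_ROUTE_OPTS[otype], pointer, hops
        i += olen
    return None

def build_sample(option_bytes: bytes) -> bytes:
    """Constructed test packet: IPv4 header with the given options, no payload."""
    pad = (-len(option_bytes)) % 4         # options are padded to 32-bit words
    opts = option_bytes + b"\x00" * pad
    ihl = (20 + len(opts)) // 4
    return struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, 20 + len(opts), 0, 0,
                       64, 6, 0, socket.inet_aton("192.0.2.10"),
                       socket.inet_aton("198.51.100.20")) + opts

# Constructed samples (documentation addresses, checksum left at zero)
LSRR_PKT = build_sample(bytes([131, 7, 4]) + socket.inet_aton("203.0.113.5"))
PLAIN_PKT = build_sample(b"")
```

A packet for which `find_source_route` returns anything other than `None` is a candidate for dropping or alerting at the perimeter.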
