Buffer Overflows (sort of)

Posted on September 16, 2004 by GregJ

This goes back to a question Danny was asking me earlier today. I don’t think this is exactly a buffer overflow, but it’s an interesting way of abusing a TCP/IP stack to make the OS allow things it shouldn’t. Note to The Man, we are only trying to learn these things as good responsible citizens, and with no harm. Also note that I’m only citing references that are already in the public domain.

Packet Fragmentation Attack
Packet fragmentation can be utilized to get around blocking rules on some firewalls.

This is done by cheating with the value of the Fragment Offset. The trick is to set the value of the Fragment Offset on the second packet so low that instead of appending the second packet to the first packet, it actually overwrites the data and part of the TCP header of the first packet.

Let’s say you want to `telnet` into a network where TCP port 23 is blocked by a packet filtering firewall. However, SMTP port 25 is allowed into that network.

What you would do is to send two packets:

The first packet would:
Have a Fragmentation Offset of 0.
Have the DF bit equal to 0 to mean “May Fragment” and the MF bit equal to 1 to mean “More Fragments.”

Have a Destination Port in the TCP header of 25. TCP port 25 is allowed, so the firewall would allow that packet to enter the network.

The second packet would:
Have a Fragmentation Offset of 1. This means that the second packet would actually overwrite everything but the first 8 bits of the first packet.

Have the DF bit equal to 0 to mean “May Fragment” and the MF bit equal to 0 to mean “Last Fragment.”

Have a Destination Port in the TCP header of 23. This would normally be blocked, but will not be in this case!

The packet filtering firewall will see that the Fragment Offset is greater than zero on the second packet. From this data, it will deduce that the second packet is a fragment of another packet and it will not check the second packet against the rule set.

When the two packets arrive at the target host, they will be reassembled. The second packet will overwrite most of the first packet and the contents of the combined packet will go to port 23.

source: http://www.linuxsecurity.com/docs/Hack-FAQ/data-networks/packet-fragmentation.shtml

There’s a good explanation on that page about the contents of the IP headers and an example of fragmentation.

This entry was posted in computers/programming. Bookmark the permalink.

1 Response to Buffer Overflows (sort of)

  1. Danny says:
    September 26, 2004 at 4:02 pm

    Thanks for the info- I “get it” in a basic fashion. Interesting indeed. I might set up a honeypot machine on my own network to play with.

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *