
List:       bleeding-sigs
Subject:    Re: [Bleeding-sigs] Rule Submit: Microsoft Windows DHCP ClientService
From:       "M. Shirk" <shirkdog_list () hotmail ! com>
Date:       2006-09-14 2:47:17
Message-ID: BAY108-F33F412FD6D0F987B07F76E95290 () phx ! gbl

From my favorite site NetworkSorcery.com:

BOOTP/DHCP options. Variable length.
The first four bytes contain the (decimal) values 99, 130, 83 and 99. This 
is the same magic cookie as has been defined for BOOTP. The remainder of the 
field consists of a list of tagged parameters that are called options. All 
of the vendor extensions used by BOOTP are also DHCP options.

So how many different options??
http://www.networksorcery.com/enp/default0801.htm

When I was pissing around with this, I could not get by the option 15 
length, then cut off at the next tag, because the options have byte 
values anywhere from 0x00-0xFF.

http://www.networksorcery.com/enp/protocol/bootp/option015.htm
http://www.networksorcery.com/enp/protocol/bootp/option015.htm#Domain%20name

The domain name length max is 255 (0xFF), which is the same in the PoC. The 
PoC was not working for me on a Windows XP SP1a box when issuing the DHCP 
request. So you have a length value for option 15 that, at its max, is 
still technically a normal packet, but suspicious :-)




Shirkdog
http://www.shirkdog.us




>From: Erik Fichtner <emf@obfuscation.org>
>To: Blake Hartstein <bhartstein@demarc.com>
>CC: bleeding-sigs@bleedingsnort.com
>Subject: Re: [Bleeding-sigs] Rule Submit: Microsoft Windows DHCP ClientService Buffer Overflow
>Date: Wed, 13 Sep 2006 20:10:31 -0400
>
>Blake Hartstein wrote:
>
> > Perhaps I need to specify the packets I intend to detect are of type
> > Boot Reply?
> > The message-type for dhcp typically occurs in the first few bytes of the
> > payload, is there another field in the options that has this value also?
> > Because all of the samples I have captured do not display this behavior.
>
>uh-uh.  Read the DHCP RFCs again.   BOOTREPLY is part of the BOOTP legacy
>portion..  yes, you need to have a bootreply flavor packet, but you also
>need a DHCP option 53 field to say that it's a DHCPACK (and your xid should
>match the request, but hey, why pick nits.)
>
> >
> > Just so we are clear the 0xFA option is the one I was referring to which
> > corresponds to the 250 option you mentioned. The original rule does a
> > byte_jump which skips the first option and checks the second option in
> > the packet.
>
>right, but the "first option" in the packet is typically option 53.
>
> >
> > The packet capture I am using to test with has a option length
> > associated with that first option which is the value used to jump, then
> > the next option happens to be "Option 250: Private (255 bytes)", it is
> > not so much guesswork as you are suggesting above.
>
>I know.. you're using a PoC payload similar to the one in the CYBSEC writeup
>of the issue.  That's not how DHCP really looks on the wire.
>
>
> > Please let me know your thoughts on this, or whether its a lost cause.
>
>I consider it a lost cause to handle in a legacy snort rule.  Doing it
>in a shared object rule, on the other hand, gives you enough power to do
>what you need to do.
>
>--
>Erik Fichtner; Unix Ronin
>
>"Our politicians help the terrorists every time they use fear
>as a campaign tactic." - Bruce Schneier
>   www.schneier.com/blog/archives/2006/08/what_the_terror.html

>_______________________________________________
>Bleeding-sigs mailing list
>Bleeding-sigs@bleedingsnort.com
>http://lists.bleedingsnort.com/mailman/listinfo/bleeding-sigs
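The option walk both messages describe, as an added example that is not code from the thread or from any Snort rule: it steps over the tagged options after the magic cookie (pad and end handled, so there is no fixed byte_jump to "the second option"), confirms BOOTREPLY plus option 53 = DHCPACK, and reports the option 15 (Domain Name) length. The max_domain_len threshold is an assumed site setting and build_ack constructs a sample packet; neither comes from the thread.

```python
# DHCP option codes discussed in the thread (RFC 2132 numbering)
OPT_PAD, OPT_DOMAIN_NAME, OPT_MSG_TYPE, OPT_END = 0, 15, 53, 255
MAGIC_COOKIE = bytes([99, 130, 83, 99])   # same cookie as BOOTP
FIXED_HDR_LEN = 236                        # BOOTP fields before the cookie
BOOTREPLY, DHCPACK = 2, 5


def parse_options(payload):
    """Walk the tagged options after the cookie and return {code: value}.
    Pad (0) has no length byte and End (255) ends the list, so a fixed
    byte_jump cannot land on a chosen code; a declared length that runs
    past the payload is malformed and raises ValueError."""
    if payload[FIXED_HDR_LEN:FIXED_HDR_LEN + 4] != MAGIC_COOKIE:
        raise ValueError("missing BOOTP/DHCP magic cookie")
    opts, i = {}, FIXED_HDR_LEN + 4
    while i < len(payload):
        code = payload[i]
        if code == OPT_PAD:
            i += 1
            continue
        if code == OPT_END:
            break
        if i + 1 >= len(payload):
            raise ValueError("option %d truncated before its length byte" % code)
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            raise ValueError("option %d length %d overruns payload" % (code, length))
        opts.setdefault(code, value)   # keep the first occurrence of a code
        i += 2 + length
    return opts


def inspect_reply(payload, max_domain_len=64):
    """Flag a DHCPACK whose Domain Name (option 15) exceeds max_domain_len,
    an assumed site threshold (255 is the protocol maximum)."""
    opts = parse_options(payload)
    msg_type = opts.get(OPT_MSG_TYPE, b"")
    is_ack = payload[0] == BOOTREPLY and msg_type[:1] == bytes([DHCPACK])
    domain_len = len(opts.get(OPT_DOMAIN_NAME, b""))
    return {"is_ack": is_ack, "domain_len": domain_len,
            "suspicious": is_ack and domain_len > max_domain_len}


def build_ack(domain, xid=0x3903F326):
    """Constructed sample: minimal BOOTREPLY/DHCPACK carrying option 15."""
    header = bytes([BOOTREPLY, 1, 6, 0]) + xid.to_bytes(4, "big")
    header += bytes(FIXED_HDR_LEN - len(header))   # zero the remaining fields
    opts = bytes([OPT_MSG_TYPE, 1, DHCPACK, OPT_DOMAIN_NAME, len(domain)]) + domain
    return header + MAGIC_COOKIE + opts + bytes([OPT_END])
```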
