Forums before death by AOL, social media and spammers... "We can't have nice things"
| comp.protocols.tcp-ip | TCP and IP network protocols. | 14,669 messages |
[ << oldest | < older | list | newer > | newest >> ]
| Message 14,517 of 14,669 |
| skybuck2000 to All |
| Re: (RCE) Remote Code Execution bug/expl |
| 11 Feb 21 16:11:59 |
From: skybuck2000@hotmail.com
From the work around it can be determined that it has something to do with
"forwarding" and "routing".
Taking a look at windows nt 3.5 source code, iproute.c is my main suspect
containing the bug.
Most likely the bug is in this piece of source code:
"
//** IPForward - Forward a packet.
//
// The routine called when we need to forward a packet. We check if we're
supposed
// to act as a gateway, and if we are and the incoming packet is a bcast we
check
// and see if we're supposed to forward broadcasts. Assuming we're supposed to
// forward it, we will process any options. If we find some, we do some
validation
// to make sure everything is good. After that, we look up the next hop. If
we can't
// find one, we'll issue an error. Then we get a packet and buffers, and
send it.
//
// Input: SrcNTE - NTE for net on which we received this.
// Header - Pointer to received IPheader.
// HeaderLength - Length of header.
// Data - Pointer to data to be forwarded.
// BufferLength - Length in bytes available in the buffer.
// DestType - Type of destination.
//
// Returns: Nothing.
//
void
IPForward(NetTableEntry *SrcNTE, IPHeader UNALIGNED *Header, uint HeaderLength,
void *Data, uint BufferLength, NDIS_HANDLE LContext1, uint LContext2,
uchar DestType)
{
uchar *Options;
uchar OptLength;
OptIndex Index;
IPAddr DestAddr; // IP address we're routing towards.
uchar SendOnSource = FALSE;
IPAddr NextHop; // Next hop IP address.
PNDIS_PACKET Packet;
FWContext *FWC;
IPHeader *NewHeader; // New header.
NDIS_STATUS Status;
uint DataLength;
CTELockHandle TableHandle;
uchar ErrIndex;
IPAddr OutAddr; // Address of interface we're send out on.
Interface *IF; // Interface we're sending out on.
uint MTU;
if (ForwardPackets) {
DestAddr = Header->iph_dest;
// If it's a broadcast, see if we can forward it. We won't forward it
if broadcast
// forwarding is turned off, or the destination if the local (all
one's) broadcast,
// or it's a multicast (Class D address). We'll pass through subnet
broadcasts in
// case there's a source route. This would be odd - maybe we should
disable this?
if (IS_BCAST_DEST(DestType)) {
if (!ForwardBCast) {
if (DestType > DEST_REMOTE)
IPSInfo.ipsi_inaddrerrors++;
return;
}
if ((DestAddr == IP_LOCAL_BCST) ||
(DestAddr == IP_ZERO_BCST) ||
(DestType == DEST_SN_BCAST) ||
CLASSD_ADDR(DestAddr)) {
return;
}
} else
if (DestType == DEST_REMOTE) {
SrcNTE = BestNTEForIF(Header->iph_src, SrcNTE->nte_if);
if (SrcNTE == NULL) {
// Something bad happened.
CTEAssert(FALSE);
return;
}
}
// If the TTL would expire, send a message.
if (Header->iph_ttl <= 1) {
IPSInfo.ipsi_inhdrerrors++;
SendICMPErr(SrcNTE->nte_addr, Header, ICMP_TIME_EXCEED,
TTL_IN_TRANSIT,0);
return;
}
DataLength = net_short(Header->iph_length) - HeaderLength;
Index.oi_srtype = NO_SR; // So we know we don't have a
source route.
Index.oi_srindex = MAX_OPT_SIZE;
Index.oi_rrindex = MAX_OPT_SIZE;
Index.oi_tsindex = MAX_OPT_SIZE;
// Now check for options, and process any we find.
if (HeaderLength != sizeof(IPHeader)) {
IPOptInfo OptInfo;
OptInfo.ioi_options = (uchar *)(Header + 1);
OptInfo.ioi_optlength = HeaderLength - sizeof(IPHeader);
// Validate options, and set up indices.
if ((ErrIndex = ParseRcvdOptions(&OptInfo, &Index)) <
MAX_OPT_SIZE) {
IPSInfo.ipsi_inhdrerrors++;
SendICMPErr(SrcNTE->nte_addr, Header, ICMP_PARAM_PROBLEM,
PTR_VALID,
net_long((ulong)ErrIndex + sizeof(IPHeader)));
return;
}
Options = CTEAllocMem(OptInfo.ioi_optlength);
if (!Options) {
IPSInfo.ipsi_outdiscards++;
return; // Couldn't get an
} // option buffer,
return;
// Now copy into our buffer.
CTEMemCopy(Options, OptInfo.ioi_options, OptLength =
OptInfo.ioi_optlength);
// See if we have a source routing option, and if so we may need
to process it. If
// we have one, and the destination in the header is us, we need
to update the
// route and the header.
if (Index.oi_srindex != MAX_OPT_SIZE) {
if (DestType >= DEST_REMOTE) { // Not for us.
if (Index.oi_srtype == IP_OPT_SSRR) {
// This packet is strict source routed, but we're not
the destination!
// We can't continue from here - perhaps we should
send an ICMP, but
// I'm not sure which one it would be.
CTEFreeMem(Options);
IPSInfo.ipsi_inaddrerrors++;
return;
}
Index.oi_srindex = MAX_OPT_SIZE; // Don't need to
update this.
} else { // This came here, we need to update the
destination address.
uchar *SROpt = Options + Index.oi_srindex;
uchar Pointer;
Pointer = SROpt[IP_OPT_PTR] - 1; // Index starts from
one.
// Get the next hop address, and see if it's a broadcast.
DestAddr = *(IPAddr UNALIGNED *)&SROpt[Pointer];
DestType = GetAddrType(DestAddr); // Find address
type.
if (DestType == DEST_INVALID) {
SendICMPErr(SrcNTE->nte_addr, Header, IC
P_DEST_UNREACH, SR_FAILED, 0);
IPSInfo.ipsi_inhdrerrors++;
CTEFreeMem(Options);
return;
}
// If we came through here, any sort of broadcast needs to
be sent out
[continued in next message]
--- SoupGate-Win32 v1.05
* Origin: you cannot sedate... all the things you hate (1:229/2)
|
(c) 1994, bbs@darkrealms.ca