Published: 1999-08-11 00:00:00
Revised: 2008-09-09 00:00:00

[Original text] DHCP clients with ICMP Router Discovery Protocol (IRDP) enabled allow remote attackers to modify their default routes.

[CNNVD] Multiple Vendor IRDP Vulnerability (CNNVD-199908-020)


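- CVSS (Base Score)

CVSS score: 7.5 [Severe (HIGH)]
Confidentiality impact: PARTIAL [very likely to cause information disclosure]
Integrity impact: PARTIAL [may allow system files to be modified]
Availability impact: PARTIAL [may cause degraded performance or interrupted access to resources]
Attack complexity: LOW [no access restrictions on exploitation]
Attack vector: [--]
Authentication: NONE [exploitation requires no authentication]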

- CWE (Weakness Category)

CWE-16 [Configuration]

- CPE (Affected Platforms and Products)

cpe:/o:microsoft:windows_2000 Microsoft Windows 2000
cpe:/o:microsoft:windows_98se Microsoft windows 98_se

- OVAL (Technical Details for Detection)


- Official database links
(Official data source) MITRE
(Official data source) NVD
(Official data source) CNNVD

- Other links and resources
(UNKNOWN)  BID  578
(UNKNOWN)  MSKB  Q216141

- Vulnerability information

Multiple Vendor IRDP Vulnerability
High risk  Other
1999-08-11 00:00:00 2005-05-02 00:00:00

- Advisories and patches

         The Microsoft Knowledge Base contains an article that gives info on how to disable IRDP. It can be found at:
         Configure your host to obtain a default gateway through DHCP, static routes, or via the /etc/defaultrouter file. For more information on IRDP refer to in.rdisc's man-page.
         Block all ICMP Type 9 & Type 10 packets. This should protect against remote Denial of Service attacks.

- Vulnerability information (19451)

Microsoft Windows 98 a/98 b/98SE, Solaris 2.6 IRDP Vulnerability (EDBID:19451)
multiple remote
1999-08-11 Verified
0 L0pth
N/A [Click to download]

[This discussion is verbatim from the LHI Advisory referenced in the "Reference Section" of this vulnerability entry with very few changes]

The ICMP Router Discovery Protocol (IRDP) comes enabled by default on DHCP clients that are running Microsoft Windows95 (w/winsock2), Windows95b, Windows98, Windows98se, and Windows2000 machines. By spoofing IRDP Router Advertisements, an attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server. This results in higher susceptibility to denial of service, passive snooping and man in the middle attacks. While Windows 2000 does indeed have IRDP enabled by default, it is less vulnerable as it is impossible to give it a route that is preferred over the default route obtained via DHCP.

SunOS systems will also intentionally use IRDP under specific conditions. For Solaris2.6, the IRDP daemon, in.rdisc, will be started if the following conditions are met:

The system is a host, not a router.
The system did not learn a default gateway from a DHCP server.
The system does not have any static routes.
The system does not have a valid /etc/defaultrouter file. 

L0pht (LHI) has made available Proof-of-Concept code that will let individuals test their systems & firewalls.

Usage is as follows:

Usage: rdp -v -l -s -d <delay> -p <pref> -t <lifetime> -i <dev>
-S <src> -D <dst> -R <rtr> -r <optional 2nd rtr>

-v verbose
-l listen mode
-s send mode
-d <delay time between sending packets>
-n <number of rdp packets to send>
-I <ID value to place in IP packet>
-p <preference level>
-t <lifetime>
-i <interface to use for sniffing>
-S <source address to put in outgoing rdp packet>
-D <destination address to put in outgoing rdp packet>
-R <router address to advertise in rdp packet>
-r <optional 2nd router address to advertise in rdp packet>

Misc software notes:

Listen Mode: Software listens for ICMP Router Solicitations. If the '-s' flag is specified as well, the software will answer the Solicitations with ICMP Router Advertisements.

Preference: If the preference is not specified, it will use a default of 1000, which will give the default route a metric of 0 on affected Windows systems.

2nd Router Addr: By using the '-r' flag and specifying a second router address entry, the packet can contain a bogus source address and still be processed for correct gateway entries by the end host.
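
A defender-side check for the spoofed advertisements described above, added here as an example (it is not code from the LHI advisory or its tool): it parses ICMP Router Advertisements (type 9, RFC 1256 layout) and flags any that advertise a router outside a known-gateway list or whose IP source address is not among the advertised routers. `KNOWN_ROUTERS`, the function names and the two sample packets are assumptions constructed for illustration.

```python
import ipaddress
import struct

# Assumption: the site's legitimate gateways (documentation-range address).
KNOWN_ROUTERS = {ipaddress.ip_address("192.0.2.1")}

# Constructed sample ICMP payloads (checksum field zeroed; it is not verified here).
LEGIT = bytes.fromhex("09000000 01020708 c0000201 00000000")
SPOOFED = bytes.fromhex("09000000 02020708 c6336442 000003e8 c633644d 000003e8")

def parse_router_advert(icmp: bytes):
    """Parse an RFC 1256 Router Advertisement.

    Returns (lifetime_seconds, [(router_address, preference), ...]).
    """
    if len(icmp) < 8:
        raise ValueError("truncated ICMP header")
    icmp_type, _code, _cksum, num, entry_words, lifetime = struct.unpack(
        "!BBHBBH", icmp[:8])
    if icmp_type != 9:
        raise ValueError("not an ICMP Router Advertisement (type 9)")
    # Each entry is entry_words 32-bit words: address, then signed preference.
    if entry_words < 2 or len(icmp) < 8 + num * entry_words * 4:
        raise ValueError("bad address entry size or truncated entries")
    entries = []
    for i in range(num):
        off = 8 + i * entry_words * 4
        addr, pref = struct.unpack("!4si", icmp[off:off + 8])
        entries.append((ipaddress.ip_address(addr), pref))
    return lifetime, entries

def audit_advert(src_ip: str, icmp: bytes, known=KNOWN_ROUTERS):
    """Return a list of findings for one advertisement captured on the wire."""
    _lifetime, entries = parse_router_advert(icmp)
    findings = []
    # A source that does not advertise itself matches the bogus-source case.
    if ipaddress.ip_address(src_ip) not in {r for r, _ in entries}:
        findings.append(f"source {src_ip} is not one of the advertised routers")
    for router, pref in entries:
        if router not in known:
            findings.append(f"unknown router {router} advertised (preference {pref})")
    return findings

if __name__ == "__main__":
    for src, pkt in (("192.0.2.1", LEGIT), ("203.0.113.9", SPOOFED)):
        print(src, audit_advert(src, pkt) or "ok")
```
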

- Vulnerability information

Multiple Vendor IRDP Remote Gateway Modification
Remote / Network Access Input Manipulation
Loss of Integrity Workaround
Exploit Public Uncoordinated Disclosure

- Vulnerability description

- Timeline

1999-08-11 Unknown
1999-08-11 Unknown

- Solution


Unknown or Incomplete

- Related references

- Vulnerability author

Unknown or Incomplete