GEN:SID | 1:501 |
Message | MISC source route lssre |
Summary | This event is generated when a packet is discovered with loose source routing set in the IP options.
|
Impact | Loose source routing permits the dictation of a route to and from the destination rather than relying on standard dynamic routing.
|
Detailed Information | Loose source routing instructs the packet to traverse identified routers in transit to and from the desired destination. Normal routing sends a packet one hop at a time allowing each interim router to determine the next hop. This may permit an attacker to spoof a source IP yet receive the response by sniffing from a network associated with an identified loose source router. A vulnerability exist in Windows 95, 98, and NT hosts that permits a vulernable destination host to accept a specially crafted source routed packet even though the host has a registry setting to drop it.
|
Affected Systems | Unless loose source routing is disabled, all hosts can accept them.
|
Attack Scenarios | An attacker can craft a special source routed packet to cause Windows 95, 98, and NT hosts to accept them even though a registry setting exists to drop source routed packets.
|
Ease of Attack | Simple.
|
Corrective Action | Block all source routed (loose or strict) packets from entering your network.
|
Additional References | Bugtraq http://www.securityfocus.com/bid/646
CVE http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-1999-0909
Whitehats www.whitehats.com/info/IDS470
|
Rule References | bugtraq: 646
arachnids: 420
cve: 1999-0909
url: www.microsoft.com/technet/security/bulletin/MS99-038.mspx
|