What can happen when you think that only Windows system needs to be patched - Yuri Diogenes's Blog - Site Home - TechNet Blogs

Yuri Diogenes's Blog

Thoughts from a Senior Content Developer @ Microsoft Data Center, Devices & Enterprise Client – CSI (Enterprise Mobility Team)

What can happen when you think that only Windows system needs to be patched

This post could easily be called “Slow Internet through ISA Server”, but I decided to change the title and the focus. I’m doing that for a simple reason: people still think that only Windows systems need to be patched. What an untrue statement this is, and I’m more and more convinced that if you don’t think secure in all layers you will sooner or later be owned.

This post is about a phone call with a friend of mine that was supposed to take just 10 minutes but took an hour to finish. He was having a problem on his network and, as usual, “nothing changed” but “Internet access stopped working”. Believe it or not, this is one of the rare scenarios where this was true. Nothing really changed on his network or on his ISA Server, but suddenly his ISA was timing out for all Internet access requests.

His topology was like this:

[Topology diagram]
ISA Server was only in use for proxy/cache purposes; all the web proxy clients were pointing to this ISA box for Internet access. According to some tests that were done, if we pointed the clients directly to his edge firewall as gateway he was able to access the Internet.

The Problem

After capturing a simple netmon trace while a client was trying to access the Internet, I could see a very interesting behavior:

16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.136      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.136      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.136      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.136      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.136      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.152      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.168      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
There were tons of those ICMP Redirect packets from the router to the ISA Server while the communication was happening. This was déjà vu for me: those ICMP packets flowing in the network reminded me of the old times when Windows NT was vulnerable to ICMP attacks and we had lots of server hanging issues. Anyway, by opening the ICMP packet it was possible to see an even more interesting detail:

+ Ipv4: Src = 192.168.1.1, Dest = 172.16.4.80, Next Protocol = ICMP, Packet ID = 43969, Total IP Length = 56
- Icmp: Redirect Message
    Type: Redirect Message, 5(0x5)
    Code: Redirect datagrams for the host 1(0x1)
    Checksum: 43532 (0xAA0C)
    GatewayIPAddress: 192.168.1.111
The gateway address (the GatewayIPAddress field above) is explained in RFC 792 as “Address of the gateway to which traffic for the network specified in the internet destination network field of the original datagram's data should be sent.”

Looking at the diagram you might be thinking: who is 192.168.1.111? Well, that was exactly my question. To my surprise, it was a workstation!! We unplugged this workstation from the network, disabled ICMP Redirect in the router (#no ip icmp redirect), restarted the router and everything started to work just fine. Hum, not ISA Server again, right? Exactly!!
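As an added illustration (not the author's code), here is a small Python check that applies the two signals from this post to netmon summary lines: a burst of ICMP Redirects from the router within one second, and a redirect whose GatewayIPAddress is not one of the routers you actually run. The sample lines are constructed in the same layout as the capture above, and the set of trusted gateways is an assumption you would fill in from your own network.

```python
import re
from collections import defaultdict

# Netmon summary line layout as shown in the trace above:
# "<hh:mm:ss.mmm>  <src>  <dst>  ICMP  ICMP:Redirect Message"
REDIRECT_RE = re.compile(
    r"^(\d{2}:\d{2}:\d{2})\.(\d{3})\s+(\S+)\s+(\S+)\s+ICMP\s+ICMP:Redirect Message"
)

# Constructed sample capture (same layout as the page's trace, not the author's data).
SAMPLE_CAPTURE = """\
16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.121      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.136      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.152      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.168      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
16:56:53.200      192.168.1.10 172.16.4.80      TCP   TCP:Flags=......S.
16:56:55.010      192.168.1.1 192.168.1.10      ICMP  ICMP:Redirect Message
"""

# Assumed: the only box that should ever appear as a redirect gateway is the router.
TRUSTED_GATEWAYS = {"192.168.1.1"}


def parse_redirects(capture_text):
    """Return (ms_since_midnight, src, dst) for every ICMP Redirect summary line."""
    records = []
    for line in capture_text.splitlines():
        m = REDIRECT_RE.match(line)
        if not m:
            continue  # not a redirect (e.g. the TCP SYN line): ignore it
        hh, mm, ss = (int(x) for x in m.group(1).split(":"))
        ms = (hh * 3600 + mm * 60 + ss) * 1000 + int(m.group(2))
        records.append((ms, m.group(3), m.group(4)))
    return records


def redirect_bursts(records, window_ms=1000, threshold=5):
    """Count redirects per (src, dst) in each window; return pairs at or over threshold."""
    buckets = defaultdict(int)
    for ms, src, dst in records:
        buckets[(src, dst, ms // window_ms)] += 1
    return {(s, d): n for (s, d, _), n in buckets.items() if n >= threshold}


def analyze(capture_text, gateway_ip, trusted_gateways, threshold=5):
    """Findings for a trace plus the GatewayIPAddress seen in the redirect detail."""
    findings = []
    for (src, dst), n in redirect_bursts(parse_redirects(capture_text), threshold=threshold).items():
        findings.append(f"burst: {n} redirects from {src} to {dst} within one second")
    if gateway_ip not in trusted_gateways:  # RFC 792: this field should name a real gateway
        findings.append(f"untrusted gateway: redirect points traffic at {gateway_ip}")
    return findings
```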

Conclusion

His old Cisco router was completely out of date and vulnerable to Cisco IOS Route Manipulation via ICMP Redirects. That’s an old vulnerability that was already fixed, but as I said at the beginning of the post: people sometimes think that only Windows systems need to be patched. Although he is a buddy of mine, I told him that he forgot to do his homework in this case and that it was pretty much his fault. The next course of action for him was to scan that network to see if there was any kind of malware on it, and also to update the router and switches.
