IPv4v6/isic
IP Stack Integrity Checker
ISIC -- IP Stack Integrity Checker
by Shu Xiao & Mike Frantzen

  1) Purpose
  2) Contributors
  3) History
  4) Accomplishments
  5) Copyright (BSD Style)


1) Purpose

ISIC (and its components) is intended to test the integrity of an IPv4 and IPv6 stack and its component stacks (TCP, UDP, ICMP et al.). It does this by generating controlled random packets (controlled randomness... wacky huh?). The user can specify that he/she/it [We are tempted to put 'it' before 'she' :-)] wants a stream of TCP packets. He/she/it suspects that the target has weak handling of IP options (aka Firewall-1). So he/she/it does a 'tcpsic -s rand -d firewall -I100' and observes the result.

A great use for ISIC would be to fire it through a firewall and see if the firewall leaks packets. But of course that would be illegal because Network Associates owns a bogus patent on that :-) You could do that by setting the default route on the sending computer to the firewall..... But that would be illegal. (But Mike couldn't legally have a beer, so do you think he cared about laws then?)

By far the most common use for these tools is testing IDS systems. A day after Mike took the source offline and moved it to a cvs server, a half dozen people working on separate home-grown IDS systems emailed requesting the source be put back up.


2) Contributors

  Shu Xiao        <[email protected]>  Current owner
  Mike Frantzen   <[email protected]>  Original creator
  Matt Hargett    <[email protected]>  Various patches
  Dug Song        <[email protected]>  Various patches
  Kelly Yancey    <[email protected]>  Various bug fix patches
  Marcelo Goes    <[email protected]>  Gcc 4 patch
  Todd Sherer     <[email protected]>  Test on Redhat 7.3
  Seth Bollinger  <[email protected]>  Multisic prototype
  Alex Behar      <[email protected]>  Gcc 4 patch
  Marc Tardif     <[email protected]>  Gcc 4 patch
  Sheng Li        <[email protected]>  Patch for flood control and unit/regression tests

The idea for ISIC came from two of Mike Frantzen's co-workers during his summer job:

  Kevin Kadow     <[email protected]>
  Mike Scher      <[email protected]>


3) History

Mike Frantzen wrote ISIC v.01 over a two week period on a Redhat 5.1 box. Well, (huddle around kiddies) one weekend he came back from work and turned on the monitor to discover loads of scsi errors. He had the binaries compiled statically on a wee little Trinux floppy. He was able to get the machine partially up and running and got a little bit of the source off. He yanked the hard drive and dropped it in Mike Scher's box (Linux). It fscked (sed s/s/u/g) the drive and he grabbed the lost+found directory. He got the source back. Much to his surprise, large (remarkably block sized) chunks were missing/rearranged across ALL the files. Every Linux box he has ever had has come back to bite him in the ass.

So over a weekend, Mike rewrote isic, tcpsic, and udpsic. Icmpsic took a bit longer... damn bugs. Total time: 6 hours. Total time on icmpsic after he forgot to add the IP header length to the pointer to the IP options: 3 hours. Bah.

He fucked up in version 0.02. His Makefile wasn't compatible with future versions of Libnet.... Whoops... Mike's fault. Now we have version 0.03.

Hehe, somehow forgot to randomize the TCP flags in 0.03 ;) [Thanks Florian]

Mike stuck esic (ether frame spewer) into the package for 0.04. He had it kicking around so why not toss it in. (Heh, had to redeem himself for the TCP flags fuckup).

There were no updates for a long time after the release of 0.05, the last one working with Libnet 1.0.x. Then, for whatever unknown reason, our buddy Mike Schiffman rewrote Libnet, and now version 1.1.x is not backward compatible :(.

In late 2004, Shu Xiao, working as a security testing engineer, sent patches to Mike Frantzen that made ISIC compile with the new Libnet ;) along with other fixes (yes, it still has bugs). This became the perfect time for Mike to shift the responsibility to Shu (Mike finally relieved :), and version 0.06 was born.

The 0.07 package is a kind of overdue release. Shu had the major changes for the new IPv6 gear ready in the middle of 2005, but got overwhelmed by diaper changes and had no chance to finalize it till the end of 2006 (pushed by his co-worker Sheng Li). Yet the 0.07 release includes a few important fixes that slipped from 0.06, e.g. randomness for 32-bit data. It is supposed to singe more fur off your cat :-!


4) Accomplishments

If ISIC finds any vulnerabilities for you, please let us know. We would love to know the product and type of vulnerability. We will withhold the information from this list at your request. If you give us permission to add it to this list, you will get full credit. If you manage a Bugtraq post, we appreciate finding our name in the list of credits :-)

ISIC (v0.01) Unreleased version.
  - During non-extensive testing, it failed to find a vulnerability in Cisco's PIX (4.2?)
    - Mike Frantzen
  - Logging vulnerability in Checkpoint Firewall-1 4.0
    Could predictably get a packet logged with a different source IP. Unable to reliably and consistently reproduce. (NOT RELEASED)
    - Mike Frantzen
  - IP Stack vulnerability in Checkpoint Firewall-1 4.0
    Wacky IP packets sometimes descended deep into the rulebase but got caught on the drop all rule. Unexploitable. (NOT RELEASED)
    - Mike Frantzen
  - Panic of Gauntlet 5.5 Beta (NOT RELEASED)
    - Mike Frantzen
  - Lock up of Gauntlet 5.5 Beta (NOT RELEASED)
    - Mike Frantzen
  - Frag DOS of Gauntlet 5.5 Beta (NOT RELEASED)
    - Mike Frantzen
  - Lock up of Gauntlet 5.0
    ICMP Parameter Problem packets with IP Options in the encapsulated packet caused Gauntlet to lock up. (BUGTRAQ'd)
    - Mike Frantzen

ISIC (v0.02)
  --

ISIC (v0.03)
  - Remote exploit of Raptor 6.x (BUGTRAQ'd)
    - CERIAS

ISIC (v0.05)
  - NetBSD panics when sent unaligned IP options (NHC20000504a.0)
    - NHC Research [www.newhackcity.net]
  - Remote Denial of Service against Be/OS
    The Be/OS Operating System version 5.0 has a vulnerability in the TCP fragmentation which can lock up the entire system, needing a cold reset to get back to work.
    - AUX Technologies [www.aux-tech.org]
  - Internet & Acceleration Server Event DoS
    Defcom Labs Advisory def-2001-16: If an alert action has been chosen in the ISA server console, a malicious attacker can cause a Denial of Service situation on the ISA server.
    - Peter Gründl & Andreas Sandor

ISIC (v0.06)
  - Various bugs leading to DoS (system crash, hang, freeze) found by many vendors' internal tests using this version of ISIC.


5) Copyright -- Modified BSD Source License

ISIC is Copyright (c) 1999-2007. Shu Xiao (San Jose, CA, USA) and Mike Frantzen (Chicago, IL, USA). All rights reserved.

Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:

  1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer.
  2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution.

THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
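The Purpose section describes the class of bug ISIC is built to surface: a stack that handles IP options weakly, fed randomly generated packets, will eventually read or write where it should not (the NetBSD panic on unaligned options and the icmpsic options-pointer mistake in the History section are both failures of the same parsing step). The following is an added example, not ISIC's code and not part of its README, showing from the receiving side what a stack or packet parser has to check so that such packets are rejected instead of corrupting memory. It validates the IPv4 options area strictly within the bounds IHL and the buffer length allow, and includes a small builder for constructed test headers to exercise it. All function names, the result enum and the constructed option strings and RFC 5737 test addresses are this example's own assumptions.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Outcome of walking the options area of an IPv4 header. */
enum ipv4_opt_result {
    IPV4_OPT_OK = 0,
    IPV4_OPT_BAD_IHL,     /* IHL below 5 words, or longer than the bytes we have */
    IPV4_OPT_BAD_LENGTH,  /* option length 0/1, missing, or running past the header */
    IPV4_OPT_BAD_POINTER  /* RR/LSRR/SSRR pointer below its minimum of 4 */
};

/* Validate the options area bounded by IHL without ever reading past it. hdr is
   the first byte of the IP header; pktlen is how many bytes the buffer really holds. */
enum ipv4_opt_result validate_ipv4_options(const uint8_t *hdr, size_t pktlen)
{
    if (pktlen < 20)
        return IPV4_OPT_BAD_IHL;
    size_t ihl = (size_t)(hdr[0] & 0x0f) * 4;          /* header length in bytes */
    if (ihl < 20 || ihl > pktlen)                       /* never trust IHL over pktlen */
        return IPV4_OPT_BAD_IHL;
    size_t off = 20;                                    /* options follow the fixed header */
    while (off < ihl) {
        uint8_t type = hdr[off];
        if (type == 0)                                  /* End of Options List */
            break;
        if (type == 1) {                                /* NOP is a single byte */
            off++;
            continue;
        }
        if (off + 1 >= ihl)                             /* type byte with no room for a length */
            return IPV4_OPT_BAD_LENGTH;
        uint8_t len = hdr[off + 1];
        if (len < 2 || off + len > ihl)                 /* zero/one-byte or overlong option */
            return IPV4_OPT_BAD_LENGTH;
        uint8_t number = type & 0x1f;                   /* drop the copied and class bits */
        if (number == 7 || number == 3 || number == 9) {    /* RR, LSRR, SSRR carry a pointer */
            if (len < 3)
                return IPV4_OPT_BAD_LENGTH;
            if (hdr[off + 2] < 4)                       /* pointer must skip type/len/ptr bytes */
                return IPV4_OPT_BAD_POINTER;
        }
        off += len;
    }
    return IPV4_OPT_OK;
}

/* Build a minimal IPv4 header (constructed test data, never sent anywhere) into
   buf, which must hold 60 bytes. Options are zero-padded to a 4-byte boundary
   and IHL is set to match. Returns the header length in bytes, or 0 when the
   options exceed the 40 bytes IPv4 allows. */
size_t build_ipv4_header(uint8_t *buf, const uint8_t *opts, size_t optlen)
{
    static const uint8_t addrs[8] = {192, 0, 2, 1, 198, 51, 100, 1};  /* RFC 5737 test ranges */
    if (optlen > 40)
        return 0;
    size_t ihl = 20 + ((optlen + 3) & ~(size_t)3);
    memset(buf, 0, 60);
    buf[0] = (uint8_t)(0x40 | (ihl / 4));   /* version 4, IHL in 32-bit words */
    buf[8] = 64;                            /* TTL */
    buf[9] = 6;                             /* protocol: TCP */
    memcpy(buf + 12, addrs, 8);             /* source, then destination */
    if (optlen)
        memcpy(buf + 20, opts, optlen);
    return ihl;
}

/* Build a header carrying opts and validate it in one step. */
enum ipv4_opt_result check_options(const uint8_t *opts, size_t optlen)
{
    uint8_t buf[60];
    size_t ihl = build_ipv4_header(buf, opts, optlen);
    return ihl ? validate_ipv4_options(buf, ihl) : IPV4_OPT_BAD_LENGTH;
}

/* Build an option-free header, overwrite its IHL nibble, and pretend only
   pktlen bytes arrived, to exercise the header-length checks. */
enum ipv4_opt_result check_ihl(uint8_t ihl_words, size_t pktlen)
{
    uint8_t buf[60];
    build_ipv4_header(buf, NULL, 0);
    buf[0] = (uint8_t)(0x40 | (ihl_words & 0x0f));
    return validate_ipv4_options(buf, pktlen);
}

int main(void)
{
    /* Constructed option strings: a well-formed record route, then malformed shapes. */
    static const uint8_t good_rr[]  = {7, 7, 4, 0, 0, 0, 0};  /* RR, len 7, ptr 4 */
    static const uint8_t overlong[] = {7, 40, 4};             /* claims 40 bytes in a 24-byte header */
    static const uint8_t no_len[]   = {1, 1, 1, 7};           /* type byte is the last header byte */
    printf("good RR : %d\n", check_options(good_rr, sizeof good_rr));   /* 0 */
    printf("overlong: %d\n", check_options(overlong, sizeof overlong)); /* 2 */
    printf("no len  : %d\n", check_options(no_len, sizeof no_len));     /* 2 */
    printf("IHL 15  : %d\n", check_ihl(15, 20));                        /* 1 */
    return 0;
}
```

The two checks that matter most are the ones a naive loop skips: the length byte is only read after confirming it lies inside IHL (an option type sitting on the last header byte, as in the no_len case, is exactly the unaligned shape a random generator produces), and IHL itself is bounded by the bytes actually received before anything is indexed through it. Every rejection returns a distinct code so a stack can count and log which malformed shape it is seeing, which is the signal to watch for when such a generator is pointed at a test network.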