
This morning, while I was testing a bug related to HTTP authentication in Google Chrome, I found an authentication bypass on D-Link 500G.

The original advisory is here.

UPDATE 2009.08.20: I’ve almost completed the task of adding the ipfw support, but I’m not having enough free time lately, so I decided to share my patch and the TODO list. It has been published here.

I packaged two parts of the latest MiniUPnP version into distinct MacOSX frameworks, so developers can embed them in their .apps. The first, miniupnpc, is a client implementation of the Internet Gateway Device Protocol, and the second, libnatpmp, is a client implementation of the NAT Port Mapping Protocol (part of the Bonjour Protocol). I know the latest versions are NOT major releases, but it’s mainly to check people’s interest.

MiniUPnPc.framework is here.
NATPMP.framework is here.

These frameworks are universal, so they run on both PPC and x86.

Regarding the server implementation (miniupnpd), it supports netfilter (iptables), packet filter (pf), ipfilter (ipf) and pfSense, but not ipfirewall (ipfw), so it needs considerable work to add this support while preserving API compatibility. I would be doing that if my day had 72 hours… Anyway, I’ve already contacted the author about my interest.

Today I was studying MacOSX Internals, and found an interesting utility to view and change the network interface configuration. Its name is ipconfig. What? Correct, I agree that’s TOO Windows, but it’s worth reading the man-page, which, IN FACT, discourages its use for purposes other than testing/debugging. But, as usual, I was curious.

So, ipconfig communicates with the IPConfiguration agent, which is the brain behind the MacOS network configuration (more specifically, ipconfigd), and depends on the following frameworks: CoreFoundation, SystemConfiguration, IOKit and Apple80211.

Let’s take a look at the DHCP response packet received from my router (10.1.1.1):

$ ipconfig getpacket en1
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 304987153
secs = 0
ciaddr = 0.0.0.0
yiaddr = 10.1.1.16
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = <my-mac-address>
sname =
file =
options:
Options count is 9
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.1.1.1
subnet_mask (ip): 255.255.255.0
lease_time (uint32): 0x76a700
router (ip_mult): {10.1.1.1}
domain_name_server (ip_mult): {<router-dns>}
domain_name (string): <router-domain>
interface_mtu (uint16): 0x5d4
end (none):

If you need to see ONLY ONE option from those listed above, you can simply use “ipconfig getoption (interface-name) (option-name | option-code)”, for example:

$ ipconfig getoption en1 router
10.1.1.1
$ ipconfig getoption en1 3
10.1.1.1

You can even query an option for ALL your interfaces by passing "" as the interface name.
And, as the man-page mentions, it’s intended to be useful for testing and debugging, so if you’re experiencing problems with DHCP addressing or BOOTP, I suggest you enable the verbose flag:

$ sudo ipconfig setverbose 1

After that, I forced a DHCP request by disabling and re-enabling my network interface:

$ sudo ifconfig en1 down
$ sudo ifconfig en1 up

Then I checked the syslog and the packets dump:

$ tail -f /var/log/system.log
...
Jul 22 13:02:35 pharao configd[36]: service_publish_clear: Remove =  {
Jul 22 13:02:35 pharao configd[36]:   0 : State:/Network/Service/LINKLOCAL-en1/IPv4
Jul 22 13:02:35 pharao configd[36]:   1 : State:/Network/Service/LINKLOCAL-en1/DNS
Jul 22 13:02:35 pharao configd[36]:   2 : State:/Network/Service/LINKLOCAL-en1/DHCP
Jul 22 13:02:35 pharao configd[36]: }
Jul 22 13:02:35 pharao configd[36]: LINKLOCAL en1: status = 'operation succeded'
Jul 22 13:02:35 pharao configd[36]: before_blocking: calling S_linklocal_elect
Jul 22 13:02:35 pharao configd[36]: subnet for 169.254/16 still good on interface en1

$ cat /var/log/com.apple.IPConfiguration.bootp
============================
2009/07/22 13:02:31.918077 [en1] Transmit 300 byte packet
op = BOOTREQUEST
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 304987154
secs = 0
ciaddr = 0.0.0.0
yiaddr = 0.0.0.0
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = <my-mac-address>
sname =
file =
options:
Options count is 8
dhcp_message_type (uint8): REQUEST 0x3
parameter_request_list (uint8_mult): {0x1, 0x3, 0x6, 0xf, 0x77, 0x5f, 0xfc, 0x2c, 0x2e, 0x2f}
max_dhcp_message_size (uint16): 0x5dc
client_identifier (uint8_mult): {<my-identifier>}
requested_ip_address (ip): 10.1.1.16
lease_time (uint32): 0x76a700
host_name (string): pharao
end (none):
----------------------------
2009/07/22 13:02:32.131373 [en1] Receive 548 byte packet
op = BOOTREPLY
htype = 1
flags = 0
hlen = 6
hops = 0
xid = 304987154
secs = 0
ciaddr = 0.0.0.0
yiaddr = 10.1.1.16
siaddr = 0.0.0.0
giaddr = 0.0.0.0
chaddr = <my-mac-address>
sname =
file =
options:
Options count is 9
dhcp_message_type (uint8): ACK 0x5
server_identifier (ip): 10.1.1.1
subnet_mask (ip): 255.255.255.0
lease_time (uint32): 0x76a700
router (ip_mult): {10.1.1.1}
domain_name_server (ip_mult): {<router-dns>}
domain_name (string): <router-domain>
interface_mtu (uint16): 0x5d4
end (none):

This can also be achieved by using tcpdump and dhcpdump together, or simply dhcp-sniff:

$ tcpdump -lenx -s 1500 port bootpc or port bootps | dhcpdump
$ dhcp-sniff en1

Hey, don’t forget to disable the ipconfig’s verbose flag.
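The verbose packet log shown above is regular enough to check mechanically. The following is an added example, not part of the original post: it parses that log format, pairs each reply with a transmitted xid, and flags replies whose server_identifier is not an expected DHCP server. The function names, the trimmed sample and its second reply (10.1.1.99) are constructed for illustration.

```python
import re

HEADER = re.compile(r"^(\S+ \S+) \[(\w+)\] (Transmit|Receive) \d+ byte packet$")
KEYVAL = re.compile(r"^(\w+)(?: \(\w+\):| =) ?(.*)$")  # header field or option line

# Constructed sample in the verbose log's format; the second reply is made up.
SAMPLE = """\
2009/07/22 13:02:31.918077 [en1] Transmit 300 byte packet
xid = 304987154
----------------------------
2009/07/22 13:02:32.131373 [en1] Receive 548 byte packet
xid = 304987154
server_identifier (ip): 10.1.1.1
lease_time (uint32): 0x76a700
router (ip_mult): {10.1.1.1}
----------------------------
2009/07/22 13:02:32.140000 [en1] Receive 548 byte packet
xid = 304987999
server_identifier (ip): 10.1.1.99
router (ip_mult): {10.1.1.99}
"""

def parse_bootp_log(text):
    """Return one dict per Transmit/Receive block of the log."""
    packets = []
    for line in map(str.strip, text.splitlines()):
        if m := HEADER.match(line):
            packets.append({"time": m[1], "if": m[2], "dir": m[3]})
        elif packets and (m := KEYVAL.match(line)):
            packets[-1][m[1]] = m[2].strip("{}")
    return packets

def check_replies(packets, expected_servers):
    """Flag replies with an unrequested xid or an unexpected server."""
    sent, findings = set(), []
    for p in packets:
        if p["dir"] == "Transmit":
            sent.add(p.get("xid"))
            continue
        server = p.get("server_identifier")
        if p.get("xid") not in sent:
            findings.append((server, "xid matches no request"))
        if server not in expected_servers:
            findings.append((server, "unexpected DHCP server"))
    return findings

def lease_days(packet):
    """lease_time is logged as hex seconds, e.g. 0x76a700."""
    return int(packet["lease_time"], 16) / 86400
```

Calling `check_replies(parse_bootp_log(SAMPLE), {"10.1.1.1"})` reports only the constructed reply from 10.1.1.99, and the 0x76a700 lease from the real dump decodes to 90 days.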

dscacheutil -cachedump -entries Host | grep "Key: " | \
	sed 's/.*Key: .*:\(.*\) .*/\1/g' | sort -u

If you’re experiencing a serious network problem where you can’t connect to the Internet or even use your own network, possibly it’s related to TCP/IP corruption. Have you tried all methods to fix it?

Well, here goes one more thing to try:

netsh int ip reset resetlog.txt

It resets all network-related configurations, and is equivalent to removing and reinstalling the protocol. I hope it solves the problem.