IRDP Security Vulnerability in Windows2003.03.29 16:04 by Philip
The ICMP Router Discovery Protocol (IRDP, RFC 1256) comes enabled by default on DHCP clients that are running MS Windows9x, Windows ME and Windows2000 machines. Using router discovery, clients dynamically discover routers and can switch to backup routers if a network failure or administrative change is needed. However, by spoofing IRDP Router advertisements, a potential attacker can remotely add default route entries on a remote system. The default route entry added by the attacker will be preferred over the default route obtained from the DHCP server on Windows 9x/ME systems. The problem is not in IRDP itself, but rather that MS platforms use it even when DHCP is enabled and the DHCP setup specifies router information. To disable this vulnerability, you need to add the following entry to the Registry. This is intended for advanced users, please backup your Registry before making any changes.
Windows 9x / ME:
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesClassNetTrans00n (Where "000n" is your TCP/IP protocol. It contains "TCP/IP" assigned to the "DriverDesc" Value)
Note: Although according to Microsoft's documentation the value should be DWORD, they have moved to string values for most TCP/IP related Registry entries in Windows 98, so the documentation on the value type could be wrong.
Note: IRDP support is disabled by default on NT4, and enabled on Windows 2000.