I guess it all depends if you consider configuration errors "bugs". Assuming a router is correctly configured, non-routeable addresses should never leave *or* enter a network, but of course they can be routed internally.
Paul Schmehl Said:No, because non-routeable addresses are...well....non-routeable.
But Paul, I route non-routable addresses all the time. It is only internet routers that are usually configured to not route certain addresses. I go into many nets where the router is attempting to send out 192.168's 172.'s and 10's out the external interface. Now they don't get far since the ISP won't take them or just sinks them, but the routers will try to handle them.
Some routers (plenty won't) will probably try to "return" those ICMP's to the internal interface, thus providing your covert channel. Furthermore, you may be able to do some interesting things with the type and code fields to encode further information.
As an attacker, I would not design an exploit that *depended* upon private addresses being routed external to the victim's router unless I first verified that they were.
Paul Schmehl ([EMAIL PROTECTED]) Adjunct Information Security Officer The University of Texas at Dallas AVIEN Founding Member http://www.utdallas.edu _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.netsys.com/full-disclosure-charter.html
