Message-ID: <20031211103737.S66813@dekadens.coredump.cx>
Date: Thu, 11 Dec 2003 10:46:04 +0100 (CET)
From: Michal Zalewski <lcamtuf@...ttot.org>
To: Shachar Shemesh <fulldisc@....consumer.org.il>
Cc: bugtraq@...urityfocus.com, full-disclosure@...sys.com
Subject: Re: A new TCP/IP blind data injection technique?
On Thu, 11 Dec 2003, Shachar Shemesh wrote:
> This attack is timing sensitive, route sensitive, and is highly
> unreliable.
So is all session injection, but we have seen practical attacks in the
past. A very popular piece of software used to drop Windows 9x users from IRC
servers by performing an RST packet injection into an existing session worked
surprisingly well.
Although the problems you mention make some attacks very difficult, in
many other cases, this is not an issue. Server-to-server communication is
often either completely predictable, or can be user-induced (and still
benefit him in some way when compromised). In other cases, a low success
ratio is not a problem when you want to just disrupt communications at
some point, and do not care about the exact packet for which this happens
(for all sessions that last for a while).
> Those problems aside, however, there is a more fundamental problem. You
> need to time each and every fragmented packet you send to always arrive
> before or after (depending on receiving machine's IP stack) the
> corresponding legit fragment, yet before the entire packet is assembled.
Not really. You can just push a non-zero offset packet with no MF set, and
the reassembly will end immediately, without waiting for the remaining
chunks.
> Most TCP/IP connections employ PMTU discovery, and then split the stream
> at layer 4, rather than perform Layer 3 assembly.
It is a matter of OS configuration. Many systems indeed do deploy PMTU
recently. There is a catch, however: some routers, IP-over-nnn tunnels,
and some firewalls strip and/or ignore DF flag. This is not as uncommon as
we would like it to be. I actually have done some research to back this
claim while writing p0f and encountering some strange discrepancies in
observed signatures.
> Even if you found a victim that does not employ PMTU, fragmentation is
> still a rare occurrence.
I would disagree, but the point of my post is not to get involved in a
pissing contest in making unfounded claims, but to open a discussion. I do
not think this is a threat one should lose sleep over, either, but the
fact is, it makes session data injection considerably easier than with ISN
guessing.
--
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2003-12-11 10:37 --
http://lcamtuf.coredump.cx/photo/current/
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
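The point Zalewski makes about a non-zero-offset fragment with MF clear ending reassembly early, shown as an added Python simulation (this is not code from the original message or from p0f). It builds raw IPv4 fragments with the offset/flags fields set, then feeds them to a toy RFC 815-style hole-list reassembler that declares a datagram complete as soon as the last fragment (MF=0) has arrived and no hole remains before its end. The addresses, the IP ID 0xBEEF, the 2000-byte segment split 1480+520 by a 1500-byte MTU, and the "first-arrived bytes win, finished IDs drop later fragments" policy are all assumptions of the simulation, not measurements of any particular stack.

```python
"""Added example: early termination of IP reassembly by an injected fragment.
Every packet is constructed in-process; nothing is sent on the wire."""
import socket
import struct

IP_MF = 0x2000  # More Fragments flag
IP_DF = 0x4000  # Don't Fragment flag


def ipv4_checksum(hdr: bytes) -> int:
    """Standard ones'-complement sum over a 20-byte header (no options)."""
    total = 0
    for i in range(0, len(hdr), 2):
        total += (hdr[i] << 8) | hdr[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_fragment(src, dst, ident, offset, more, payload, proto=6, ttl=64):
    """Minimal IPv4 header + payload. offset is in bytes and must be a
    multiple of 8, since the header stores it in 8-byte units."""
    assert offset % 8 == 0 and offset // 8 < 0x2000
    flags_off = (IP_MF if more else 0) | (offset // 8)
    total_len = 20 + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, ident, flags_off,
                      ttl, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_fragment(pkt: bytes) -> dict:
    """Pull the fragmentation-relevant fields back out of a raw packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total_len, ident, flags_off = struct.unpack("!HHH", pkt[2:8])
    return {"id": ident, "offset": (flags_off & 0x1FFF) * 8,
            "mf": bool(flags_off & IP_MF), "df": bool(flags_off & IP_DF),
            "payload": pkt[ihl:total_len]}


class Reassembler:
    """Toy reassembler keyed on IP ID only (src/dst/proto omitted for brevity).
    First-arrived bytes win; fragments for an already finished ID are dropped."""

    def __init__(self):
        self.pending = {}     # ident -> {"chunks": {offset: bytes}, "end": int|None}
        self.finished = set()

    def feed(self, pkt: bytes):
        f = parse_fragment(pkt)
        if f["id"] in self.finished:
            return None
        state = self.pending.setdefault(f["id"], {"chunks": {}, "end": None})
        state["chunks"].setdefault(f["offset"], f["payload"])
        if not f["mf"]:                       # MF clear: this fragment fixes the total length
            state["end"] = f["offset"] + len(f["payload"])
        if state["end"] is None:
            return None
        # Walk chunks in offset order; any gap before "end" is still a hole.
        out, pos = bytearray(), 0
        for off in sorted(state["chunks"]):
            if off > pos:
                return None
            chunk = state["chunks"][off]
            out += chunk[pos - off:]          # skip bytes already covered
            pos = max(pos, off + len(chunk))
            if pos >= state["end"]:
                break
        if pos < state["end"]:
            return None
        self.finished.add(f["id"])
        del self.pending[f["id"]]
        return bytes(out[:state["end"]])


def scenario():
    """Constructed: a 2000-byte TCP segment split 1480 + 520 by a 1500-byte MTU.
    The attacker, having guessed IP ID 0xBEEF, lands a 16-byte MF=0 fragment at
    offset 1480 before the real tail arrives."""
    src, dst, ident = "10.0.0.1", "10.0.0.2", 0xBEEF      # assumed values
    segment = b"A" * 1480 + b"B" * 520
    first = build_fragment(src, dst, ident, 0, True, segment[:1480])
    real_tail = build_fragment(src, dst, ident, 1480, False, segment[1480:])
    injected = build_fragment(src, dst, ident, 1480, False, b"X" * 16)

    r = Reassembler()
    after_first = r.feed(first)     # None: reassembly still waiting
    result = r.feed(injected)       # completes at once: 1480 legit bytes + 16 injected
    late = r.feed(real_tail)        # None: ID already finished, real tail dropped
    return after_first, result, late
```

The simulation stops at the IP layer: the reassembled datagram still has to pass the TCP layer (the checksum in the first fragment's TCP header now covers the injected tail, and the segment must fit the window), which is the same kind of obstacle Shemesh raises and which this toy does not model. It also presupposes that the legitimate datagram is fragmented at all; `parse_fragment` exposes the DF bit so that a capture can be checked for exactly the DF-stripping behaviour the message mentions.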