[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <200312111706.hBBH6QKh011380@turing-police.cc.vt.edu>
Date: Thu, 11 Dec 2003 12:06:26 -0500
From: Valdis.Kletnieks@...edu
To: Nick Cleaton <nick@...aton.net>
Cc: Michal Zalewski <lcamtuf@...ttot.org>, bugtraq@...urityfocus.com
Subject: Re: A new TCP/IP blind data injection technique?
On Thu, 11 Dec 2003 07:37:02 GMT, Nick Cleaton said:
> Even if the attacker knows or controls every other byte in the packet
> and thus controls the checksum before the final 16 bits go in, the final
> checksum is as unpredictable as those 16 bits.
However, it's a trivial matter to take the original text, the replacement text,
and compute an original such that the checksum comes out "the same".
1) Read the RFCs on how to do incremental update of the checksum when decrementing
the TTL - that provides some big hints.
2) Walk across the old and new texts, computing the delta to the checksum.
3) Smash two spare bytes in the new text with the correct delta to make it come out the same.
Remember, it's a checksum, not a hash.
Content of type "application/pgp-signature" skipped
Powered by blists - more mailing lists