Date: Fri, 12 Dec 2003 12:32:16 -0500
From: Stephen Frost <sfrost@...wman.net>
To: Michal Zalewski <lcamtuf@...ttot.org>
Cc: bugtraq@...urityfocus.com, full-disclosure@...sys.com
Subject: Re: A new TCP/IP blind data injection technique?

* Michal Zalewski (lcamtuf@...ttot.org) wrote:
>    B. Although checksum is *NOT* optional in TCP packets (unlike with UDP), it
>       seems that there is a notable (albeit unidentified at the moment)
>       population of systems that do consider it to be optional when set to
>       zero, or do not verify it at all. I have conducted a quick check
>       as follows:
> 
>       - I have acquired a list of 300 most recent unique IPs that
>         had established a connection to a popular web server.
>       - I have sent a SYN packet with a correct TCP checksum to all
>         systems on the list, receiving 170 RST replies.
>       - I have sent a SYN packet with zero TCP checksum to all systems on
>         the list, receiving 12 RST replies (7% of the pool).
> 
>       As such, there seems to be a reason for some concern, even with
>       random IP IDs, since it only takes one RFC-ignorant party for the
>       attack against a session to succeed.

Is it possible the RSTs you're seeing are from firewalls which send an
RST due to rules in the firewall?  It could be that those 12 hosts
wouldn't actually accept a connection where the SYN packet has a zero
TCP checksum.  Admittedly, this is still RFC ignorance but it may not be
an actual attackable vector.  Could a test be made by modifying an
active web server to send SYN+ACKs w/ TCP checksum of 0 after having
received a SYN and see if any of the clients respond?  This would likely
make the server unreachable for most people, of course.  Perhaps
construct a setup where a SYN+ACK w/ an invalid TCP checksum is sent and
one with a valid TCP checksum and have some method to determine if the 0
checksum is accepted.

Just some thoughts.

	Stephen
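As an added illustration (not part of this thread, and not code from either poster), the following shows what a receiver that actually verifies the TCP checksum must compute, and models the two receiver behaviours the thread contrasts: an RFC-compliant host that rejects any mismatch, and a lenient host that waves a segment through when the checksum field is zero. The sample packet, addresses and ports are constructed here purely for the demonstration. This is the check a packet-capture audit or IDS would run to count zero-checksum segments on a network; it does not transmit anything.

```python
import socket
import struct

# Constructed sample endpoints (not taken from the thread).
SRC_IP = socket.inet_aton("10.0.0.1")
DST_IP = socket.inet_aton("10.0.0.2")
TCP_PROTO = 6


def ones_complement_sum(data: bytes) -> int:
    """Internet checksum arithmetic (RFC 1071): sum 16-bit big-endian words
    with end-around carry."""
    if len(data) % 2:
        data += b"\x00"
    total = 0
    for i in range(0, len(data), 2):
        total += (data[i] << 8) | data[i + 1]
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """Checksum a receiver must compute: IPv4 pseudo-header (src, dst, zero,
    protocol, TCP length) followed by the TCP header+payload with the
    checksum field itself treated as zero."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, TCP_PROTO, len(segment))
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return (~ones_complement_sum(pseudo + zeroed)) & 0xFFFF


def build_ipv4_tcp(src_ip, dst_ip, sport, dport, seq, flags,
                   checksum=None, payload=b"") -> bytes:
    """Build a minimal IPv4+TCP packet for testing. If checksum is None the
    correct value is filled in; pass 0 to model a zero-checksum segment."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, seq, 0, 5 << 4, flags,
                      8192, 0, 0)
    segment = hdr + payload
    if checksum is None:
        checksum = tcp_checksum(src_ip, dst_ip, segment)
    segment = segment[:16] + struct.pack("!H", checksum) + segment[18:]
    total_len = 20 + len(segment)
    # IP header checksum left at 0: this example only examines the TCP one.
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0x4000,
                     64, TCP_PROTO, 0, src_ip, dst_ip)
    return ip + segment


def check_segment(packet: bytes) -> dict:
    """Parse an IPv4 packet carrying TCP, recompute the checksum and report
    whether the stored value matches and whether it is the zero value the
    thread is concerned with."""
    ihl = (packet[0] & 0x0F) * 4
    if packet[9] != TCP_PROTO:
        raise ValueError("not a TCP packet")
    total_len = struct.unpack("!H", packet[2:4])[0]
    src, dst = packet[12:16], packet[16:20]
    segment = packet[ihl:total_len]
    stored = struct.unpack("!H", segment[16:18])[0]
    expected = tcp_checksum(src, dst, segment)
    return {
        "stored": stored,
        "expected": expected,
        "valid": stored == expected,
        # Note: unlike UDP, TCP has no "0 means absent" rule, and a computed
        # value of 0x0000 is legal, so a zero field alone proves nothing about
        # the sender; what matters is whether the receiver verifies it.
        "zero_checksum": stored == 0,
    }


def receiver_accepts(packet: bytes, lenient: bool) -> bool:
    """Model the two receiver behaviours: an RFC-compliant stack accepts only
    a matching checksum; a lenient (non-compliant) stack also accepts a
    segment whose checksum field is zero, treating it as 'not present'."""
    r = check_segment(packet)
    if r["valid"]:
        return True
    return lenient and r["zero_checksum"]


def audit_capture(packets) -> dict:
    """Defender-side tally over captured packets: how many segments carry a
    bad checksum, and how many of those are the zero-checksum kind."""
    counts = {"total": 0, "bad": 0, "zero": 0}
    for pkt in packets:
        r = check_segment(pkt)
        counts["total"] += 1
        if not r["valid"]:
            counts["bad"] += 1
            if r["zero_checksum"]:
                counts["zero"] += 1
    return counts


if __name__ == "__main__":
    good = build_ipv4_tcp(SRC_IP, DST_IP, 40000, 80, 1, 0x02)      # SYN, correct sum
    zero = build_ipv4_tcp(SRC_IP, DST_IP, 40000, 80, 1, 0x02, checksum=0)
    print(check_segment(good))
    print(check_segment(zero))
    print("lenient accepts zero:", receiver_accepts(zero, lenient=True))
    print("strict accepts zero:", receiver_accepts(zero, lenient=False))
    print(audit_capture([good, zero]))
```

For the constructed SYN above (ports 40000 to 80, sequence 1, window 8192, no options) the correct checksum works out to 0xDF4E; the same segment with the field forced to zero is rejected by the strict model and accepted by the lenient one, which is exactly the distinction the 170-versus-12 RST counts in the quoted test are probing. Applied to a capture feed, `audit_capture` gives a defender the base rate of zero-checksum segments on their own network without sending any probes.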

