lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: 11 Dec 2003 15:58:47 -0500
From: stanislav shalunov <shalunov@...ernet2.edu>
To: Michael Wojcik <Michael.Wojcik@...rofocus.com>
Cc: bugtraq@...urityfocus.com
Subject: Re: A new TCP/IP blind data injection technique?


Michael Wojcik <Michael.Wojcik@...rofocus.com> writes:

> > From: Valdis.Kletnieks@...edu [mailto:Valdis.Kletnieks@...edu] 
> > However, it's a trivial matter to take the original text, the 
> > replacement text, and compute an original such that the checksum
> > comes out "the same".
> 
> True, but irrelevant to the problem at hand, where the attacker has neither
> the original checksum nor the original text.

There's clearly an attack here; the attacker can replace known bits in
some parts of the stream with bits of his choice.  This can be useful
to replace, e.g., a username here or there, or a predictable URL
(perhaps in a request for a news site to a proxy server).  It is a
weakness.

What mitigates the attack is that if pMTUd is used, it won't work
because all packets will have the DF bit set.  Practically all modern
OSes will use pMTUd.  Michal pointed out in private communication that
some broken firewalls will strip the DF bit off packets.  Some of
these same firewalls will also reduce MSS and do other things designed
to prevent fragmentation; it's not clear to me how frequently
fragmentation of TCP packets happens in practice.  But in any case,
``broken firewalls have negative net effect on security'' is not
exactly a newsflash; we knew that.  Broken firewalls can also hurt
performance badly and interfere with deployment of new features in the
IP protocol (think ECN) and new applications.

Now, UDP in its default state will not set DF and, in some cases,
systems and applications are intentionally (mis)configured to send
packets that will be fragmented.  NFS, with frequently used block size
of 4kB or 8kB, would be an important example.

P.S. Since IPv6 has no notion of en-route fragmentation, it is immune.
This is actually the first known to me example of a security issue
where IPv6 design actually improves security.

-- 
Stanislav Shalunov		http://www.internet2.edu/~shalunov/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ