Message-ID: <Pine.LNX.4.42.0209092007270.26057-100000@nimue.bos.bindview.com>
From: lcamtuf at ghettot.net (Michal Zalewski)
Subject: Strange Attractors and TCP/IP Sequence Number Analysis - One Year Later
Hello,
Over a year ago, I published a paper that attempted to analyze the
randomness of PRNGs used in TCP/IP stacks on several operating systems.
The approach I've chosen resulted in detecting some non-trivial
dependencies in several generators, and some amusing 3D pictures. The
original RAZOR research is available here:
http://razor.bindview.com/publish/papers/tcpseq.html
Since then, I've received numerous requests to publish a follow-up
document that would review some more operating systems, and address the way
vendors addressed problems reported previously. I'm cross-posting this to
BUGTRAQ and VulnWatch, because some of the newly included or re-tested systems
turned out to have fairly weak ISNs, and I would expect some vendor
response soon.
The new review is available here:
http://lcamtuf.coredump.cx/newtcp/
To explain the reason I decided to write this - I have a strong feeling
that this problem is still important nowadays, even if often downplayed.
There are several attack scenarios to consider:
- high-profile information - website contents, e-mails, DNS zone
  transfers, ftp data, etc - is typically exchanged without encryption;
  the ability for an attacker to disrupt or modify the information flow
  in those streams is generally a bad thing in the real world; and
  weak ISNs make it much easier for a third party to accomplish this goal,
- many systems still rely on IP addresses to implement the first line
  of defense; for example, limiting access to an SSH or FTP
  server to a specific set of IP addresses is a common practice; the
  underlying service can become exposed if the system has weak ISNs,
- IP addresses logged for a completed TCP/IP handshake are typically
  trusted by administrators for purposes such as tracking spam,
  script kiddies, or detecting unauthorized access. The ability for
  an attacker to act as another system can mislead the administrator,
- most crypto protocols turned out to be less than perfect;
  susceptibility to MITM attacks is a pretty common problem,
  sometimes caused by the implementation, often caused by the human
  factor; blind spoofing makes it feasible to launch certain MITM
  attacks.
Note that I'm not trying to be alarmist, the sky is not falling yet, but
it's certainly something worth looking at.
Well :-) Have fun.
--
Michal Zalewski
Got jobs?