lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <20031211103737.S66813@dekadens.coredump.cx>
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: A new TCP/IP blind data injection technique?

On Thu, 11 Dec 2003, Shachar Shemesh wrote:

> This attack is timing sensitive, route sensitive, and is highly
> unreliable.

So is all session injection, but we have seen practical attacks in the
past. A very popular software to drop Windows 9x users from IRC servers by
performing a RST packet injection into an existing session worked
surprisingly well.

Although the problems you mention make some attacks very difficult, in
many other cases, this is not an issue. Server-to-server communications is
often either completely predictable, or can be user-induced (and still
benefit him in some way when compromised).  In other cases, a low success
ratio is not a problem when you want to just disrupt communications at
some point, and do not care about the exact packet for which this happens
(for all sessions that last for a while).

> Those problems aside, however, there is a more fundemental problem. You
> need to time each and every fragmented packet you send to always arrive
> before or after (depending on receiving machine's IP stack) the
> corresponding legit fragment, yet before the entire packet is assembled.

Not really. You can just push a non-zero offset packet with no MF set, and
the reassembly will end immediately, without waiting for the remaining
chunks.

> Most TCP/IP connections employ PMTU discovery, and then split the stream
> at layer 4, rather then perform Layer 3 assembly.

It is a matter of OS configuration. Many systems indeed to deploy PMTU
recently. There is a catch, however: some routers, IP-over-nnn tunnels,
and some firewalls strip and/or ignore DF flag. This is not as uncommon as
we would like it to be. I actually have done some research to back this
claim while writing p0f and encountering some strange discrepancies in
observed signatures.

> Even if you found a victim that does not employ PMTU, fragmentation is
> still a rare occurance.

I would disagree, but the point of my post is not to get involved in a
pissing contest in making unfounded claims, but to open a discussion. I do
not think this is a threat one should lose sleep over, either, but the
fact is, it makes session data injection considerably easier than with ISN
guessing.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-11 10:37 --

   http://lcamtuf.coredump.cx/photo/current/


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ