lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
From: lcamtuf at ghettot.org (Michal Zalewski)
Subject: Core Internet Vulnerable - News at 11:00

On Tue, 20 Apr 2004, Crist J. Clark wrote:

> Does anyone know WTF they are trying to say in this AP article,
> "Core Internet Technology Is Vulnerable,"

http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Just to have my $.02, I've posted a quick IMO piece about this to
vulndiscuss (just as, without doubt, dozens of others decided to do), but
I'm not sure it'll make it through.

Here it is, for your amusement:

/.../

This vulnerability report, in essence, states that data injection attacks
in TCP/IP sessions (and in particular, forcing connections to be dropped
by spoofing RST packets), do not require the attacker to guess the exact
sequence number, but rather operate within the range of sequence numbers
defined by window size / window scale parameters of the connection. This
report is based on Mr. Watson's presentation at CanSecWest this year.

I see this report comes from a reputable source and mentions, among
others, Steve Bellovin as one of folks involved in helping prepare it, but
I feel utterly confused and stumped by how it deserves being called a new
vulnerability. Although the original paper is valid, and it is definitely
a great conference speech material, I fail to see how this attack may be
even remotely considered a new vulnerability.

With just a quick google, I can find references going back to as early as
1996 IP spoofing paper that clearly mentions the ability to insert data
into processing buffer by merely fitting into the receive window:

  http://www.networkcommand.com/docs/ipspoof.txt

Similarly, CERT advisory released after Tim Newsham and I published our
TCP/IP ISN prediction papers (CA-2001-09) mentioned the very same
possibility. Countless other less or more specific references to this
common knowledge may be found across the web in no time, perhaps dating
back to even earlier years.

Connection dropping attacks are a specific case of data injection
(connection hijacking) blind spoof attacks - the most popular and most
commonly practiced case, that is. As such, I think there is both extensive
prior knowledge (and art) for this vulnerability, and branding a
subvariant of it a new attack is a tad misleading (shame on NISCC for not
researching the issue?).

That said, kudos to Watson: it is definitely good to see this problem
being finally discussed in broad daylight; I think it would be good to see
some kludges intended to mitigate it a bit.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-04-20 21:05 --

   http://lcamtuf.coredump.cx/photo/current/


Powered by blists - more mailing lists