From: exibar at thelair.com (Exibar)
Subject: Core Internet Vulnerable - News at 11:00

I agree that it's not new, or appears not to be new.  What bothers me about
it is that now it is *very* well known and the "kiddies" will start making
use of it for "fun and profit"....

 Ex


----- Original Message ----- 
From: "Michal Zalewski" <lcamtuf@...ttot.org>
To: <cjclark@...m.mit.edu>
Cc: <full-disclosure@...ts.netsys.com>
Sent: Tuesday, April 20, 2004 3:45 PM
Subject: Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00


> On Tue, 20 Apr 2004, Crist J. Clark wrote:
>
> > Does anyone know WTF they are trying to say in this AP article,
> > "Core Internet Technology Is Vulnerable,"
>
> http://www.uniras.gov.uk/vuls/2004/236929/index.htm
>
> Just to have my $.02, I've posted a quick IMO piece about this to
> vulndiscuss (just as, without doubt, dozens of others decided to do), but
> I'm not sure it'll make it through.
>
> Here it is, for your amusement:
>
> /.../
>
> This vulnerability report, in essence, states that data injection attacks
> in TCP/IP sessions (and in particular, forcing connections to be dropped
> by spoofing RST packets), do not require the attacker to guess the exact
> sequence number, but rather operate within the range of sequence numbers
> defined by window size / window scale parameters of the connection. This
> report is based on Mr. Watson's presentation at CanSecWest this year.
>
> I see this report comes from a reputable source and mentions, among
> others, Steve Bellovin as one of the folks involved in helping prepare it, but
> I feel utterly confused and stumped by how it deserves being called a new
> vulnerability. Although the original paper is valid, and it is definitely
> a great conference speech material, I fail to see how this attack may be
> even remotely considered a new vulnerability.
>
> With just a quick google, I can find references going back to as early as
> 1996 IP spoofing paper that clearly mentions the ability to insert data
> into the processing buffer by merely fitting into the receive window:
>
>   http://www.networkcommand.com/docs/ipspoof.txt
>
> Similarly, the CERT advisory released after Tim Newsham and I published our
> TCP/IP ISN prediction papers (CA-2001-09) mentioned the very same
> possibility. Countless other more or less specific references to this
> common knowledge may be found across the web in no time, perhaps dating
> back to even earlier years.
>
> Connection dropping attacks are a specific case of data injection
> (connection hijacking) blind spoof attacks - the most popular and most
> commonly practiced case, that is. As such, I think there is both extensive
> prior knowledge (and art) for this vulnerability, and branding a
> subvariant of it a new attack is a tad misleading (shame on NISCC for not
> researching the issue?).
>
> That said, kudos to Watson: it is definitely good to see this problem
> being finally discussed in broad daylight; I think it would be good to see
> some kludges intended to mitigate it a bit.
>
> -- 
> ------------------------- bash$ :(){ :|:&};: --
>  Michal Zalewski * [http://lcamtuf.coredump.cx]
>     Did you know that clones never use mirrors?
> --------------------------- 2004-04-20 21:05 --
>
>    http://lcamtuf.coredump.cx/photo/current/
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
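
The point of the quoted message, that a spoofed RST only has to land anywhere inside the receive window rather than hit the exact sequence number, is easy to make concrete. The following is an added example written for this archive page; it is not code from either poster. It uses the RFC 793 acceptance test (SEG.SEQ in [RCV.NXT, RCV.NXT+RCV.WND), with 32-bit wraparound) and, for comparison, the stricter exact-match RST test later standardized in RFC 5961, which postdates this thread. The attacker model (a blind attacker who already knows both ports and simply walks the sequence space one window at a time) and the sample RCV.NXT values are assumptions made for the illustration.

```python
# Added example, not from the original post: how many blind RST probes an
# in-window attack needs, compared with having to guess the exact sequence
# number. Port guessing is ignored; the attacker is assumed to know the 4-tuple.
import math

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptance test: a segment is acceptable if its sequence number
    lies in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32. A spoofed RST that
    passes this test tears the connection down."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def exact_match(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Stricter RST test from RFC 5961 (later than this thread): the RST is
    acted on only when SEG.SEQ == RCV.NXT; an in-window but inexact RST just
    draws a challenge ACK. Shown for comparison of attacker cost."""
    return seg_seq == rcv_nxt


def effective_window(wnd_field: int, wscale: int) -> int:
    """RCV.WND as the peer advertises it: the 16-bit window field shifted by
    the window scale option. Scaling is what makes large windows, and hence
    cheap blind resets, common."""
    return wnd_field << wscale


def probes_to_cover_space(rcv_wnd: int, strict: bool = False) -> int:
    """Upper bound on RST probes, spaced one window apart, needed to cover the
    whole 32-bit sequence space. With the exact-match rule every value must be
    tried, so the bound is the full 2**32."""
    if strict:
        return SEQ_SPACE
    return math.ceil(SEQ_SPACE / rcv_wnd)


def blind_reset(rcv_nxt: int, rcv_wnd: int, start: int = 0):
    """Simulate a blind attacker who does not know RCV.NXT and sends RSTs at
    start, start+wnd, start+2*wnd, ... until one is accepted under the RFC 793
    rule. Returns (number of RSTs sent, sequence number that was accepted).
    Each probe at seq s is accepted for every RCV.NXT in (s - wnd, s], so the
    probes partition the space and the loop always ends within the bound."""
    seq = start % SEQ_SPACE
    bound = probes_to_cover_space(rcv_wnd)
    for sent in range(1, bound + 1):
        if in_window(seq, rcv_nxt, rcv_wnd):
            return sent, seq
        seq = (seq + rcv_wnd) % SEQ_SPACE
    raise RuntimeError("bound exceeded; the covering argument above is wrong")


if __name__ == "__main__":
    # Assumed sample connection state for the illustration.
    for wnd_field, wscale in ((65535, 0), (16384, 6)):
        wnd = effective_window(wnd_field, wscale)
        rcv_nxt = 123456789
        sent, seq = blind_reset(rcv_nxt, wnd)
        print(f"window={wnd}: worst case {probes_to_cover_space(wnd)} probes, "
              f"this run hit after {sent} (seq {seq}); "
              f"exact-match rule would need up to {probes_to_cover_space(wnd, strict=True)}")
```

With an unscaled 64 KiB window the whole sequence space is covered in about 65 k spoofed RSTs, and a window scaled to 1 MiB brings that down to 4096, which is the cost reduction the quoted message describes as long-known rather than new; the exact-match rule pushes the attacker back to the full 2^32 guesses.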

