Message-ID: <46195dce.2dd7132a.437a.3fb6@mx.google.com>
Date: Sun, 08 Apr 2007 18:24:59 -0300
From: Fernando Gont <fernando.gont@...il.com>
To: Valdis.Kletnieks@...edu, C Q <kyle.c.quest@...il.com>
Cc: funsec@...uxbox.org, Randall M <randallm@...mail.com>,
full-disclosure@...ts.grok.org.uk
Subject: Re: [funsec] Vista Protected Processes Bypassed
At 02:41 p.m. 08/04/2007, Valdis.Kletnieks@...edu wrote:
>Quite often, the *real* security issue is that the protection a given feature
>*actually* provides by design isn't the security that people *think* it
>provides. For example, some of us may remember a while ago, when there was
>a whole flurry of activity regarding TCP sequence numbers and RST packets.
>
>Turned out that in fact, TCP has *always* worked that way, in that an RST
>doesn't have to match exactly, it only needs to be inside the window. When
>RTT*bandwidth products were low and windows were small, in a 2**32 sequence
>space, the distinction between "match" and "within 16K" was easily overlooked.
>The community just needed a slap upside the head, because with multi-megabyte
>windows on today's high-speed links, the distinction *is* important....
There are some interesting lessons around the RST stuff.
First, while everybody rushed for fancy mechanisms for preventing
reset attacks (e.g., the one we are standardizing at the IETF), many
vendors (still in 2007) do not yet implement TCP port randomization,
which is an obvious mitigation for most attacks against TCP.
Second, in 2005 (a year after the RST issues) I worked on ICMP
attacks against TCP. One of the attacks had exactly the same impact
as the TCP-based reset attack. However, it required much less effort
on the side of the attacker (no need to guess TCP sequence
numbers)... yet it was overlooked (even after being hit a year later
by the TCP-based counterpart).
Third, regarding the protection people *think* that some mechanisms
provide, probably two great examples are IPsec and the TCP MD5
option. Everybody assumed that IPsec and TCP MD5 provided protection
against ICMP-based attacks, when they really didn't, and still do not.
Finally, I'd say that probably the biggest problem with the security
issues in TCP and other core protocols is that everybody assumes that
they know by heart how these protocols work, and that any issues in
them have already been fixed. Recent history has shown that
both of these assumptions are incorrect.
Kind regards,
--
Fernando Gont
e-mail: fernando@...t.com.ar || fgont@....org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
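A worked example added to this archived thread (not code from either poster) that puts numbers on the point both messages make: a RST accepted anywhere inside the receive window shrinks the sequence-number search from 2**32 to 2**32/window, and source-port randomization multiplies the attacker's cost back up. The window sizes and the 1024-65535 ephemeral range below are constructed inputs, not measurements.

```python
"""Cost model for blind, off-path TCP resets under in-window RST
acceptance, and the effect of source-port randomization.  Added example;
window sizes and port ranges are constructed assumptions."""

SEQ_SPACE = 2 ** 32  # size of the TCP sequence-number space


def rst_guesses(window: int, exact_match: bool = False) -> int:
    """Spoofed segments needed to sweep the sequence space once.

    Classic TCP accepts a RST whose SEQ lies anywhere in the receive
    window, so one probe per `window` sequence numbers suffices.  With
    exact matching (the behaviour people assumed) every value is a guess.
    """
    if window <= 0:
        raise ValueError("window must be positive")
    step = 1 if exact_match else window
    return -(-SEQ_SPACE // step)  # ceiling division


def packets_to_cover(window: int, port_choices: int = 1,
                     exact_match: bool = False) -> int:
    """Worst-case segments to be certain of hitting one connection.

    If the client's ephemeral port is predictable, port_choices is 1.
    With port randomization the sweep must be repeated for every
    candidate port, so the cost scales linearly with the range size.
    """
    if port_choices <= 0:
        raise ValueError("port_choices must be positive")
    return rst_guesses(window, exact_match) * port_choices


def exposure_table(windows, port_choices):
    """Map each window size to (predictable-port cost, randomized-port cost)."""
    return {w: (packets_to_cover(w, 1), packets_to_cover(w, port_choices))
            for w in windows}


if __name__ == "__main__":
    # Constructed scenarios: a 16 KiB window as in the old days versus a
    # 4 MiB window on a fast link; assume an ephemeral range of 1024-65535.
    RANDOMIZED_PORTS = 65535 - 1024 + 1
    for w, (fixed, rnd) in exposure_table([16 * 1024, 4 * 1024 * 1024],
                                          RANDOMIZED_PORTS).items():
        print(f"window {w:>8} B: {fixed:>12,} segments with a predictable "
              f"port, {rnd:>15,} with port randomization")
```

The 16 KiB case needs 2**18 segments per port, which is why the in-window rule was easy to ignore; at 4 MiB it drops to 1024, and only the port-range factor keeps the number large.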