lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Message-ID: <46195dce.2dd7132a.437a.3fb6@mx.google.com>
Date: Sun, 08 Apr 2007 18:24:59 -0300
From: Fernando Gont <fernando.gont@...il.com>
To: Valdis.Kletnieks@...edu,C Q <kyle.c.quest@...il.com>
Cc: funsec@...uxbox.org, Randall M <randallm@...mail.com>,
	full-disclosure@...ts.grok.org.uk
Subject: Re: [funsec] Vista Protected Processes  Bypassed

At 02:41 p.m. 08/04/2007, Valdis.Kletnieks@...edu wrote:

>Quite often, the *real* security issue is that the protection a given feature
>*actually* provides by design isn't the security that people *think* it
>provides.  For example, some of us may remember a while ago, when there was
>a whole flurry of activity regarding TCP sequence numbers and RST packets.
>
>Turned out that in fact, TCP has *always* worked that way, in that an RST
>doesn't have to match exactly, it only needs to be inside the window. When
>RTT*bandwidth products were low and windows were small, in a 2**32 sequence
>space, the distinction between "match" and "within 16K" was easily overlooked.
>The community just needed a slap upside the head, because with multi-megabyte
>windows on today's high-speed links, the distinction *is* important....

There are some interesting lessons around the RST stuff.

First, while everybody rushed for fancy mechanisms for preventing 
reset attacks (e.g., the one we are standardizing at the IETF), many 
vendors (still in 2007) do not yet implement TCP port randomization, 
which is an obvious mitigation for most attacks against TCP.

Second, in 2005 (a year later after the RST issues) I worked on ICMP 
attacks against TCP. One of the attacks had exactly the same impact 
as the TCP-based reset attack. However, it required much less effort 
on the side of the attacker (no need to guess TCP sequence 
numbers)... yet it was overlooked (even after being hit a year later 
by the TCP-based counterpart).

Third, regarding the protection people *thinks* that some mechanisms 
provide, probably two great examples are IPsec and the TCP MD5 
option. Everybody assumed that IPsec and TCP MD5 provided protection 
against ICMP-based attacks, when they really didn't, and still do not.

Finally, I'd say that probably the biggest problem with the security 
issues in TCP and other core protocols is that everybody assumes that 
they know by heart how these protocols work, and that any issues in 
them have already already been fixed. Recent history has shown that 
both of these assumptions are incorrect.

Kind regards,

-- 
Fernando Gont
e-mail: fernando@...t.com.ar || fgont@....org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1




_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ