Security Basics mailing list archives
Re: ip id numbers
From: "crawford charles" <biv0uac17 () hotmail com>
Date: Wed, 12 Mar 2003 18:49:35 +0000
As regards how this might be leveraged as an exploit: tricky, but you might be able to use it to inject data or hijack a session, but more inefficiently than using the TCP SEQ/ACK-exploits.
Predict the next IP-ID to be sent, send a packet with that ID, (and spoofed source) TCP/UDP headers, etc., but set the fragment bit. The receiving IP-stack should try to re-assemble the fragmented packet using the crafted packet as the first fragment, followed by the "real" packet from the client/server. Or indeed, send the crafted opening/closing fragments "around" the "real" packet. With any luck, the "real packet" will get dropped, and your crafted data will be accepted in its stead.
But it is clumsy, target-stack-dependent, and VERY timing-dependent.
C.

From: Carlos Eduardo Pinheiro [mailto:cabeca () gmx net]
Sent: Tuesday, March 11, 2003 11:06 AM
To: security-basics () securityfocus com
Subject: Re: ip id numbers

Hi doug,
ID flag indicates which datagram fragments belong together so datagrams do not get mismatched and sequence numbers are used to reassemble data in the order in which it was sent.

Carlos Eduardo Pinheiro - cabeca () gmx net - ICQ #: 134439332
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEC75A11D
2089 293E 6E35 72C2 BDED 06E5 58E7 E4FF EC75 A11D

----- Original Message -----
From: <dsax () syseng com>
To: <security-basics () securityfocus com>
Sent: Monday, March 10, 2003 1:16 PM
Subject: ip id numbers

> Hi,
> I'm new to posting on this list although I'm a long-time lurker. I'm
> familiar with tcp sequence number exploits. Recently I've seen references
> to non-random ip id numbers and how they can be exploited. Can anyone
> explain the difference between tcp sequence and ip id numbers?
> thanks,
> doug sax
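A defender's view of the fragment collision discussed in this thread, as an added example that is not part of the original posts: it groups packets by the IPv4 reassembly key and flags queues where a whole datagram collides with a fragment or where overlapping fragments disagree. The record layout, the function name and the sample packets are constructed for illustration, and the records are assumed to come from one short capture window so that normal IP ID wrap-around does not appear.

```python
from collections import defaultdict

# Constructed sample records (not captured traffic), one per IPv4 packet:
# (src, dst, protocol, ip_id, byte_offset, more_fragments, payload)
SAMPLE = [
    # Ordinary two-fragment datagram: ranges do not overlap.
    ("192.0.2.10", "198.51.100.5", 6, 0x1000, 0, True, b"A" * 16),
    ("192.0.2.10", "198.51.100.5", 6, 0x1000, 16, False, b"B" * 8),
    # A first fragment, then an unfragmented datagram reusing the same IP ID.
    ("192.0.2.10", "198.51.100.5", 6, 0x1001, 0, True, b"X" * 16),
    ("192.0.2.10", "198.51.100.5", 6, 0x1001, 0, False, b"real payload bytes"),
    # Duplicate fragment with identical bytes: harmless retransmission.
    ("192.0.2.10", "198.51.100.5", 6, 0x1002, 0, True, b"Z" * 8),
    ("192.0.2.10", "198.51.100.5", 6, 0x1002, 0, True, b"Z" * 8),
]


def find_reassembly_conflicts(packets):
    """Return a sorted list of (key, reason) for suspicious reassembly queues.

    key is (src, dst, protocol, ip_id), the tuple IPv4 uses to group fragments.
    """
    seen = defaultdict(list)  # key -> [(offset, more_fragments, payload)]
    alerts = set()
    for src, dst, proto, ip_id, offset, mf, payload in packets:
        key = (src, dst, proto, ip_id)
        whole = offset == 0 and not mf  # an unfragmented datagram
        for o_off, o_mf, o_data in seen[key]:
            o_whole = o_off == 0 and not o_mf
            if whole != o_whole:
                alerts.add((key, "whole datagram and fragment share an IP ID"))
            # Compare the bytes in the range covered by both packets.
            start = max(offset, o_off)
            end = min(offset + len(payload), o_off + len(o_data))
            if start < end:
                mine = payload[start - offset:end - offset]
                theirs = o_data[start - o_off:end - o_off]
                if mine != theirs:
                    alerts.add((key, "overlapping fragments carry different bytes"))
        seen[key].append((offset, mf, payload))
    return sorted(alerts)


if __name__ == "__main__":
    for key, reason in find_reassembly_conflicts(SAMPLE):
        print(key, reason)
```

Only the second flow in the sample is reported; the clean two-fragment datagram and the byte-identical duplicate are not.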