Security Basics mailing list archives

Re: ip id numbers


From: "crawford charles" <biv0uac17 () hotmail com>
Date: Wed, 12 Mar 2003 18:49:35 +0000

As regards how this might be leveraged as an exploit:
tricky, but you might be able to use it to inject data or hijack a session, but more inefficiently than using the TCP SEQ/ACK-exploits.

Predict the next IP-ID to be sent, send a packet with that ID, (and spoofed source) TCP/UDP headers, etc., but set the fragment bit. The receiving IP-stack should try to re-assemble the fragmented packet using the crafted packet as the first fragment, followed by the "real" packet from the client/server. Or indeed, send the crafted opening/closing fragments "around" the "real" packet. With any luck, the "real packet" will get dropped, and your crafted data will be accepted in its stead.

But it is clumsy, target-stack-dependent, and VERY timing-dependent.

C.

From: Carlos Eduardo Pinheiro [mailto:cabeca () gmx net]
Sent: Tuesday, March 11, 2003 11:06 AM
To: security-basics () securityfocus com
Subject: Re: ip id numbers


Hi doug,

ID flag indicates which datagram fragments belong together so datagrams do not get mismatched and sequence numbers are used to reassemble data in the order in which it was sent.


Carlos Eduardo Pinheiro - cabeca () gmx net - ICQ #: 134439332
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEC75A11D
2089 293E 6E35 72C2 BDED  06E5 58E7 E4FF EC75 A11D

----- Original Message -----
From: <dsax () syseng com>
To: <security-basics () securityfocus com>
Sent: Monday, March 10, 2003 1:16 PM
Subject: ip id numbers


> Hi,
> I'm new to posting on this list although I'm a long-time lurker. I'm
> familiar with TCP sequence number exploits. Recently I've seen references
> to non-random IP ID numbers and how they can be exploited. Can anyone
> explain the difference between TCP sequence and IP ID numbers?
> thanks,
> doug sax


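The fragment scenario in Charles' reply only works when a host hands out IP identification values that an off-path party can guess, so the useful defender-side check is to sample the IDs your own stack emits and see whether a trivial counter model predicts them. The script below is an added example and is not code from the original thread: it takes IP ID values observed in consecutive packets from one host (the sample lists here are constructed, not captured), classifies the generator the way a host audit would, and reports how often "previous ID plus one" would have guessed the next value. Function names, class labels and the 1000 threshold for "small positive increments" are my own choices.

```python
"""Audit the 16-bit IP identification field of a host's outgoing packets
for predictability (added example, constructed sample data).

Fragment reassembly keys on (source, destination, protocol, ID), so a host
whose IDs follow a plain counter lets someone who has seen one packet guess
the ID of the next; a randomized field does not. This module classifies a
sampled ID sequence and measures how well a counter model predicts it.
"""

ID_SPACE = 1 << 16  # the identification field wraps modulo 2^16


def id_deltas(ids):
    """Wrap-around differences between consecutive IDs, each in [0, 65535]."""
    return [(b - a) % ID_SPACE for a, b in zip(ids, ids[1:])]


def classify_ipid(ids):
    """Label the generator behind a sequence of observed IP IDs.

    Labels (assumed naming, not a standard):
      all-zeros, constant, incremental, incremental-byteswapped,
      small-positive-increments, random
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples to classify")
    if all(i == 0 for i in ids):
        return "all-zeros"
    deltas = id_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(d == 1 for d in deltas):
        return "incremental"
    # A counter written little-endian into the big-endian field shows up
    # on the wire as steps of 256.
    if all(d == 256 for d in deltas):
        return "incremental-byteswapped"
    # Steps that are positive but larger than one suggest a counter shared
    # among several flows: still far easier to guess than a random field.
    if all(0 < d < 1000 for d in deltas):
        return "small-positive-increments"
    return "random"


def counter_hit_rate(ids, step=1):
    """Fraction of IDs that the model 'previous ID + step' would have guessed."""
    deltas = id_deltas(ids)
    if not deltas:
        raise ValueError("need at least two samples")
    return sum(1 for d in deltas if d == step) / len(deltas)


def audit(ids):
    """Return a small report dict for one sampled host."""
    label = classify_ipid(ids)
    hit_rate = counter_hit_rate(ids)
    return {
        "class": label,
        "counter_hit_rate": hit_rate,
        "predictable": label != "random",
    }


# Constructed sample sequences (not real captures).
SAMPLES = {
    "counter":      [41020, 41021, 41022, 41023, 41024, 41025],
    "wrapping":     [65534, 65535, 0, 1],          # exercises the modulo wrap
    "byteswapped":  [0x3A00, 0x3B00, 0x3C00, 0x3D00],
    "randomized":   [52173, 4096, 31987, 60001, 9133, 27444],
    "zeros":        [0, 0, 0, 0],
}

if __name__ == "__main__":
    for name, ids in SAMPLES.items():
        report = audit(ids)
        print(f"{name:12s} {report['class']:26s} "
              f"counter hit rate {report['counter_hit_rate']:.2f} "
              f"predictable={report['predictable']}")
```

Run it against IDs sampled from a host you administer; anything other than "random" means a remote party who sees one packet from that host can narrow down the next ID, which is the precondition for the fragment-collision scenario above, and the fix is a stack that randomizes the field rather than any change at the application layer.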

