Re: Borderware predictable initial TCP sequence numbers

[sullivan () SECLAB COM (Gigi Sullivan)]

Hello there,

This can be applied also to Firewall-1 (CheckPoint) running on an
HP-UX 10.X series.


bye bye


                        -- gg sullivan

--
Lorenzo Cavallaro
Intesis SECURITY LAB            Phone: +39-2-671563.1
Via Settembrini, 35             Fax: +39-2-66981953
I-20124 Milano  ITALY           Email: sullivan () seclab com


On Tue, 1 Sep 1998, Roy Hills wrote:

> Date: Tue, 1 Sep 1998 09:55:24 +0100
> From: Roy Hills <Roy.Hills () NTA-MONITOR COM>
> To: BUGTRAQ () NETSPACE ORG
> Subject: Borderware predictable initial TCP sequence numbers
>
> While performing an Internet security scan (aka penetration test) for a UK
> corporate customer, I've discovered that version 5 of Borderware Firewall
> generates predictable initial TCP sequence numbers in response to incoming
> SYNs.  The observed pattern is the familiar "64k increments" often seen
> on older Unix kernels.  This allows TCP connections to be established
> with a spoofed source address.

[snip]

> --
> Roy Hills                                    Tel:   01634 721855
> NTA Monitor Ltd                              FAX:   01634 721844
> 6 Beaufort Court, Medway City Estate,        Email: Roy.Hills () nta-monitor com
> Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/