Bugtraq mailing list archives
unused bit attack alert
From: archiver () DB GEOCRAWLER COM (LigerTeam)
Date: Mon, 21 Feb 2000 07:43:54 -0800
This message was sent from Geocrawler.com by "LigerTeam" <ligerteam () hotmail com>. Be sure to reply to that address.

LigerTeam Advisory: "unused bit attack"

Our team discovered one problem. In some cases it is simple, but it could be a serious security problem in programming related to TCP/IP.

In fact, the TCP header has 6 kinds of TCP flags (SYN, ACK, PSH, RST, FIN, URG). The problem is that the flag value in the TCP header is handled as a 1-byte variable of type u_char (ex: see the tcp.h file). Each flag corresponds to 1 bit, but the byte has 2 unused bits:

|unused|unused|URG|ACK|PSH|RST|SYN|FIN|

Understanding of the problem is simple. Let's compare the two codes, e.g. several code types of a SYN scan detector program:

i)  if ( flag == TH_SYN )
ii) if ( flag & TH_SYN )

(TH_SYN -> SYN flag)

The i) code is true only when the SYN flag bit alone is set to 1, so the flag value is 0x2, i.e. |0|0|0|0|0|0|1|0| in bits. The next ii) code is true whenever the SYN flag bit (the TH_SYN value in flags) is set to 1; the state of the other bits is not influential.

Eventually, we can easily know a very important thing. If hackers set one or both of the two higher (unused) bits to 1, the ii) code type has a false value, but the i) code type loses its true value, and hackers avoid the scan detector. When the highest bit is set to 1 and the SYN flag bit is 1, the flag variable is |1|0|0|0|0|0|1|0| = 130. But this causes a mismatch with the TH_SYN value by the rule of the TCP/IP code, and the if statement has a false value. Moreover, as the TCP/IP code is built on bit computing, it accepts the flags as a SYN since that flag bit, the only one, is still set to 1.

Conclusion: When the flags variable in the TCP header is compared in full with a given value, the higher two bits (unused bits) must be cleared and set to 0.

Solution: LigerTeam strongly proposes inserting the following solution code before the computation on the flag variable:

flag = flags & 0x3f;

Weak program: At this time, the main technical papers for the RTSD (Real Time Scan Detecter) spread by CERT-KR show a representative weak case. It says that when (only) a SYN packet of TCP is captured, the condition is tcp[13] == 2 (SYN). This is the very point. We thought that other SYN packet sensing tools had fallen into a similar situation. We have simply tested several firewalls which might contain that kind of problem and have gotten the result that there was no problem in our view. All TCP/IP-related security programs using the previous i) code pattern are weak, e.g. if (flag == (TH_SYN | TH_ACK)) etc.

PS: IP has one more bit not used. Strictly speaking, not defined.

http://liger.fnetwork.com
Contact us: ligerteam () hotmail com
-The Security LigerTeam 2000 Korea-

Geocrawler.com - The Knowledge Archive
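The following C program is an added illustration of the two detector patterns the post compares and of its `flags & 0x3f` fix; it is not part of LigerTeam's message or of the RTSD tool. The TH_* constants follow netinet/tcp.h; the struct tcp_hdr layout, the make_segment helper, the 20-byte sample segment and the four detector functions are this example's own. One caveat the post predates: the two "unused" bits were assigned to ECN by RFC 3168 (CWR = 0x80, ECE = 0x40), so a legitimate ECN-setup SYN carries 0xC2 today and an exact `tcp[13] == 2` compare misses it even with no attacker involved. The example therefore also shows the check a practitioner writes now, testing only the bits that matter (SYN set, ACK clear) instead of masking and comparing the whole byte.

```c
#include <assert.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits as laid out in byte 13 of the TCP header (netinet/tcp.h names). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
/* "Unused" in 2000; later assigned to ECN by RFC 3168. */
#define TH_ECE  0x40
#define TH_CWR  0x80
#define TH_FLAGMASK 0x3f   /* the six flags the post's detector cares about */

/* Minimal TCP header with just the fields this example needs (example layout). */
struct tcp_hdr {
    uint16_t sport, dport;
    uint32_t seq, ack;
    uint8_t  doff_rsvd;   /* data offset (4 bits) + reserved (4 bits) */
    uint8_t  flags;       /* byte 13 on the wire: CWR|ECE|URG|ACK|PSH|RST|SYN|FIN */
    uint16_t win, csum, urp;
};

/* Constructed 20-byte SYN segment (no options) whose flags byte is 0x82:
 * SYN plus the highest "unused" bit, the 130 from the post. */
static const uint8_t sample_syn_0x82[20] = {
    0x9c, 0x40, 0x00, 0x16,             /* sport 40000, dport 22 */
    0x00, 0x00, 0x00, 0x01,             /* seq */
    0x00, 0x00, 0x00, 0x00,             /* ack */
    0x50, 0x82,                         /* doff=5, flags=0x82 */
    0xff, 0xff, 0x00, 0x00, 0x00, 0x00  /* win, csum, urp */
};

/* Read the flags byte the way a BPF filter does (tcp[13]); -1 if truncated. */
static int tcp_flags_byte(const uint8_t *seg, size_t len) {
    if (len < 20) return -1;
    return seg[13];
}

/* Pattern i) from the post, and the RTSD filter tcp[13] == 2:
 * exact equality, so any extra bit in the byte makes it miss. */
static int syn_only_exact(const struct tcp_hdr *h) {
    return h->flags == TH_SYN;
}

/* Pattern ii): bitwise test. Fires on every segment with SYN set, SYN|ACK included. */
static int syn_bit_set(const struct tcp_hdr *h) {
    return (h->flags & TH_SYN) != 0;
}

/* The post's fix: clear the two high bits, then compare the whole byte. */
static int syn_only_masked(const struct tcp_hdr *h) {
    uint8_t flag = h->flags & TH_FLAGMASK;
    return flag == TH_SYN;
}

/* Current practice: test only the bits you mean (SYN set, ACK clear) and
 * ignore the rest, ECN bits included. */
static int syn_not_ack(const struct tcp_hdr *h) {
    return (h->flags & (TH_SYN | TH_ACK)) == TH_SYN;
}

/* Build a header with a given flags byte (constructed, no network involved). */
static struct tcp_hdr make_segment(uint8_t flags) {
    struct tcp_hdr h;
    memset(&h, 0, sizeof h);
    h.sport = 40000;
    h.dport = 22;
    h.doff_rsvd = 5 << 4;
    h.flags = flags;
    return h;
}

int main(void) {
    const struct { const char *name; uint8_t flags; } cases[] = {
        { "plain SYN (0x02)",               TH_SYN },
        { "SYN + highest bit (0x82 = 130)", TH_SYN | TH_CWR },
        { "SYN + both high bits (0xC2)",    TH_SYN | TH_CWR | TH_ECE },
        { "SYN|ACK (0x12)",                 TH_SYN | TH_ACK },
    };
    printf("wire sample tcp[13] = 0x%02x\n",
           tcp_flags_byte(sample_syn_0x82, sizeof sample_syn_0x82));
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        struct tcp_hdr h = make_segment(cases[i].flags);
        printf("%-34s exact=%d bit=%d masked=%d syn_not_ack=%d\n",
               cases[i].name, syn_only_exact(&h), syn_bit_set(&h),
               syn_only_masked(&h), syn_not_ack(&h));
    }
    return 0;
}
```

Run as-is, the table shows the post's point in one line: for 0x82 the exact compare returns 0 while the bit test and both fixed checks return 1; for SYN|ACK the bit test still fires but the two "SYN only" checks do not. The same distinction holds for packet-filter syntax: `tcp[13] == 2` is the exact compare, while `tcp[tcpflags] & (tcp-syn|tcp-ack) == tcp-syn` is the syn_not_ack form.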
Current thread:
- Re: snmp problems still alive..., (continued)
- Re: snmp problems still alive... Gus Huber (Feb 15)
- cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive monti (Feb 17)
- Sun Internet Mail Server Michal Krzysztofowicz (Feb 19)
- flex license manager tempfile predictable name... sp00n (Feb 21)
- Re: flex license manager tempfile predictable name... Roelof JT Jonkman (Feb 22)
- Re: flex license manager tempfile predictable name... David Evans (Feb 23)
- cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive monti (Feb 17)
- FreeBSD Security Advisory: FreeBSD-SA-00:03.asmon Kris Kennaway (Feb 19)
- Re: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive Michal Zalewski (Feb 20)
- Patch Available for "VM File Reading" Vulnerability Microsoft Product Security (Feb 19)
- Re: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive Michal Zalewski (Feb 20)
- Re: snmp problems still alive... Gus Huber (Feb 15)
- unused bit attack alert LigerTeam (Feb 21)
- A.L.E.R.T.: BigMailBox.com href tokens leave mailboxes open to control by a malicious site. Cancer Omega (Feb 21)
- Re: unused bit attack alert Jochen Bauer (Feb 22)
- Re: unused bit attack alert Carlos García Argos (Feb 22)
- Re: unused bit attack alert CyberPsychotic (Feb 22)
- Re: snmp problems still alive... Damir Rajnovic (Feb 17)