Bugtraq mailing list archives
Re: Linux zero IP ID vulnerability?
From: Marco Ivaldi <raptor () 0xdeadbeef info>
Date: Wed, 15 Mar 2006 10:26:00 +0100 (CET)
I've received a couple of off-list replies. See my comments in-line. On Tue, 14 Mar 2006, Martin Mačok wrote:
Have you verified that the sequence is global and not only per peer? The latter would mean that "vuln" can't be used as a middle-man for IDLE scanning...
Yeah, of course i've verified that (see below). On Tue, 14 Mar 2006, Cody Tubbs wrote:
Unless you're using the syn/ack flags to localhost, other hosts should not be replying (I can't seem to reproduce this on any of the hosts I've tried, accept ofcourse on localhost). What is a host(s) you've successfully tried this towards that's not localhost? Thanks.
Not sure i fully understand your comments... Anyway, here's an host showing the flawed behaviour (Gentoo Linux 2.6.14-gentoo-r5 + grsec):
root@pandora:~# hping -SA -c 3 research.mediaservice.net -p 80HPING research.mediaservice.net (eth0 82.56.144.13): SA set, 40 headers + 0 data bytes len=46 ip=82.56.144.13 ttl=59 DF id=48842 sport=80 flags=R seq=0 win=0 rtt=57.4 ms len=46 ip=82.56.144.13 ttl=59 DF id=48843 sport=80 flags=R seq=1 win=0 rtt=57.8 ms len=46 ip=82.56.144.13 ttl=59 DF id=48845 sport=80 flags=R seq=2 win=0 rtt=57.6 ms
--- research.mediaservice.net hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss round-trip min/avg/max = 57.4/57.6/57.8 ms root@charon:~# hping -SA -c 3 research.mediaservice.net -p 80HPING research.mediaservice.net (dc0 82.56.144.13): SA set, 40 headers + 0 data bytes len=46 ip=82.56.144.13 ttl=59 DF id=48850 sport=80 flags=R seq=0 win=0 rtt=53.7 ms len=46 ip=82.56.144.13 ttl=59 DF id=48851 sport=80 flags=R seq=1 win=0 rtt=56.3 ms len=46 ip=82.56.144.13 ttl=59 DF id=48857 sport=80 flags=R seq=2 win=0 rtt=59.1 ms
--- research.mediaservice.net hping statistic --- 3 packets tramitted, 3 packets received, 0% packet loss round-trip min/avg/max = 53.7/56.4/59.1 ms Cheers, -- Marco Ivaldi Antifork Research, Inc. http://0xdeadbeef.info/ 3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707
Current thread:
- Linux zero IP ID vulnerability? Marco Ivaldi (Mar 14)
- Message not available
- Re: Linux zero IP ID vulnerability? Marco Ivaldi (Mar 15)
- Message not available
- Re: Linux zero IP ID vulnerability? Andrea Purificato - bunker (Mar 16)
- <Possible follow-ups>
- Re: Linux zero IP ID vulnerability? Marco Ivaldi (Mar 17)
- Re: Linux zero IP ID vulnerability? Marco Ivaldi (Mar 23)
- Re: Linux zero IP ID vulnerability? GomoR (Mar 23)