Full Disclosure mailing list archives
Re: Core Internet Vulnerable - News at 11:00
From: Michal Zalewski <lcamtuf () ghettot org>
Date: Tue, 20 Apr 2004 21:45:03 +0200 (CEST)
On Tue, 20 Apr 2004, Crist J. Clark wrote:

> Does anyone know WTF they are trying to say in this AP article, "Core Internet Technology Is Vulnerable,"

http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Just to have my $.02, I've posted a quick IMO piece about this to vulndiscuss (just as, without doubt, dozens of others decided to do), but I'm not sure it'll make it through. Here it is, for your amusement:

/.../

This vulnerability report, in essence, states that data injection attacks in TCP/IP sessions (and in particular, forcing connections to be dropped by spoofing RST packets) do not require the attacker to guess the exact sequence number, but rather operate within the range of sequence numbers defined by the window size / window scale parameters of the connection. This report is based on Mr. Watson's presentation at CanSecWest this year.

I see this report comes from a reputable source and mentions, among others, Steve Bellovin as one of the folks involved in helping prepare it, but I feel utterly confused and stumped by how it deserves being called a new vulnerability. Although the original paper is valid, and it is definitely great conference speech material, I fail to see how this attack may be even remotely considered a new vulnerability.

With just a quick Google, I can find references going back to as early as a 1996 IP spoofing paper that clearly mentions the ability to insert data into the processing buffer by merely fitting into the receive window:

http://www.networkcommand.com/docs/ipspoof.txt

Similarly, the CERT advisory released after Tim Newsham and I published our TCP/IP ISN prediction papers (CA-2001-09) mentioned the very same possibility. Countless other less or more specific references to this common knowledge may be found across the web in no time, perhaps dating back to even earlier years. Connection dropping attacks are a specific case of data injection (connection hijacking) blind spoof attacks - the most popular and most commonly practiced case, that is.

As such, I think there is both extensive prior knowledge (and art) for this vulnerability, and branding a subvariant of it a new attack is a tad misleading (shame on NISCC for not researching the issue?). That said, kudos to Watson: it is definitely good to see this problem being finally discussed in broad daylight; I think it would be good to see some kludges intended to mitigate it a bit.

-- 
------------------------- bash$ :(){ :|:&};: --
Michal Zalewski * [http://lcamtuf.coredump.cx]
Did you know that clones never use mirrors?
--------------------------- 2004-04-20 21:05 --
http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
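The receive-side check the message describes, as an added example that is not part of the original post or of any TCP stack: it models the RFC 793 acceptance rule (any RST landing inside the window resets), shows how window size and window scaling shrink the blind search space, and places the stricter exact-match rule (the challenge-ACK mitigation later standardised in RFC 5961) beside it. Function names and sample values are my own.

```python
# Added illustrative model of the TCP sequence-number acceptance check;
# not code from the post, from NISCC, or from any real TCP implementation.

WRAP = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 test: rcv_nxt <= seq < rcv_nxt + rcv_wnd, modulo 2^32."""
    return (seq - rcv_nxt) % WRAP < rcv_wnd


def rst_accepted_classic(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """Original behaviour: an RST anywhere in the window tears the connection down,
    so the attacker only has to land inside rcv_wnd, not hit rcv_nxt exactly."""
    return in_window(seq, rcv_nxt, rcv_wnd)


def rst_accepted_strict(seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Mitigation (RFC 5961 style): only an exact match resets; an in-window but
    inexact RST draws a challenge ACK; anything else is dropped silently."""
    if seq == rcv_nxt:
        return "reset"
    if in_window(seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def effective_window(wnd_field: int, wscale: int) -> int:
    """Advertised 16-bit window field scaled by the window-scale option."""
    return wnd_field << wscale


def blind_guesses_needed(rcv_wnd: int) -> int:
    """Spoofed segments needed to sweep the whole 32-bit space when each one is
    accepted anywhere inside a window of rcv_wnd bytes (ceiling division)."""
    return -(-WRAP // rcv_wnd)


if __name__ == "__main__":
    # Constructed sample: a 16 KiB window versus a scaled 8 MiB window.
    for wnd in (16384, effective_window(65535, 7)):
        print(f"window {wnd:>8} bytes -> {blind_guesses_needed(wnd)} blind RSTs cover the space")
    print(rst_accepted_classic(1050, 1000, 100), rst_accepted_strict(1050, 1000, 100))
```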
Current thread:
- Core Internet Vulnerable - News at 11:00 Crist J. Clark (Apr 20)
- RE: Core Internet Vulnerable - News at 11:00 Dave D. Cawley (Apr 20)
- RE: Core Internet Vulnerable - News at 11:00 Frank Knobbe (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 Michal Zalewski (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 Exibar (Apr 20)
- RE: Core Internet Vulnerable - News at 11:00 Alerta Redsegura (Apr 20)
- RE: Core Internet Vulnerable - News at 11:00 Jade E. Deane (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 Alexander Bochmann (Apr 21)
- Re: Core Internet Vulnerable - News at 11:00 Pavel Kankovsky (Apr 20)
- RE: Core Internet Vulnerable - News at 11:00 Dave D. Cawley (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 Exibar (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 james (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 Michael Schaefer (Apr 20)
- NISCC Vulnerability Advisory 236929: Vulnerability Issues in TCP (was Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00) Chris McCulloh (Apr 20)
- Re: Core Internet Vulnerable - News at 11:00 Gregory A. Gilliss (Apr 20)