Full Disclosure mailing list archives
Re: [funsec] Vista Protected Processes Bypassed
From: Fernando Gont <fernando.gont () gmail com>
Date: Sun, 08 Apr 2007 18:24:59 -0300
At 02:41 p.m. 08/04/2007, Valdis.Kletnieks () vt edu wrote:
> Quite often, the *real* security issue is that the protection a given feature *actually* provides by design isn't the security that people *think* it provides. For example, some of us may remember a while ago, when there was a whole flurry of activity regarding TCP sequence numbers and RST packets. Turned out that in fact, TCP has *always* worked that way, in that an RST doesn't have to match exactly, it only needs to be inside the window. When RTT*bandwidth products were low and windows were small, in a 2**32 sequence space, the distinction between "match" and "within 16K" was easily overlooked. The community just needed a slap upside the head, because with multi-megabyte windows on today's high-speed links, the distinction *is* important....
There are some interesting lessons around the RST stuff.

First, while everybody rushed for fancy mechanisms for preventing reset attacks (e.g., the one we are standardizing at the IETF), many vendors (still in 2007) do not yet implement TCP port randomization, which is an obvious mitigation for most attacks against TCP.

Second, in 2005 (a year after the RST issues) I worked on ICMP attacks against TCP. One of the attacks had exactly the same impact as the TCP-based reset attack. However, it required much less effort on the side of the attacker (no need to guess TCP sequence numbers)... yet it was overlooked (even after being hit a year later by the TCP-based counterpart).

Third, regarding the protection people *think* that some mechanisms provide, probably two great examples are IPsec and the TCP MD5 option. Everybody assumed that IPsec and TCP MD5 provided protection against ICMP-based attacks, when they really didn't, and still do not.

Finally, I'd say that probably the biggest problem with the security issues in TCP and other core protocols is that everybody assumes that they know by heart how these protocols work, and that any issues in them have already been fixed. Recent history has shown that both of these assumptions are incorrect.

Kind regards,

--
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
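The two points above, that an RST is accepted anywhere inside the receive window and that port randomization is the cheap mitigation, can be quantified. The following is an added illustration, not part of the thread; it models only the RFC 793 acceptance test and the resulting blind-guess cost, with window sizes and the ephemeral port count (16384) chosen as assumptions for the table.

```python
"""Added example (not from the original thread): how the size of the
receive window, and the number of ephemeral ports a sender has to
guess, change the cost of landing a blind RST in a TCP connection."""

SEQ_SPACE = 2 ** 32  # 32-bit TCP sequence number space


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptance test: a segment is acceptable if its sequence
    number lies anywhere in [RCV.NXT, RCV.NXT + RCV.WND), modulo 2**32.
    This is the rule Valdis refers to: "inside the window", not "equal"."""
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def exact_match(seq, rcv_nxt, rcv_wnd):
    """The stricter rule many people assumed TCP used: only RCV.NXT."""
    return seq == rcv_nxt


def expected_guesses(rcv_wnd, port_choices=1):
    """Blind segments needed to cover the space under the in-window rule.

    A sender that does not see the connection must hit one of rcv_wnd
    acceptable sequence numbers out of 2**32, and, if the source port is
    randomized, also the right one of port_choices ports.  Spreading the
    guesses rcv_wnd apart covers the whole space in SEQ_SPACE // rcv_wnd
    tries per port, so the cost scales linearly with port_choices."""
    return (SEQ_SPACE // rcv_wnd) * port_choices


def exposure_table(windows, port_choices=16384):
    """Cost with and without port randomization for each window size.
    Returns {window: (guesses_fixed_port, guesses_random_port)}."""
    return {w: (expected_guesses(w), expected_guesses(w, port_choices))
            for w in windows}


if __name__ == "__main__":
    # Constructed window sizes: the "within 16K" case and a 4 MiB window.
    for w, (fixed, randomized) in exposure_table([16 * 1024, 4 * 2 ** 20]).items():
        print(f"window {w:>8}: {fixed:>9} guesses, "
              f"{randomized:>12} with a randomized source port")
```

Run as a script it prints the table; the point it makes is the one Fernando raises: a larger window collapses the guess count by orders of magnitude, and randomizing the ephemeral port restores a comparable factor without any protocol change.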