Full Disclosure mailing list archives

Re: [funsec] Vista Protected Processes Bypassed


From: Fernando Gont <fernando.gont () gmail com>
Date: Sun, 08 Apr 2007 18:24:59 -0300

At 02:41 p.m. 08/04/2007, Valdis.Kletnieks () vt edu wrote:

Quite often, the *real* security issue is that the protection a given feature
*actually* provides by design isn't the security that people *think* it
provides.  For example, some of us may remember a while ago, when there was
a whole flurry of activity regarding TCP sequence numbers and RST packets.

Turned out that in fact, TCP has *always* worked that way, in that an RST
doesn't have to match exactly, it only needs to be inside the window. When
RTT*bandwidth products were low and windows were small, in a 2**32 sequence
space, the distinction between "match" and "within 16K" was easily overlooked.
The community just needed a slap upside the head, because with multi-megabyte
windows on today's high-speed links, the distinction *is* important....

There are some interesting lessons around the RST stuff.

First, while everybody rushed for fancy mechanisms for preventing 
reset attacks (e.g., the one we are standardizing at the IETF), many 
vendors (still in 2007) do not yet implement TCP port randomization, 
which is an obvious mitigation for most attacks against TCP.

Second, in 2005 (a year after the RST issues) I worked on ICMP 
attacks against TCP. One of the attacks had exactly the same impact 
as the TCP-based reset attack. However, it required much less effort 
on the side of the attacker (no need to guess TCP sequence 
numbers)... yet it was overlooked (even after being hit a year later 
by the TCP-based counterpart).

Third, regarding the protection people *think* that some mechanisms 
provide, probably two great examples are IPsec and the TCP MD5 
option. Everybody assumed that IPsec and TCP MD5 provided protection 
against ICMP-based attacks, when they really didn't, and still do not.

Finally, I'd say that probably the biggest problem with the security 
issues in TCP and other core protocols is that everybody assumes that 
they know by heart how these protocols work, and that any issues in 
them have already been fixed. Recent history has shown that 
both of these assumptions are incorrect.

Kind regards,

-- 
Fernando Gont
e-mail: fernando () gont com ar || fgont () acm org
PGP Fingerprint: 7809 84F5 322E 45C7 F1C9 3945 96EE A9EF D076 FFF1
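An added example, not from this thread: a small model of the two RST acceptance rules being discussed (the RFC 793 in-window test that Valdis describes, and the tightened exact-match rule of the IETF mechanism Fernando mentions, assumed here to be what later became RFC 5961), plus the number of distinct guesses each rule implies for a given window, and the multiplier that source port randomization adds. The window sizes and the ephemeral port count are constructed inputs.

```python
"""Defender-side model of TCP RST acceptance and of the guessing work each
rule implies. Added example; window and port values below are constructed."""

SEQ_SPACE = 2 ** 32  # 32-bit TCP sequence number space


def in_window(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability test for a data-less segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2**32 so that
    a receive window straddling the wrap-around point is handled correctly."""
    return (seg_seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_action_rfc793(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Classic behaviour: any in-window RST tears the connection down."""
    return "reset" if in_window(seg_seq, rcv_nxt, rcv_wnd) else "drop"


def rst_action_rfc5961(seg_seq: int, rcv_nxt: int, rcv_wnd: int) -> str:
    """Tightened rule: only an RST matching RCV.NXT exactly resets; an
    in-window but inexact RST gets a challenge ACK, which a legitimate peer
    answers with a correctly numbered RST and an off-path sender cannot see."""
    if seg_seq == rcv_nxt:
        return "reset"
    if in_window(seg_seq, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def guesses_to_cover_sequence_space(rcv_wnd: int, exact_match: bool) -> int:
    """Distinct sequence numbers an off-path sender must try to be certain of
    one acceptance. Under the in-window rule the space is covered in steps of
    the window size; under exact match every value must be tried."""
    if exact_match:
        return SEQ_SPACE
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def guesses_with_port_randomization(rcv_wnd: int, exact_match: bool,
                                    ephemeral_ports: int) -> int:
    """If the client port is randomized, each candidate port must be paired
    with the full sequence-number sweep: work multiplies by the port count."""
    return guesses_to_cover_sequence_space(rcv_wnd, exact_match) * ephemeral_ports


if __name__ == "__main__":
    for wnd in (16 * 1024, 4 * 1024 * 1024):  # 16 KiB vs a 4 MiB window
        print(f"window={wnd:>8}: in-window guesses="
              f"{guesses_to_cover_sequence_space(wnd, False):>10}, "
              f"exact-match guesses={guesses_to_cover_sequence_space(wnd, True)}")
```

The 16 KiB window needs 262144 in-window guesses while a 4 MiB window needs only 1024, which is the distinction Valdis says was "easily overlooked" when windows were small; exact matching restores the full 2**32 and port randomization multiplies whatever remains.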
