Bugtraq mailing list archives
Re: [EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)
From: jbuhler () CS WASHINGTON EDU (Jeremy Buhler)
Date: Tue, 28 Sep 1999 13:21:32 -0700
On Tue, 28 Sep 1999, Sebastian wrote:
A lot of people wrote to us and said that the typo where &secret[3] was meant but &secret+3 was written within the kernel code was the cause for this bug. In our tests, however, we applied nothing but this one-line patch and we still experienced small-difference ISN's (stealth tested this, but I believe in his skills :-).
Right. Andrea Arcangeli proposed this change on the kernel mailing list, but it wasn't the patch that actually got applied in 2.3.13pre13. This is the patch which I believe is intended to fix the easily-guessable sequence numbers: --- linux.vanilla/net/ipv4/tcp_ipv4.c Sat Aug 28 20:00:59 1999 +++ linux.13p13/net/ipv4/tcp_ipv4.c Sun Sep 26 23:25:18 1999 @@ -525,7 +525,8 @@ static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb) { - return secure_tcp_sequence_number(sk->saddr, sk->daddr, + return secure_tcp_sequence_number(skb->nh.iph->daddr, + skb->nh.iph->saddr, skb->h.th->dest, skb->h.th->source); } If I understand correctly, the bug was that the sequence number initialization erroneously didn't use the remote's IP address. Jeremy
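Review bot: the hunk replaces sk->saddr/sk->daddr with the addresses from the SYN's IP header but carries no comment saying why, so a later cleanup could easily put the socket fields back; a one-liner such as `/* take addresses from the SYN itself: sk is the listener and has no peer yet */` at the call would pin down the reasoning Jeremy gives above. Worth a second comment is the argument order: the old call passed (saddr, daddr) while the new one passes (iph->daddr, iph->saddr). That is consistent, since the header's daddr is the local side of an incoming SYN and pairs with th->dest as before, but it reads like a swap at first glance. Finally, this hunk touches only the call site; it neither includes nor confirms the &secret+3 typo fix discussed earlier in the thread, so whether that one-line change also landed in the same tree has to be checked separately.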
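To make Jeremy's reading of the bug concrete, here is an added example that is not kernel code and not part of this thread: a toy model of the ISN computation in which the tuple hash is a constructed stand-in (the kernel uses an MD5-based hash and its own boot-time secret), and which assumes that the listening socket's daddr is still zero when the SYN arrives, so the old call site never feeds the peer address into the hash. The function names `model_secure_isn`, `isn_old_call`, `isn_new_call`, `peers_collide` and `old_call_isn_delta` and all addresses, ports and clock values are constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed placeholder secret; the real kernel seeds its own. */
static const uint32_t secret[4] = { 0x243F6A88u, 0x85A308D3u,
                                    0x13198A2Eu, 0x03707344u };

/* Stand-in mixing step (NOT the kernel's MD5-based hash). Every step is a
 * bijection on h for a fixed v, so inputs that differ stay different. */
static uint32_t mix(uint32_t h, uint32_t v)
{
    h ^= v;
    h *= 0x9E3779B1u;
    h ^= h >> 15;
    return h;
}

/* Per-connection hash over the 4-tuple and the secret. */
static uint32_t tuple_hash(uint32_t saddr, uint32_t daddr,
                           uint16_t sport, uint16_t dport)
{
    uint32_t h = secret[0];
    h = mix(h, saddr);
    h = mix(h, daddr);
    h = mix(h, ((uint32_t)sport << 16) | dport);
    h = mix(h, secret[1]);
    h = mix(h, secret[2]);
    h = mix(h, secret[3]);
    return h;
}

/* Model of secure_tcp_sequence_number(): tuple hash plus a clock term. */
static uint32_t model_secure_isn(uint32_t saddr, uint32_t daddr,
                                 uint16_t sport, uint16_t dport,
                                 uint32_t clock_ticks)
{
    return tuple_hash(saddr, daddr, sport, dport) + clock_ticks;
}

/* Old call site: sk->saddr / sk->daddr of the listening socket.
 * Model assumption: the listener has no peer bound when the SYN arrives,
 * so daddr is 0 and the peer address never reaches the hash. */
static uint32_t isn_old_call(uint32_t local, uint32_t peer,
                             uint16_t lport, uint16_t pport,
                             uint32_t clock_ticks)
{
    (void)peer;
    return model_secure_isn(local, 0, lport, pport, clock_ticks);
}

/* Patched call site: local and peer addresses taken from the SYN's
 * IP header (iph->daddr is the local side, iph->saddr the peer). */
static uint32_t isn_new_call(uint32_t local, uint32_t peer,
                             uint16_t lport, uint16_t pport,
                             uint32_t clock_ticks)
{
    return model_secure_isn(local, peer, lport, pport, clock_ticks);
}

/* 1 if two different peers connecting to the same service at the same
 * clock tick receive identical ISNs, 0 otherwise. */
int peers_collide(int patched)
{
    const uint32_t local  = 0x0A000001u;  /* 10.0.0.1    (constructed) */
    const uint32_t peer_a = 0xC0A80005u;  /* 192.168.0.5 (constructed) */
    const uint32_t peer_b = 0xC0A80006u;  /* 192.168.0.6 (constructed) */
    const uint32_t now = 1000;
    uint32_t a, b;

    if (patched) {
        a = isn_new_call(local, peer_a, 80, 40000, now);
        b = isn_new_call(local, peer_b, 80, 40000, now);
    } else {
        a = isn_old_call(local, peer_a, 80, 40000, now);
        b = isn_old_call(local, peer_b, 80, 40000, now);
    }
    return a == b;
}

/* With the old call, the only thing separating two peers' ISNs is the
 * clock delta between their SYNs: the "small difference" seen upthread. */
uint32_t old_call_isn_delta(uint32_t ticks_apart)
{
    const uint32_t local  = 0x0A000001u;
    const uint32_t peer_a = 0xC0A80005u;
    const uint32_t peer_b = 0xC0A80006u;
    const uint32_t now = 1000;

    return isn_old_call(local, peer_b, 80, 40000, now + ticks_apart)
         - isn_old_call(local, peer_a, 80, 40000, now);
}

int main(void)
{
    printf("old call, two peers collide: %d\n", peers_collide(0));
    printf("new call, two peers collide: %d\n", peers_collide(1));
    printf("old call, ISN delta 5 ticks apart: %u\n",
           (unsigned)old_call_isn_delta(5));
    return 0;
}
```

The point of the model is the last function: under the old call site the hash is the same for every peer of a given service, so what remains between two connections' ISNs is just the clock term, exactly the kind of small, regular difference Sebastian reports. The patched call mixes the peer address in, and the collision check flips to 0 regardless of clock.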