Bugtraq mailing list archives

Re: unused bit attack alert


From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Bauer)
Date: Tue, 22 Feb 2000 11:54:09 +0100


On Mon, Feb 21, 2000 at 07:43:54AM -0800, LigerTeam wrote:
[...]
In fact, the TCP header has 6 kinds of
TCP flag (SYN, ACK, PSH, RST, FIN, URG).

The problem is that the flag value in the TCP header
is a 1-byte variable of u_char type.
ex) see the tcp.h file

Each flag value corresponds to 1 bit,
but it has 2 unused bits.

|unused|unused|URG|ACK|PSH|RST|SYN|FIN|

Understanding the problem is simple.
Let's compare the two pieces of code.
ex) several code types of a SYN scan detector program

 i) if ( flag == TH_SYN )

 ii) if ( flag & TH_SYN )

(TH_SYN->SYN flag)

The i) code is true only when the SYN
flag bit is set to 1.

So the flag value is 0x2,
i.e. |0|0|0|0|0|0|1|0| in bits.

 The next ii) code is true only
 when the SYN flag bit (the TH_SYN value
 in flags) is set to 1; the state of the
 other bits has no influence.

 Eventually, we can easily see a very
 important thing.

If hackers set one or both of the two higher bits
(unused bits) to 1,
the ii) code type has a false value,
but the i) code type still has a true value,
and hackers avoid the scan detector.
[...] 
Conclusion:

When the flags variable in the TCP header is compared
as a whole with a given value,
the two higher bits (unused bits) must be cleared
and set to 0.
[...]

This is a known issue; it's in the category of "invalid TCP flags 
scanning". In fact, the two unused bits in the TCP flags byte can 
be used for TCP fingerprinting as the response to such TCP packets 
is not specified in RFC 793 and therefore depends on the TCP/IP 
implementation being used. In addition to TCP fingerprinting, TCP 
packets with certain invalid (i.e. not covered by RFC 793) flag
combinations not including the SYN flag can be used to determine 
which ports are open on the target machine.

This leads one to the conclusion that focussing on TCP packets with 
the SYN flag set is completely insufficient for scan detection. Any 
decent scan detector must, among other things, pay explicit 
attention to those 2 unused bits in the TCP flags byte anyway.

--
Jochen Bauer

Security Team (RUS-CERT)
Computer Center of the University of Stuttgart
Germany

************************************************************************ 
*Email: jtb () theo2 physik uni-stuttgart de                              *
*       jochen.bauer () rus uni-stuttgart de                              *
*                                                                      *
*PGP Public Key:                                                       *
*http://ca.uni-stuttgart.de:11371/pks/lookup?op=index&search=0xB5D92889*
************************************************************************ 
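The two checks from the quoted message, side by side with a variant that masks the reserved bits first and a separate test for flag patterns RFC 793 never produces; this is an added example in C, not code from the thread. The TH_ values mirror the BSD tcp.h layout; TH_RESERVED, TH_KNOWN and the sample flag bytes are constructed here.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Flag bits as laid out in BSD tcp.h:  |res|res|URG|ACK|PSH|RST|SYN|FIN| */
#define TH_FIN   0x01
#define TH_SYN   0x02
#define TH_RST   0x04
#define TH_PUSH  0x08
#define TH_ACK   0x10
#define TH_URG   0x20
#define TH_RESERVED 0xC0                 /* the two bits RFC 793 leaves unused */
#define TH_KNOWN (TH_FIN | TH_SYN | TH_RST | TH_PUSH | TH_ACK | TH_URG)

/* i) exact compare: stops matching as soon as a reserved bit is also set */
bool syn_exact(uint8_t flags) { return flags == TH_SYN; }

/* ii) bit test: keeps matching with reserved bits set, but also fires on SYN/ACK */
bool syn_bit(uint8_t flags) { return (flags & TH_SYN) != 0; }

/* Clear the reserved bits first, then compare: a SYN probe with junk in
 * bits 6-7 is still a SYN-only segment, while SYN/ACK is still excluded */
bool syn_only_masked(uint8_t flags) {
    return (flags & (uint8_t)~TH_RESERVED) == TH_SYN;
}

/* Independent signal: the segment carries a pattern RFC 793 never produces */
bool invalid_flags(uint8_t flags) {
    if (flags & TH_RESERVED) return true;              /* reserved bit(s) set */
    if ((flags & TH_KNOWN) == 0) return true;          /* no flag at all */
    if ((flags & (TH_SYN | TH_FIN)) == (TH_SYN | TH_FIN)) return true; /* SYN+FIN */
    return false;
}

int main(void) {
    /* Constructed sample flag bytes, not captured traffic */
    const struct { uint8_t flags; const char *desc; } samples[] = {
        { TH_SYN,               "plain SYN probe" },
        { TH_SYN | 0x40,        "SYN with one reserved bit set" },
        { TH_SYN | TH_RESERVED, "SYN with both reserved bits set" },
        { TH_SYN | TH_ACK,      "normal SYN/ACK reply" },
        { 0x00,                 "no flags at all" },
    };
    printf("%-34s exact bit masked invalid\n", "segment");
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint8_t f = samples[i].flags;
        printf("%-34s %5d %3d %6d %7d\n", samples[i].desc,
               syn_exact(f), syn_bit(f), syn_only_masked(f), invalid_flags(f));
    }
    return 0;
}
```

The table shows the exact compare dropping the probe the moment a reserved bit is set, while the masked compare and the invalid-flags test both still catch it.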

