Bugtraq mailing list archives
Re: unused bit attack alert
From: MDARGOS () SANTANDERSUPERNET COM (Carlos García Argos)
Date: Tue, 22 Feb 2000 16:49:04 +0100
LigerTeam wrote:
"unused bit attack": Our team discovered one problem; in some cases it's simple, but it could be a serious security problem in programming related to TCP/IP. In fact, the TCP header has 6 kinds of TCP flags (SYN, ACK, PSH, RST, FIN, URG). The problem is that the flag value in the TCP header is held in a 1-byte variable of u_char type (e.g. see the tcp.h file). Each flag corresponds to 1 bit, but the byte has 2 unused bits: |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
Those 2 unused bits are exactly the ones QueSO uses to detect an operating system: since there's no specified response to a TCP packet with those bits on, the reply depends on the kind of TCP/IP stack the OS uses. More information at http://apostols.org/projectz/queso/

--
---------------------------- <BoKeRoN> -------------------------------
< Carlos García Argos - Telecommunications Engineering student >
< SuSE LiNUX 6.2 kernel 2.2.12 - Member of LiMA (LiNUX Málaga) >
< Registered LiNUX user number 160070 >
< IRC: @#malaga @#telecos_malaga @#linux-malaga @#teleco >
< http://pagina.de/telecos_malaga >--< http://fly.to/bokeron >
< FidoNet: 2:345/430.25 (Brother BBS) >
----------------------------------------------------------------------
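The flag byte layout discussed in this thread, decoded in code as an added example (not code from either poster or from QueSO). It parses the fixed 20-byte TCP header, reads the th_flags byte at offset 13 the way tcp.h lays it out, and reports packets with either of the two high bits set, which is the signature a stack-fingerprinting probe of the kind described above would leave in a capture. The header bytes are constructed inline for the demonstration; the helper names are my own. One caveat the 2000 thread predates: RFC 3168 later assigned those two bits to ECN (ECE at 0x40, CWR at 0x80), so an ECN-capable host now legitimately sends SYN packets with both bits set, and a detector built on this check must whitelist that negotiation pattern to avoid false positives.

```python
import struct

# Bit positions in byte 13 of the TCP header (RFC 793). The two high bits
# were "reserved/unused" when this thread was written; RFC 3168 later named
# them ECE and CWR for Explicit Congestion Notification.
FLAG_BITS = {
    "FIN": 0x01, "SYN": 0x02, "RST": 0x04, "PSH": 0x08,
    "ACK": 0x10, "URG": 0x20, "ECE": 0x40, "CWR": 0x80,
}
RESERVED_MASK = 0xC0  # the two bits the quoted message calls "unused"

# Flag combinations that RFC 3168 ECN negotiation uses legitimately
# (SYN with ECE+CWR, SYN/ACK with ECE). Anything else with a high bit set
# is reported as a probe.
ECN_LEGIT = {0x02 | 0x40 | 0x80, 0x02 | 0x10 | 0x40}


def parse_tcp_flags(header: bytes) -> dict:
    """Decode the fixed part of a TCP header and return its flag state."""
    if len(header) < 20:
        raise ValueError("TCP header shorter than the 20-byte minimum")
    sport, dport = struct.unpack("!HH", header[:4])
    data_offset = (header[12] >> 4) * 4      # header length in bytes
    th_flags = header[13]                    # the u_char the thread discusses
    return {
        "sport": sport,
        "dport": dport,
        "data_offset": data_offset,
        "flags": th_flags,
        "set": [name for name, bit in FLAG_BITS.items() if th_flags & bit],
        "reserved_bits_set": bool(th_flags & RESERVED_MASK),
    }


def build_tcp_header(sport: int, dport: int, flags: int,
                     seq: int = 0, ack: int = 0, window: int = 8192) -> bytes:
    """Constructed sample header (checksum left 0; it is never transmitted)."""
    return struct.pack("!HHIIBBHHH", sport, dport, seq, ack,
                       5 << 4, flags, window, 0, 0)


def classify(header: bytes) -> str:
    """'clean', 'ecn' (legitimate RFC 3168 use) or 'probe' (odd high bits)."""
    info = parse_tcp_flags(header)
    if not info["reserved_bits_set"]:
        return "clean"
    return "ecn" if info["flags"] in ECN_LEGIT else "probe"


def scan_for_reserved_bit_probes(headers) -> list:
    """Run the check over a batch of raw headers; return one alert per probe."""
    alerts = []
    for raw in headers:
        if classify(raw) == "probe":
            info = parse_tcp_flags(raw)
            alerts.append("reserved TCP flag bits set: sport=%d dport=%d flags=0x%02x (%s)"
                          % (info["sport"], info["dport"], info["flags"],
                             "|".join(info["set"])))
    return alerts


# Constructed sample traffic: a normal SYN, an ECN-negotiating SYN,
# a SYN with only one high bit set, and an ACK with both high bits set.
SAMPLE_HEADERS = [
    build_tcp_header(40000, 80, 0x02),
    build_tcp_header(40001, 80, 0x02 | 0x40 | 0x80),
    build_tcp_header(40002, 80, 0x02 | 0x40),
    build_tcp_header(40003, 80, 0x10 | 0xC0),
]

if __name__ == "__main__":
    for line in scan_for_reserved_bit_probes(SAMPLE_HEADERS):
        print(line)
```

The split between "ecn" and "probe" is the part worth keeping in a real sensor: reporting every packet with the high bits set would have been fine in 2000, but today it would page on every ECN-enabled client.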
Current thread:
- flex license manager tempfile predictable name..., (continued)
- flex license manager tempfile predictable name... sp00n (Feb 21)
- Re: flex license manager tempfile predictable name... Roelof JT Jonkman (Feb 22)
- Re: flex license manager tempfile predictable name... David Evans (Feb 23)
- FreeBSD Security Advisory: FreeBSD-SA-00:03.asmon Kris Kennaway (Feb 19)
- Re: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive Michal Zalewski (Feb 20)
- Patch Available for "VM File Reading" Vulnerability Microsoft Product Security (Feb 19)
- Re: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive Michal Zalewski (Feb 20)
- unused bit attack alert LigerTeam (Feb 21)
- A.L.E.R.T.: BigMailBox.com href tokens leave mailboxes open to control by a malicious site. Cancer Omega (Feb 21)
- Re: unused bit attack alert Jochen Bauer (Feb 22)
- Re: unused bit attack alert Carlos García Argos (Feb 22)
- Re: unused bit attack alert CyberPsychotic (Feb 22)
- Re: snmp problems still alive... Damir Rajnovic (Feb 17)