Bugtraq mailing list archives

Re: unused bit attack alert

From: MDARGOS () SANTANDERSUPERNET COM (Carlos García Argos)
Date: Tue, 22 Feb 2000 16:49:04 +0100


LigerTeam wrote:

  "unused bit attack"

 Our Team discovered one problem,
 in some case  it's simple,
but it could be serious problem of security
in the programming related with tcp/ip.

In fact, TCP header is 6 kinds  of
tcp  flag (SYN, ACK,  PSH, RST, FIN,  URG).

problem is the flag value in TCP header
approaches to 1byte variable of u_char type.
ex)see tcp.h file

The flag value Each  one correspond to 1 bit,
but it have unused 2 bit.

|unused|unused|URG|ACK|PSH|RST|SYN|FIN|


Those 2 unused bit are exactly those QueSO uses to detect an Operating
System, since there's no specified response to a TCP packet with those
bit on, it depends on the kind of tcp/ip stack the OS uses. More
information on http://apostols.org/projectz/queso/

--
---------------------------- <BoKeRoN> -------------------------------
-- <   Carlos GarcÃa Argos - Estudiante de Ing. TelecomunicaciÃ³n  > --
-- <  SuSE LiNUX 6.2 kernel 2.2.12 - Socio de LiMA (LiNUX MÃ¡laga) > --
-- <          Usuario de LiNUX registrado nÃºmero 160070           > --
-- <    IRC: @#malaga @#telecos_malaga @#linux-malaga @#teleco    > --
-- <  http://pagina.de/telecos_malaga >--< http://fly.to/bokeron  > --
-- <            FidoNet: 2:345/430.25 (Brother BBS)               > --
----------------------------------------------------------------------

Current thread:

flex license manager tempfile predictable name..., (continued)
- - - flex license manager tempfile predictable name... sp00n (Feb 21)
    - Re: flex license manager tempfile predictable name... Roelof JT Jonkman (Feb 22)
    - Re: flex license manager tempfile predictable name... David Evans (Feb 23)
    - FreeBSD Security Advisory: FreeBSD-SA-00:03.asmon Kris Kennaway (Feb 19)
    - Re: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive Michal Zalewski (Feb 20)
    - Patch Available for "VM File Reading" Vulnerability Microsoft Product Security (Feb 19)
    - Re: cisco/ascend snmp config tool or exploit? -- Re: snmp problems still alive Michal Zalewski (Feb 20)
    - unused bit attack alert LigerTeam (Feb 21)
    - A.L.E.R.T.: BigMailBox.com href tokens leave mailboxes open to control by a malicious site. Cancer Omega (Feb 21)
    - Re: unused bit attack alert Jochen Bauer (Feb 22)
    - Re: unused bit attack alert Carlos García Argos (Feb 22)
    - Re: unused bit attack alert CyberPsychotic (Feb 22)
- Re: snmp problems still alive... John Comeau (Feb 15)
  - Re: snmp problems still alive... Damir Rajnovic (Feb 17)
- Re: snmp problems still alive... Ryan Russell (Feb 15)
- Re: snmp problems still alive... Matthew R. Potter (Feb 17)