Bugtraq mailing list archives

Re: A new TCP/IP blind data injection technique?

From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Dec 2003 12:06:26 -0500

On Thu, 11 Dec 2003 07:37:02 GMT, Nick Cleaton said:

Even if the attacker knows or controls every other byte in the packet
and thus controls the checksum before the final 16 bits go in, the final
checksum is as unpredictable as those 16 bits.


However, it's a trivial matter to take the original text, the replacement text,
and compute an original such that the checksum comes out "the same".

1) Read the RFCs on how to do incremental update of the checksum when decrementing
the TTL - that provides some big hints.

2) Walk across the old and new texts, computing the delta to the checksum.

3) Smash two spare bytes in the new text with the correct delta to make it come out the same.

Remember, it's a checksum, not a hash.

Attachment: _bin
Description:

Current thread:

A new TCP/IP blind data injection technique? Michal Zalewski (Dec 10)
- Re: A new TCP/IP blind data injection technique? Nick Cleaton (Dec 11)
  - Re: A new TCP/IP blind data injection technique? Valdis . Kletnieks (Dec 11)
    - Re[2]: A new TCP/IP blind data injection technique? Marius Huse Jacobsen (Dec 13)
  - Breaking the checksum (a new TCP/IP blind data injection technique) Michal Zalewski (Dec 15)
- Re: A new TCP/IP blind data injection technique? Kris Kennaway (Dec 11)
  - Re: A new TCP/IP blind data injection technique? Casper Dik (Dec 11)
- RE: A new TCP/IP blind data injection technique? David Gillett (Dec 11)
- Message not available
  - Message not available
    - Re: A new TCP/IP blind data injection technique? Michal Zalewski (Dec 12)
    - Re: A new TCP/IP blind data injection technique? Barney Wolff (Dec 12)
    - Re: A new TCP/IP blind data injection technique? Michal Zalewski (Dec 12)
    - Re: A new TCP/IP blind data injection technique? Stephen Frost (Dec 12)
- <Possible follow-ups>
- RE: A new TCP/IP blind data injection technique? Michael Wojcik (Dec 11)

(Thread continues...)