Firewall Wizards mailing list archives

Re: Session hijacking, source-routes


From: Cohen Liota <cohen_liota () securecomputing com>
Date: Wed, 10 Feb 1999 16:40:11 -0500

The simple answer is yes.  Yes, but it does depend on certain 
conditions, namely the predictability of the initial connection 
sequence numbers.  I find a fair test of this is to telnet or ftp
to the system in question and run tcpdump watching for the
initial connect, then drop the connection, wait fifteen minutes,
do the same, and in another fifteen minutes do it once more.
Compare the sequence numbers, and if you see that the sequence 
numbers increment in a predictable pattern, your sessions 
can be hijacked.

A typical attack usually looks something like this:
1. C SYN-floods the port on B that we are impersonating.
2. C sends a normal SYN to a port on A.
3. A returns a SYN-ACK to C containing A's current Initial 
Sequence Number.
4. A internally increments the ISN. This is done differently 
in different OSes; BSDs, HP-UX, Irix, SunOS etc. usually 
increment by x for each connection and by double that each second. 
Now we can guess the ISN A will pick for the next connection,
so let's spoof:
5. C sends a SYN to A, source spoofed as B.
6. A sends a SYN-ACK to B containing the ISN (C cannot see this,
but it doesn't matter because we have _guessed_ the ISN).
7. Here B WOULD have responded to A with a RST, since it has no 
clue why it got the SYN-ACK, but since we SYN-flooded the 
port in step 1, it won't respond at all.
8. Now C sends an ACK to A, source spoofed as B, containing the 
guessed ISN+1. Provided that the guess was correct, A now thinks 
there is a fully set up TCP connection between A and B. We can do
whatever we want from now on, blindly of course.
9. C sends 'echo + + >>/.rhosts' to port 514 on A, spoofed as if 
coming from B.
10. If root on A had computer B in /.rhosts, that's it, game over.
11. C is nice and sends a FIN to A.
12. C is brutal and sends a RST to A just to clean things up.
13. C is nice and RSTs the SYN-flooded port on B, leaving no traces.

There is also a decent paper by Laurent Joncheray; if you would
like, I can send it.

Hope that helps clear it up for you,
Cohen
  

At 09:44 AM 2/10/99 -0600, you wrote:
Can a TCP session be hijacked if the target system rejects
source-routed IP packets?

If I understand the process correctly, the attacker quells the
legitimate client with a DoS attack and gets the server to
route the packets to himself instead, after having observed the
proper sequence numbers to use.  (No real significance to the use
of client/server here -- it could work against either end of the
TCP connection.)

If my f/w rejects all source-routed packets, are its connections
immune to session hijacking, or does this (or can this) work
another way?

--
KH




---
Cohen Liota
Information Security Specialist         +1.416.815.3041 - voice
Secure Computing Corporation            +1.416.815.3001 - fax
cohen_liota () securecomputing com              http://www.securecomputing.com/
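A simulation of the ISN-predictability test and of the blind spoofing exchange described in the steps above, as an added example that is not part of the original post or thread. The host names A, B and C, the port numbers, the 64000-per-connection / 128000-per-second generator constants and the stand-in for rsh on port 514 are all constructed for the simulation; the "network" is a set of direct method calls, so nothing is sent anywhere. The test waits 15 simulated seconds between probes rather than the fifteen minutes the post suggests.

```python
"""Simulation of the ISN-predictability test and the blind hijack in the post.

Added example, not from the thread. Host names, ports and generator constants
are constructed; the 'network' is a set of direct method calls.
"""
import os

A, B, C = "A", "B", "C"   # server, trusted client, attacker (constructed names)
RSH_PORT = 514
MOD = 2 ** 32


class PredictableISN:
    """BSD-style generator (constructed constants): the ISN advances by
    PER_CONN for every new connection and by PER_SEC for every second."""
    PER_CONN = 64_000
    PER_SEC = 128_000

    def __init__(self, start=1_000_000):
        self.isn, self.last_tick = start, 0

    def next(self, tick):
        elapsed = tick - self.last_tick
        self.isn = (self.isn + self.PER_SEC * elapsed + self.PER_CONN) % MOD
        self.last_tick = tick
        return self.isn


class RandomISN:
    """Per-connection random ISN, which defeats the guess below."""
    def next(self, tick):
        return int.from_bytes(os.urandom(4), "big")


class Server:
    """Host A. B is not modelled at all: the SYN flood in step 1 is assumed
    to have worked, so B's RST from step 7 simply never arrives."""

    def __init__(self, isn_gen, trusted):
        self.gen, self.trusted = isn_gen, set(trusted)   # trusted = /.rhosts
        self.half_open, self.established, self.rhosts = {}, set(), []

    def syn(self, src, sport, tick):
        """Answer a SYN; the returned value is the ISN in our SYN-ACK."""
        isn = self.gen.next(tick)
        self.half_open[(src, sport)] = isn
        return isn

    def ack(self, src, sport, ack_no):
        """Complete the handshake only if the ACK acknowledges exactly ISN+1."""
        isn = self.half_open.pop((src, sport), None)
        if isn is None or ack_no != (isn + 1) % MOD:
            return False
        self.established.add((src, sport))
        return True

    def rsh(self, src, sport, dport, command):
        """Stand-in for rsh on port 514 (not the real protocol): run a command
        over an established connection if the source host is in /.rhosts."""
        if dport != RSH_PORT or (src, sport) not in self.established:
            return False
        if src not in self.trusted:
            return False
        if command == "echo + + >>/.rhosts":
            self.rhosts.append("+ +")
        return True


def probe_isn_model(server, tick):
    """The 'fair test' from the post, in seconds: connect as C three times
    (two back to back, one 15 s later), derive the per-connection and
    per-second increments, then confirm them with a fourth connection.
    Returns (per_conn, per_sec), or None if the ISNs do not fit that model."""
    i1 = server.syn(C, 40001, tick)
    i2 = server.syn(C, 40002, tick)          # same second: only the per-connection step
    i3 = server.syn(C, 40003, tick + 15)     # 15 s later: 15 per-second steps plus one
    per_conn = (i2 - i1) % MOD
    per_sec, rem = divmod(((i3 - i2) - per_conn) % MOD, 15)
    i4 = server.syn(C, 40004, tick + 30)     # does the model predict the next ISN?
    if rem or (i3 + per_conn + 15 * per_sec) % MOD != i4:
        return None
    return per_conn, per_sec


def blind_hijack(server, tick, model):
    """Steps 2-10 of the post with the guess taken from `model`.
    Everything 'from B' is spoofed; C never sees A's replies to B."""
    per_conn, _per_sec = model
    last = server.syn(C, 40005, tick)                 # steps 2/3: learn A's current ISN
    guess = (last + per_conn) % MOD                   # step 4: predict the next one
    server.syn(B, 1023, tick)                         # steps 5/6: SYN-ACK goes to B, unseen
    if not server.ack(B, 1023, (guess + 1) % MOD):    # step 8: ACK with guessed ISN+1
        return False
    return server.rsh(B, 1023, RSH_PORT, "echo + + >>/.rhosts")   # steps 9/10


def run(isn_gen):
    """Drive the whole attack against a server that uses `isn_gen`."""
    server = Server(isn_gen, trusted=[B])
    model = probe_isn_model(server, tick=100)
    if model is None:
        return "ISNs not predictable, no hijack"
    if blind_hijack(server, tick=130, model=model) and "+ +" in server.rhosts:
        return "hijacked: /.rhosts now contains '+ +'"
    return "guess missed"


if __name__ == "__main__":
    print("BSD-style generator:", run(PredictableISN()))
    print("random generator:   ", run(RandomISN()))
```

Against the BSD-style generator the fourth probe confirms the linear model and the single blind guess lands; against the random generator the model check fails and no spoofed ACK is ever sent. Source routing never enters into it, which is the point of the answer above: rejecting source-routed packets does not help once the ISN can be predicted.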


