Full Disclosure mailing list archives

Re: A new TCP/IP blind data injection technique?


From: Michal Zalewski <lcamtuf () ghettot org>
Date: Thu, 11 Dec 2003 10:46:04 +0100 (CET)

On Thu, 11 Dec 2003, Shachar Shemesh wrote:

> This attack is timing sensitive, route sensitive, and is highly
> unreliable.

So is all session injection, but we have seen practical attacks in the
past. A very popular piece of software to drop Windows 9x users from IRC
servers by performing a RST packet injection into an existing session
worked surprisingly well.

Although the problems you mention make some attacks very difficult, in
many other cases, this is not an issue. Server-to-server communication is
often either completely predictable, or can be user-induced (and still
benefit him in some way when compromised). In other cases, a low success
ratio is not a problem when you want to just disrupt communications at
some point, and do not care about the exact packet for which this happens
(for all sessions that last for a while).

> Those problems aside, however, there is a more fundamental problem. You
> need to time each and every fragmented packet you send to always arrive
> before or after (depending on receiving machine's IP stack) the
> corresponding legit fragment, yet before the entire packet is assembled.

Not really. You can just push a non-zero offset packet with no MF set, and
the reassembly will end immediately, without waiting for the remaining
chunks.

> Most TCP/IP connections employ PMTU discovery, and then split the stream
> at layer 4, rather than perform layer 3 assembly.

It is a matter of OS configuration. Many systems have indeed deployed PMTU
recently. There is a catch, however: some routers, IP-over-nnn tunnels,
and some firewalls strip and/or ignore the DF flag. This is not as uncommon
as we would like it to be. I actually have done some research to back this
claim while writing p0f and encountering some strange discrepancies in
observed signatures.

> Even if you found a victim that does not employ PMTU, fragmentation is
> still a rare occurrence.

I would disagree, but the point of my post is not to get involved in a
pissing contest in making unfounded claims, but to open a discussion. I do
not think this is a threat one should lose sleep over, either, but the
fact is, it makes session data injection considerably easier than with ISN
guessing.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2003-12-11 10:37 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
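The reassembly short-circuit Michal describes (a non-zero-offset fragment with MF clear ending reassembly early) is something a monitoring point can flag. The following is an added example, not code from the thread or from p0f: it parses raw IPv4 headers (no options assumed) and audits one datagram's fragment stream for overlaps, conflicting terminal fragments and data arriving past a declared end. The packet builder and sample streams are constructed here for illustration.

```python
import struct

FRAG_DF, FRAG_MF, OFF_MASK = 0x4000, 0x2000, 0x1FFF

def build_ipv4_header(ident, offset8, mf, payload_len, df=False):
    """Constructed minimal IPv4 header (no options) for the sample streams below."""
    flags_off = (FRAG_DF if df else 0) | (FRAG_MF if mf else 0) | (offset8 & OFF_MASK)
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, ident, flags_off,
                       64, 6, 0, b"\x0a\x00\x00\x01", b"\x0a\x00\x00\x02")

def parse_fragment(pkt):
    """Return (ident, start_byte, end_byte, more_fragments) from a raw IPv4 header."""
    ver_ihl, _tos, total_len, ident, flags_off = struct.unpack_from("!BBHHH", pkt)
    ihl = (ver_ihl & 0x0F) * 4
    start = (flags_off & OFF_MASK) * 8          # fragment offset is in 8-byte units
    return ident, start, start + (total_len - ihl), bool(flags_off & FRAG_MF)

def audit_stream(packets):
    """Flag fragment anomalies per datagram id, in arrival order: byte-range
    overlaps, two terminal fragments that disagree on the datagram length,
    a terminal fragment that truncates data already seen, and data beyond
    an already-declared end. A clean stream yields an empty list."""
    findings, state = [], {}
    for pkt in packets:
        ident, start, end, mf = parse_fragment(pkt)
        st = state.setdefault(ident, {"ranges": [], "end": None})
        if any(start < e and s < end for s, e in st["ranges"]):
            findings.append((ident, "overlap", start, end))
        if not mf:                                # MF clear: claims to be the last fragment
            if st["end"] is not None and st["end"] != end:
                findings.append((ident, "conflicting-end", st["end"], end))
            if any(e > end for _, e in st["ranges"]):
                findings.append((ident, "truncating-terminal", start, end))
            st["end"] = end
        elif st["end"] is not None and end > st["end"]:
            findings.append((ident, "beyond-declared-end", start, end))
        st["ranges"].append((start, end))
    return findings

# Constructed samples: a clean two-fragment datagram, and a three-fragment
# datagram with a forged terminal fragment (MF clear, offset 1480) slipped in.
CLEAN_STREAM = [build_ipv4_header(7, 0, True, 1480), build_ipv4_header(7, 185, False, 200)]
SAMPLE_STREAM = [build_ipv4_header(0x1234, 0, True, 1480),
                 build_ipv4_header(0x1234, 185, False, 8),      # forged terminal fragment
                 build_ipv4_header(0x1234, 185, True, 1000),    # legitimate middle fragment
                 build_ipv4_header(0x1234, 310, False, 200)]    # legitimate last fragment

if __name__ == "__main__":
    for finding in audit_stream(SAMPLE_STREAM):
        print(finding)
```

A real IDS would also need to know the target stack's overlap policy (first-or-last fragment wins) to predict what the host actually reassembled; this audit only surfaces streams where the policy matters.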
