Vulnerability Development mailing list archives
RE: MiM Simultaneous close attack
From: "Dom De Vitto" <Dom () DeVitto com>
Date: Fri, 17 Aug 2001 20:11:44 +0100
Yep, missing something. Switches are for high peer2peer bandwidth, not high security. Please check the archives for interesting discussions on breaking switching and VLANs (two separate things).

Dom

-----Original Message-----
From: Malcolm Jack [mailto:Malcolm () brandes com]
Sent: 17 August 2001 17:01
To: 'Korhan Kaya'; vuln-dev () securityfocus com
Subject: RE: MiM Simultaneous close attack

Excuse my ignorance, but wouldn't a switched network be a remedy for this attack? Unless you are using some type of 'port mirroring' functionality (at the switch), the attacking computer sitting in promiscuous mode would only hear broadcast traffic. Right? Or am I missing something?

-----Original Message-----
From: Korhan Kaya [mailto:kkaya () prioriy1world com]
Sent: Tuesday, August 14, 2001 8:38 AM
To: vuln-dev () securityfocus com
Subject: MiM Simultaneous close attack

MiM simultaneous CLOSE attack
Revision 1.1
For Public Release 2001 August 07 08:00 (GMT +0200)
_________________________________________________________________

Vulnerability : MiM simultaneous CLOSE attack
Vendor        : N/A
Category      : Man in the middle / Denial of service
Date          : 08/07/2001
Credits       : Korhan Kaya <kkaya () priority1world com>
Document ID   : MW-TCPMD-03

Contents

 1 Summary
 2 Affected systems
 3 Details
 4 Results
 5 Solution
 6 Reproducing
 7 Vendor status
 8 References
 9 Disclaimer
10 Contact

1 SUMMARY

A man-in-the-middle attacker can cause network flooding and denial of service by sending 2 TCP packets per connection.

2 AFFECTED SYSTEMS

This vulnerability is tested against the following platforms and they are vulnerable.

  Linux kern-v2.4.x
  Microsoft Windows 2000 Server
  Microsoft Windows 2000 Workstation
  Microsoft Windows ME
  Microsoft Windows 98

Possibly other platforms are vulnerable. Pending platform reports.

3 DETAILS

It is possible for an attacker to open the ethernet interface in promiscuous mode and monitor network activity to collect the SEQ and ACK numbers of active TCP connections.

An attacker can trigger an ACK loop by sending a 'spoofed' TCP packet with the ACK + FIN flags enabled to the source host and the destination host of an active connection. The TCP stacks of client and server will acknowledge that the opposite side of the connection wants to close the connection, and the hosts will immediately send ACK packets to complete the sequence. The vulnerability is exploited at this point.

Figure A :

        TCP A                    MIM                     TCP B

   1.   ESTABLISHED                                      ESTABLISHED
   2.               <-- [CTL=ACK+FIN]
   3.                   [CTL=ACK+FIN] -->
   4.   CLOSE-WAIT  -->   <CTL=ACK>   -->                CLOSE-WAIT
   5.   CLOSE-WAIT  <--   <CTL=ACK>   <--                CLOSE-WAIT
        ..                                               ..
1500.   CLOSE-WAIT  -->   <CTL=ACK>   -->                CLOSE-WAIT
1501.   CLOSE-WAIT  <--   <CTL=ACK>   <--                CLOSE-WAIT
        ..                                               ..

4 RESULTS

The result of this attack is a continuous loop of ACK packet traffic between client and server. After transmitting MANY packets using maximum throughput, the target connection will be lost. During this period the client software and target service may lock up, freeze or crash.

The number of transmitted packets and the generated traffic depend on host locations. The attack becomes more effective if it is used against local connections such as local netbios/cifs traffic.

If an attacker applies the above scenario on an average network, every connection attempt from any host to any server will fail, the network transport will be saturated in a short time, the collision rates will rise to extreme levels and the CPU consumption of computers connected to the network will increase up to 90% due to the packet traffic.

5 SOLUTION

Workaround: none

6 HOW TO REPRODUCE VULNERABILITY

The vulnerability can be reproduced by using the attached win32 binary. Download the zip file and follow the steps in the readme.txt

  http://195.244.37.241/mimsc.zip

7 VENDOR STATUS

Microsoft Corp. was informed on 07/30/2001; no response received.

8 REFERENCES

  RFC 761, Page 35+
  RFC 793
  ACK Storm  http://www.insecure.org/stf/iphijack.txt (see for similar results)

9 DISCLAIMER

Korhan Kaya is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory. This text may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified.

10 CONTACT

Please send suggestions, updates, and comments to: kkaya () priority1world com
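As an added example (not part of the thread or the advisory's attached tool), here is a detector for the loop signature section 4 describes: a burst of payload-free ACKs ping-ponging on one connection while the seq/ack numbers never advance. The packet record type and the trace are constructed for illustration; a real deployment would feed it from a pcap or flow parser.

```python
from collections import defaultdict
from dataclasses import dataclass

# Minimal packet record (constructed for this example); a pcap parser would fill it.
@dataclass(frozen=True)
class Pkt:
    ts: float      # capture time in seconds
    src: str       # "ip:port"
    dst: str
    flags: str     # TCP flags as letters: "A"=ACK, "F"=FIN, "P"=PSH, "S"=SYN
    seq: int
    ack: int
    payload: int   # payload bytes

def conn_key(p):
    # direction-independent key so both sides' ACKs land in one run
    return tuple(sorted((p.src, p.dst)))

def detect_ack_storm(packets, window=1.0, threshold=20):
    """Return {conn: (first_ts, count)} for connections showing an ACK loop:
    at least `threshold` pure ACKs (no payload, no SYN/FIN/RST) inside `window`
    seconds whose numbers never move, i.e. one (seq, ack) pair per direction."""
    runs = defaultdict(list)      # conn -> [(ts, seq, ack)] of the current pure-ACK run
    alerts = {}
    for p in sorted(packets, key=lambda x: x.ts):
        k = conn_key(p)
        if p.flags != "A" or p.payload:
            runs[k].clear()       # data or control traffic breaks the loop pattern
            continue
        run = runs[k]
        run.append((p.ts, p.seq, p.ack))
        while p.ts - run[0][0] > window:
            run.pop(0)            # keep only the packets inside the sliding window
        if len(run) >= threshold and len({(s, a) for _, s, a in run}) <= 2:
            alerts.setdefault(k, (run[0][0], len(run)))
    return alerts

def sample_trace():
    """Constructed trace: one healthy transfer plus one looping pair (not captured data)."""
    a, b = "10.0.0.5:1030", "10.0.0.9:139"
    pkts = [Pkt(0.00, a, b, "PA", 1000, 5000, 100),   # normal data segment ...
            Pkt(0.01, b, a, "A", 5000, 1100, 0)]      # ... and its single ACK
    c, d = "10.0.0.7:1044", "10.0.0.9:445"
    for i in range(40):                                # each ACK answered with an ACK,
        src, dst = (c, d) if i % 2 == 0 else (d, c)    # numbers never advance
        seq, ack = (2000, 9000) if i % 2 == 0 else (9000, 2000)
        pkts.append(Pkt(0.1 + i * 0.002, src, dst, "A", seq, ack, 0))
    return pkts
```

On a switched segment the sensor only sees this if it sits on a mirror port or on one of the two hosts, which is the point Malcolm raises above.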