Vulnerability Development mailing list archives

RE: MiM Simultaneous close attack

From: "Dom De Vitto" <Dom () DeVitto com>
Date: Fri, 17 Aug 2001 20:11:44 +0100

Yep, missing something.

Switches are for high peer2peer bandwidth, not high security.

Please check the archives for interesting discussions on breaking
switching and VLANs (two separate things).

Dom
-----Original Message-----
From: Malcolm Jack [mailto:Malcolm () brandes com]
Sent: 17 August 2001 17:01
To: 'Korhan Kaya'; vuln-dev () securityfocus com
Subject: RE: MiM Simultaneous close attack


Excuse my ignorance, but wouldn't a switched network be a remedy for this
attack?  Unless you are using some type of 'port mirroring' functionality
(at the switch) the attacking computer sitting in promiscuous mode would
only hear broadcast traffic.  Right? Or am I missing something?




-----Original Message-----
From: Korhan Kaya [mailto:kkaya () prioriy1world com]
Sent: Tuesday, August 14, 2001 8:38 AM
To: vuln-dev () securityfocus com
Subject: MiM Simultaneous close attack


MiM simultaneous CLOSE attack

Revision 1.1

For Public Release 2001 August 07 08:00 (GMT +0200)
_________________________________________________________________

 Vulnerability :
        MiM simultaneous CLOSE attack
 Vendor :
        N/A
 Category :
        Man in the middle / Denial of service
 Date :
        08/07/2001
Credits :
        Korhan Kaya <kkaya () priority1world com>
        Document ID   :  MW-TCPMD-03

 Contents

 1 Summary
 2 Affected systems
 3 Details
 4 Results
 5 Solution
 6 Reproducing
 7 Vendor status
 8 References
 9 Disclaimer
10 Contact

1 Summary

  A Man in the middle attacker can cause network
  flood and denial of the service usage by sending
  2 TCP packets per connection.

2 AFFECTED SYSTEMS

 This vulnerability is tested against following platforms
 and they are vulnerable.

 Linux kern-v2.4.x
 Microsoft Windows 2000 Server
 Microsoft Windows 2000 Workstation
 Microsoft Windows ME
 Microsoft Windows 98

possibly other platforms are vulnerable.
Pending platform reports.

3 DETAILS

  It is possible for an attacker to open ethernet
  at promiscious mode and monitor network activity
  to collect SEQ and ACK's numbers of an active TCP
  connections.

  An attacker can trigger an ACK loop by sending a
  'spoofed' TCP packet with enabled ACK + FIN flags
  to source host and destination host of an active
  connection.

  TCP Stacks of client and server will acknowledge
  that the opposite side of the connection wants
  to close the connection. And hosts will immedately
  send ACK packets to complete the sequence.

  The vulnerability exploits at this point.

  Figure A :

    TCP A                MIM           TCP B
    1.ESTABLISHED                      ESTABLISHED
    2..            <-- [CTL=ACK+FIN]
    3.                   [CTL=ACK+FIN] -->
    4.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
    5.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
    ..
    ..
  1500.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
  1501.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
    ..
    ..

4 RESULTS

  Result of this attack is continious loop of ACK packet
  traffic between client and server.After tranmitting
  MANY packets using maximum throughput , target
  connection will be lost. At this period client
  software and target service may lockup ,freeze or
  crash.

  Number of transmitted packets and the generated
  traffic depends on host locations.

  Attack becomes more effective if it is used against
  local connections such as local netbios/cifs traffic.

  if an attacker applies above scenario on an avarage
  network,every connection attempt from any host to
  any server will fail , the network transport will
  be saturated in a short time , the collusion
  rates will raise to extreme levels and the cpu
  consuming of computers which is connected to
  network are  increased up to %90 due to the
  packet traffic.

5 SOLUTION

   Workaround

   none

6 HOW TO REPRODUCE VULNERABILITY

   Vulnerability can be reporduced by using atached win32 binary.
   Download the zip file and follow the steps at the readme.txt

   http://195.244.37.241/mimsc.zip

7 VENDOR STATUS

  Microsoft corp. is Informed at 07/30/2001 , no response received.

8 REFERENCES

  RFC 761, Page 35+
  RFC 793
  ACK Storm http://www.insecure.org/stf/iphijack.txt  (see for Similar
results)


9 DISCLAIMER

  Korhan Kaya is not responsible for the misuse or illegal use of
  any of the information and/or the software listed on this
  security advisory.

  This text may be redistributed freely after the
  release date given at the top of the text, provided that
  redistributed copies are complete and unmodified.

10 CONTACT

  Please send suggestions, updates, and comments to:
  kkaya () priority1world com

Current thread:

MiM Simultaneous close attack Korhan Kaya (Aug 14)
- <Possible follow-ups>
- RE: MiM Simultaneous close attack Malcolm Jack (Aug 17)
  - Re: MiM Simultaneous close attack Xyntrix (Aug 17)
    - Re: MiM Simultaneous close attack jaywhy (Aug 17)
    - Re: MiM Simultaneous close attack Michael J. Cannon (Aug 17)
  - RE: MiM Simultaneous close attack David Schwartz (Aug 17)
  - RE: MiM Simultaneous close attack Dom De Vitto (Aug 17)
  - Re: MiM Simultaneous close attack Korhan Kaya (Aug 17)
- RE: MiM Simultaneous close attack big bon (Aug 17)
  - Re: MiM Simultaneous close attack Paul (Aug 18)
    - Re: MiM Simultaneous close attack Robert Freeman (Aug 18)
    - Re: MiM Simultaneous close attack Mauro Flores (Aug 21)
    - RE: MiM Simultaneous close attack Dom De Vitto (Aug 21)
    - Re: MiM Simultaneous close attack Jim Nanney (Aug 21)
    - Re: MiM Simultaneous close attack jaywhy (Aug 18)
    - Re: MiM Simultaneous close attack Paul (Aug 19)