Vulnerability Development mailing list archives
Re: TCP/IP ISN Prediction Susceptibility
From: Elias Levy <aleph1 () SECURITYFOCUS COM>
Date: Tue, 13 Mar 2001 23:56:29 -0700
* Holger van Koll (holger () VANKOLL DE) [010314 03:32]:
> Could somebody explain how session hijacking is related to ISN-guessing? "session" means it is already established. ISNs are done. If I am able to sniff the session, I don't need ISN-guessing. I can insert packets based on the sniffed SN. If I can't (and therefore ISN-guessing would be helpful) it is IMHO of no use for already established sessions. Can somebody shed some light on this?
To splice data into a TCP stream you need six pieces of information: the IP address of machine A, the IP address of machine B, the TCP port number of machine A, the TCP port number of machine B, the TCP acknowledged sequence number of A, and the TCP acknowledged sequence number of B.

The easiest way to obtain this information is by monitoring the actual traffic. This is simple if the traffic is flowing through a broadcast network you are attached to. If this is not the case then you can coerce the traffic your way via a number of tricks such as ARP spoofing, ICMP redirects, route poisoning, etc.

A less trivial method is to guess the value of some of the variables. It may be the case that you know the IP addresses of A and B, as well as the port numbers they are using (e.g. some DNS requests). If both A's and B's ISNs are trivially predictable then guessing the current sequence numbers for A and B may not be difficult if they have not transmitted a lot of data. You can always send multiple packets until you get the numbers right. You may not even need to know the TCP port number of one of the hosts. Many computers assign ephemeral port numbers in a predictable fashion so you can try to guess it as well.

And in reality you only need to know the acknowledged sequence number of the machine into whose input stream you want to inject data. You don't need to know the other machine's acknowledged sequence number. So only *one* of the machines needs to have an easily predictable ISN. And in most attacks this machine is likely to be the *client* machine (since that is the machine you are more likely to impersonate). And clients (e.g. Windows) are more likely than the server to have predictable ISNs as security tends to be an afterthought.

This is different from IP spoofing attacks that attempt to initiate a TCP connection to a server, for which you need to guess the server's ISN so you can complete the three-way handshake. In this case the *server* having a predictable ISN is the vulnerability.

What this all means is that it may be possible to inject data into an established TCP connection without actually having to monitor the traffic between the two hosts. All you would need is to know the connection exists, know or guess the TCP port numbers, and guess the acknowledged sequence number of the host you want to accept the data.

Anyway, that's my speculation as to what Guardent may say they have discovered: a previously non-widely known attack scenario for the old and venerable predictable ISN vulnerability.
> Regards, Holger
--
Elias Levy
SecurityFocus.com
http://www.securityfocus.com/
Si vis pacem, para bellum
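A way to quantify the "trivially predictable ISN" condition the reply turns on, added here as an example that is not part of the original post or thread: it measures how tightly a host's past ISNs constrain its next one, which is what decides whether the acknowledged sequence number of a young connection can be guessed in a handful of tries or not at all. The two ISN generators are constructed for illustration and do not model any specific stack.

```python
import random

SEQ_MOD = 2 ** 32           # TCP sequence numbers wrap at 2^32


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32 (handles wrap-around)."""
    return [(b - a) % SEQ_MOD for a, b in zip(isns, isns[1:])]


def assess_isn_predictability(isns, window=65535):
    """Measure how tightly observed ISNs constrain the next one.

    'spread' is the range of observed deltas: someone who knows the last ISN can
    expect the next one to fall within roughly that many values.  'guesses' is
    that spread divided by the receive window, i.e. how many window-sized probes
    would cover the range.  A value of 1 means the generator is trivially
    predictable; a value in the tens of thousands means it is effectively random.
    """
    deltas = isn_deltas(isns)
    spread = max(deltas) - min(deltas) + 1
    guesses = -(-spread // window)          # ceiling division
    return {"spread": spread, "guesses": guesses}


# Constructed sample generators (assumptions for the demo, not real measurements).
def incrementing_isns(n, step=64000, jitter=16, seed=1):
    """Clock-driven generator: each new ISN is about 'step' above the last."""
    rng = random.Random(seed)
    isn, out = 0x12345678, []
    for _ in range(n):
        isn = (isn + step + rng.randint(0, jitter)) % SEQ_MOD
        out.append(isn)
    return out


def random_isns(n, seed=1):
    """Generator drawing each ISN uniformly from the whole 32-bit space."""
    rng = random.Random(seed)
    return [rng.getrandbits(32) for _ in range(n)]


if __name__ == "__main__":
    for name, isns in (("incrementing", incrementing_isns(200)),
                       ("random", random_isns(200))):
        print(name, assess_isn_predictability(isns))
```

Feeding the function ISNs collected from a host you administer (one SYN/ACK per probe connection) gives a first-order check of whether that host is the "one machine" with a predictable ISN that the reply describes.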