[EXPL] TCP Reset Spoofing Generic Exploit
From: SecuriTeam (support_at_securiteam.com)
To: firstname.lastname@example.org Date: 26 Apr 2004 13:57:19 +0200
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
- - - - - - - - -
TCP Reset Spoofing Generic Exploit
Linked below is a package containing several proofs of concept for the RST
spoofing vulnerability discovered in the TCP protocol.
The TCP stack implementation of numerous vendors contains a flaw that may
allow a remote denial of service. The issue is triggered when spoofed TCP
Reset packets are received by the targeted TCP stack, and will result in
loss of availability for the attacked TCP services.
RFC-793 utilizes sequence checking to ensure proper ordering of received
packets. RFC-793 requires that sequence numbers be checked against the
window size before accepting data or control flags as valid. RFC-793 also
specifies that RST control flags should be processed immediately, without
waiting for out of sequence packets to arrive. Furthermore, RFC-793 allows
a TCP implementation to verify both sequence and acknowledgement numbers
prior to accepting a RST control flag as valid. No TCP stack
implementation tested currently implements checking of both sequence and
acknowledgement. All tested TCP stacks currently verify only the sequence
number. This allows connections to be reset with dramatically less effort
than previously believed.
This risk is compounded by the easy prediction of source port selection
used in TCP connections.
The zip file contain the following exploit codes:
reset-tcp.c Simple exploit proof-of-concept in C
reset-tcp_rfc31337-compliant.c Same program with modification from J
ttt-1.3r.tar.gz Modified version of Cisco CIAG's TCP Test Tool utility
bgp-dosv2.pl PERL example from Rich Compton
The exploits can be downloaded from:
The information has been provided by <mailto:email@example.com> Paul (Tony)
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: firstname.lastname@example.org
In order to subscribe to the mailing list, simply forward this email to: email@example.com
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.