[EXPL] TCP Reset Spoofing Generic Exploit

From: SecuriTeam (support_at_securiteam.com)
Date: 04/26/04

    To: list@securiteam.com
    Date: 26 Apr 2004 13:57:19 +0200

    The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

      TCP Reset Spoofing Generic Exploit


    Linked below is a package containing several proofs of concept for the RST
    spoofing vulnerability discovered in the TCP protocol.


    The TCP stack implementation of numerous vendors contains a flaw that may
    allow a remote denial of service. The issue is triggered when spoofed TCP
    Reset packets are received by the targeted TCP stack, and will result in
    loss of availability for the attacked TCP services.

    Technical Description:
    RFC-793 uses sequence checking to ensure proper ordering of received
    packets. RFC-793 requires that sequence numbers be checked against the
    window size before accepting data or control flags as valid. RFC-793 also
    specifies that RST control flags should be processed immediately, without
    waiting for out-of-sequence packets to arrive. Furthermore, RFC-793 allows
    a TCP implementation to verify both the sequence and the acknowledgement
    number prior to accepting an RST control flag as valid. No TCP stack
    implementation tested currently checks both the sequence and the
    acknowledgement number; all tested TCP stacks verify only the sequence
    number. This allows connections to be reset with dramatically less effort
    than previously believed, since a spoofed RST only needs a sequence number
    that falls somewhere inside the receive window rather than the exact
    expected value.
    This risk is compounded by the easy prediction of source port selection
    used in TCP connections.
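    As an added illustration (not part of the advisory or the linked package), the Python below models the RST acceptance decision described above: the seq-only rule the tested stacks use beside the seq-plus-ACK rule RFC-793 permits, plus the worst-case number of spoofed RSTs each rule tolerates before one is guaranteed to land in the window. Connection state and segment values are constructed.

```python
MOD = 1 << 32  # sequence and acknowledgement numbers live in a 32-bit space


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 acceptability test for a segment carrying no data:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND, evaluated modulo 2^32."""
    return (seq - rcv_nxt) % MOD < rcv_wnd


class Connection:
    """Constructed snapshot of one established connection's TCB fields."""

    def __init__(self, rcv_nxt, rcv_wnd, snd_una, snd_nxt):
        self.rcv_nxt = rcv_nxt  # next byte we expect from the peer
        self.rcv_wnd = rcv_wnd  # receive window we advertised
        self.snd_una = snd_una  # oldest byte we sent that is not yet acked
        self.snd_nxt = snd_nxt  # next byte we will send


def rst_accepted_seq_only(conn, seg_seq, seg_ack):
    """Behaviour of the tested stacks: the RST is honoured whenever its
    sequence number lands anywhere in the receive window; ACK is ignored."""
    return in_window(seg_seq, conn.rcv_nxt, conn.rcv_wnd)


def rst_accepted_seq_and_ack(conn, seg_seq, seg_ack):
    """Stricter check RFC 793 permits: the RST must also acknowledge data we
    actually sent, i.e. SND.UNA <= SEG.ACK <= SND.NXT (modulo 2^32)."""
    if not in_window(seg_seq, conn.rcv_nxt, conn.rcv_wnd):
        return False
    return (seg_ack - conn.snd_una) % MOD <= (conn.snd_nxt - conn.snd_una) % MOD


def spoofed_rsts_to_cover(rcv_wnd, ack_span=None):
    """Worst-case number of distinct spoofed RSTs, for one known 4-tuple,
    before one is certain to be accepted. Seq-only: one guess per window-sized
    stride of the sequence space. Seq-plus-ACK: multiplied by the strides of
    the ACK space (ack_span = SND.NXT - SND.UNA + 1, which is 1 when idle)."""
    seq_guesses = -(-MOD // rcv_wnd)  # ceil(2^32 / rcv_wnd)
    if ack_span is None:
        return seq_guesses
    return seq_guesses * -(-MOD // ack_span)  # ceil(2^32 / ack_span)


if __name__ == "__main__":
    conn = Connection(rcv_nxt=1000, rcv_wnd=65536, snd_una=5000, snd_nxt=5000)
    # Constructed spoofed RST: 30000 bytes into the window, garbage ACK field.
    print(rst_accepted_seq_only(conn, 31000, 0))     # True
    print(rst_accepted_seq_and_ack(conn, 31000, 0))  # False
    print(spoofed_rsts_to_cover(65536))              # 65536
    print(spoofed_rsts_to_cover(65536, ack_span=1))  # 65536 * 2**32
```

The ratio between the last two numbers is the effort reduction the advisory refers to; the sequence-number wrap-around is handled by the modular arithmetic in `in_window`.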

    The zip file contains the following exploit codes:

    - reset-tcp.c: Simple exploit proof-of-concept in C
    - reset-tcp_rfc31337-compliant.c: Same program with modifications from
      J 'Swoop' Barber
    - ttt-1.3r.tar.gz: Modified version of Cisco CIAG's TCP Test Tool utility
    - bgp-dosv2.pl: Perl example from Rich Compton

    The exploits can be downloaded from:


    The information has been provided by <mailto:paw@paw.org> Paul (Tony)
    Watson.

    The original article can be found at: <http://www.osvdb.org/4030>


