Re: A new TCP/IP blind data injection technique?

From: stanislav shalunov (shalunov_at_internet2.edu)
Date: 12/11/03

  • Next message: Slackware Security Team: "[slackware-security] cvs security update (SSA:2003-345-01)"
    To: Michael Wojcik <Michael.Wojcik@microfocus.com>
    Date: 11 Dec 2003 15:58:47 -0500
    
    

    Michael Wojcik <Michael.Wojcik@microfocus.com> writes:

    > > From: Valdis.Kletnieks@vt.edu [mailto:Valdis.Kletnieks@vt.edu]
    > > However, it's a trivial matter to take the original text, the
    > > replacement text, and compute an original such that the checksum
    > > comes out "the same".
    >
    > True, but irrelevant to the problem at hand, where the attacker has neither
    > the original checksum nor the original text.

    There's clearly an attack here; the attacker can replace known bits in
    some parts of the stream with bits of his choice. This can be useful
    to replace, e.g., a username here or there, or a predictable URL
    (perhaps in a request for a news site to a proxy server). It is a
    weakness.

    What mitigates the attack is that if pMTUd is used, it won't work
    because all packets will have the DF bit set. Practically all modern
    OSes will use pMTUd. Michal pointed out in private communication that
    some broken firewalls will strip the DF bit off packets. Some of
    these same firewalls will also reduce MSS and do other things designed
    to prevent fragmentation; it's not clear to me how frequently
    fragmentation of TCP packets happens in practice. But in any case,
    ``broken firewalls have negative net effect on security'' is not
    exactly a newsflash; we knew that. Broken firewalls can also hurt
    performance badly and interfere with deployment of new features in the
    IP protocol (think ECN) and new applications.

    Now, UDP in its default state will not set DF and, in some cases,
    systems and applications are intentionally (mis)configured to send
    packets that will be fragmented. NFS, with frequently used block size
    of 4kB or 8kB, would be an important example.

    P.S. Since IPv6 has no notion of en-route fragmentation, it is immune.
    This is actually the first known to me example of a security issue
    where IPv6 design actually improves security.

    -- 
    Stanislav Shalunov		http://www.internet2.edu/~shalunov/
    

  • Next message: Slackware Security Team: "[slackware-security] cvs security update (SSA:2003-345-01)"

    Relevant Pages

    • [REVS] OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vulnerability
      ... Recently Amit'has been looking at the OpenBSD PRNG implementation for DNS ... also use this PRNG for IP fragmentation ID normalization feature (e.g. ... in "regular" IP packets and raw IP packets. ... o Idle-scanning, O/S fingerprinting, host alias detection, traffic ...
      (Securiteam)
    • A paper by Amit Klein (Trusteer): "OpenBSD DNS Cache Poisoning and Multiple O/S Predictable IP ID Vu
      ... DNS transaction ID (OpenBSD ported BIND 9 into their code tree, ... fragmentation ID normalization feature (e.g. "scrub out random- ... packets and raw IP packets. ...
      (Bugtraq)
    • [UNIX] Security Flaws Found in Tinc
      ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... This section describes how Tinc secures forwarded packets. ... The aim of encryption is to make the data unreadable for anybody who does ... It does not prevent an attacker from modifying the data. ...
      (Securiteam)
    • Re: IPS Testing
      ... What if an attacker spoofs SQL Injection/XSS/CSRF ... payload within the packets that Nessus is sending. ... spoof every packets destined to their address ... buy it or download a solution FREE today! ...
      (Pen-Test)
    • Malformed Fragmented Packets DoS Dlink Firewall/Routers
      ... Malformed Fragmented Packets DoS Dlink Firewall/Routers ... Fragmentation is required because every network ... You bitches thought Fate Labs was dead?! ...
      (Bugtraq)