[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [Full-Disclosure] A new TCP/IP blind data injection technique?

To: Michael Gale <michael@bluesuperman.com>
Subject: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
From: Valdis.Kletnieks@vt.edu
Date: Sat, 13 Dec 2003 15:04:10 -0500

On Sat, 13 Dec 2003 03:35:25 MST, Michael Gale <michael@bluesuperman.com>  said:

> For example the BorderWare Firewall will not accept fragmented packets,
> they are working on a firewall function that when fragmented packets
> arrive. It will save the first piece plus all frags until the final one
> is received. But the packet back together and do a sanity check of some
> sort. Then pass or drop the packet.

So the problem is that the host may re-assemble a fragmented packet with 
injected
data in it.

And we protect against it by.... you got it.. having the firewall re-assemble 
the
fragmented packet with injected data and then handing the re-assembled full
packet (with injected data) to the host.

Whoops.

Attachment: pgp00032.pgp
Description: PGP signature

Follow-Ups:
- Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
  - From: Michael Gale <michael@bluesuperman.com>

References:
- [Full-Disclosure] A new TCP/IP blind data injection technique?
  - From: Michal Zalewski <lcamtuf@ghettot.org>
- Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
  - From: Michael Gale <michael@bluesuperman.com>

Prev by Date: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Next by Date: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Previous by thread: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Next by thread: Re: [Full-Disclosure] A new TCP/IP blind data injection technique?
Index(es):
- Date
- Thread