
Re: [Full-Disclosure] Core Internet Vulnerable - News at 11:00



On Tue, 20 Apr 2004, Crist J. Clark wrote:

> Does anyone know WTF they are trying to say in this AP article,
> "Core Internet Technology Is Vulnerable,"

http://www.uniras.gov.uk/vuls/2004/236929/index.htm

Just to have my $.02, I've posted a quick IMO piece about this to
vulndiscuss (just as, without doubt, dozens of others decided to do), but
I'm not sure it'll make it through.

Here it is, for your amusement:

/.../

This vulnerability report, in essence, states that data injection attacks
in TCP/IP sessions (and in particular, forcing connections to be dropped
by spoofing RST packets) do not require the attacker to guess the exact
sequence number, but rather operate within the range of sequence numbers
defined by the window size / window scale parameters of the connection. This
report is based on Mr. Watson's presentation at CanSecWest this year.

I see this report comes from a reputable source and mentions, among
others, Steve Bellovin as one of the folks involved in helping prepare it, but
I feel utterly confused and stumped by how it deserves being called a new
vulnerability. Although the original paper is valid, and it is definitely
a great conference speech material, I fail to see how this attack may be
even remotely considered a new vulnerability.

With just a quick google, I can find references going back to as early as
a 1996 IP spoofing paper that clearly mentions the ability to insert data
into the processing buffer by merely fitting into the receive window:

  http://www.networkcommand.com/docs/ipspoof.txt

Similarly, CERT advisory released after Tim Newsham and I published our
TCP/IP ISN prediction papers (CA-2001-09) mentioned the very same
possibility. Countless other less or more specific references to this
common knowledge may be found across the web in no time, perhaps dating
back to even earlier years.

Connection dropping attacks are a specific case of data injection
(connection hijacking) blind spoof attacks - the most popular and most
commonly practiced case, that is. As such, I think there is both extensive
prior knowledge (and art) for this vulnerability, and branding a
subvariant of it a new attack is a tad misleading (shame on NISCC for not
researching the issue?).

That said, kudos to Watson: it is definitely good to see this problem
being finally discussed in broad daylight; I think it would be good to see
some kludges intended to mitigate it a bit.

-- 
------------------------- bash$ :(){ :|:&};: --
 Michal Zalewski * [http://lcamtuf.coredump.cx]
    Did you know that clones never use mirrors?
--------------------------- 2004-04-20 21:05 --

   http://lcamtuf.coredump.cx/photo/current/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html