Date:      Wed, 17 Jan 2018 11:24:48 -0600
From:      Kevin Day <toasty@dragondata.com>
To:        Brahmanand Reddy <brahma.gdb@gmail.com>
Cc:        FreeBSD-security@freebsd.org
Subject:   Re: Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
Message-ID:  <7E7F9FCF-BA42-4B3C-871E-2DDC1229D14D@dragondata.com>
In-Reply-To: <CAKsRH7kX_61MxjK32h0zYc=MejPTYMX6BxAjAfuuRVUxpGhZwg@mail.gmail.com>
References:  <CAKsRH7nsVmhSMUT7TNzGfuN55_J9BkLBzO=8dvjLGvOZtri%2BuQ@mail.gmail.com> <20180111171545.GC68137@fc.opsec.eu> <CAKsRH7kX_61MxjK32h0zYc=MejPTYMX6BxAjAfuuRVUxpGhZwg@mail.gmail.com>

I think the confusion here is that your test program below has a bug - your RST packet is invalid so it's not closing the socket on the other side.

If you look at how a normal RST is generated normally:

17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 472216886, win 0, length 0

Notice that the third packet (the RST packet) uses the sequence number that the SYN had plus 1. Your program is using the SYNACK packet's sequence number in the RST, which would look like this instead:

17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 3592434473, win 0, length 0

The dst system is treating this as an invalid RST packet because the sequence number is incorrect and completely ignoring it, leaving the socket still half open. When you send the SYN2 packet with the same source and destination port, and the dst system still has the socket open, it's going to repeat the same SYNACK back to you.

If you change your program to send a RST with a sequence of the initial SYN plus 1, you'll actually reset the connection and see the behavior you're looking for. You're seeing the same ISN because your RST isn't closing the connection on the other side, so the dst system is still trying to open the original socket.

> On Jan 11, 2018, at 7:20 PM, Brahmanand Reddy <brahma.gdb@gmail.com> wrote:
>
> Hi Kurt,
>
> Thanks a lot for responding to my mail.
>
> Please explain why you think this should be an issue for FreeBSD 10.2?
>
> Currently I am using 10.2 and 10.4, and I found this problem/vulnerability
> still exists using the script below:
>
> #!/usr/local/bin/python
> from scapy.all import *
> import random
>
> # On Python 2, input() evaluates what is typed; read a plain string instead
> try:
>     input = raw_input
> except NameError:
>     pass
>
> # VARIABLES
> src = str(input('IP SRC: '))
> dst = str(input('IP DST: '))
>
> sport = random.randint(1024,65535)
> dport = int(input("DST PORT: "))
>
> # SYN
> ip=IP(src=src,dst=dst)
> SYN=TCP(sport=sport,dport=dport,flags='S',seq=random.randint(1024,1048576), ack=0)
> SYNACK=sr1(ip/SYN)
> print('Seq1 Number is :',SYNACK[TCP].seq)             # ==> Seq1
>
> # RST
> RST=TCP(sport=sport, dport=dport, flags='R', seq=SYNACK.ack, ack=0)
> send(ip/RST)
>
> #SYN
> SYN2=TCP(sport=sport,dport=dport,flags='S',seq=random.randint(1024,1048576), ack=0)
> SYNACK2=sr1(ip/SYN2)
> print('Seq2 Number is :',SYNACK2[TCP].seq)            # ==> same ISN number I observed/received
>
> I mean seq1=seq2, TCP ISN reuse.
>
> I think the patch is available on 10.4 onwards, but I didn't find an exact/similar
> patch at https://www.freebsd.org/security/patches/
>
> It would be great to confirm which corresponding latest patch solves this
> problem. Kindly correct me if I am missing anything.
>
> Sincerely,
> Brahma
>
> On Thu, Jan 11, 2018 at 10:45 PM, Kurt Jaeger <pi@freebsd.org> wrote:
>
>> Hi!
>>
>>> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
>>> sequence numbers*) latest patch.
>>>
>>> The original problem was reported at:
>>> https://www.freebsd.org/security/advisories/FreeBSD-SA-00%3A52.tcp-iss.asc
>>
>> That's a security announcement for FreeBSD 3.x to 5.x.
>>
>> Please explain why you think this should be an issue for FreeBSD 10.2?
>>
>> And, by the way: FreeBSD 10.2 is an old, no-longer supported version.
>>
>> https://www.freebsd.org/releases/
>>
>> lists which versions are still supported.
>>
>> --
>> pi@FreeBSD.org         +49 171 3101372                2 years to go !
>>
> _______________________________________________
> freebsd-security@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe@freebsd.org"
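The receiver-side check Kevin describes, as an added example that is not part of the thread: a small model of the RFC 793 RST acceptability test on a half-open connection (with the stricter RFC 5961 exact-match rule as an option), run on the sequence numbers from the tcpdump traces above. The 65535 receive window and the RFC 5961 flag are assumptions of the example.

```python
# Added example: models the server-side acceptability check for an RST
# arriving on a half-open (SYN-RECEIVED) connection. Not code from the
# thread; the window size and the RFC 5961 option are assumptions.
MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap


def in_window(seq, rcv_nxt, rcv_wnd):
    """RFC 793 test: seq lies in [rcv_nxt, rcv_nxt + rcv_wnd), modulo 2^32."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % MOD < rcv_wnd


def expected_rst_seq(syn_seq):
    """The SYN consumes one sequence number, so the client's next sequence
    (and the value the RST must carry) is syn_seq + 1; this is also the
    ack field of the SYN/ACK the server returned."""
    return (syn_seq + 1) % MOD


def rst_accepted(rst_seq, syn_seq, rcv_wnd=65535, rfc5961=False):
    """Server in SYN-RECEIVED has RCV.NXT = syn_seq + 1.
    RFC 793: any in-window RST resets the connection.
    RFC 5961: only an RST whose seq equals RCV.NXT resets it; an in-window
    but inexact RST draws a challenge ACK and the socket stays open."""
    rcv_nxt = expected_rst_seq(syn_seq)
    if rfc5961:
        return rst_seq == rcv_nxt
    return in_window(rst_seq, rcv_nxt, rcv_wnd)


# Values taken from the tcpdump traces in the message above.
SYN_SEQ = 472216885
SYNACK_SEQ = 3592434473      # server's ISN; the wrong value to put in the RST
SYNACK_ACK = 472216886       # == SYN_SEQ + 1; the value the RST must carry


def demo():
    """Returns (correct RST accepted?, RST built from the server ISN accepted?)."""
    return (rst_accepted(SYNACK_ACK, SYN_SEQ), rst_accepted(SYNACK_SEQ, SYN_SEQ))


if __name__ == "__main__":
    print("RST seq = SYN seq + 1 accepted:", demo()[0])      # True
    print("RST seq = SYN/ACK seq accepted:", demo()[1])      # False
```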