From: Mike Silbersack <silby@silby.com>
To: freebsd-security@freebsd.org
Date: Fri, 23 Apr 2004 22:34:51 -0500 (CDT)
Subject: Proposed RST patch
Message-ID: <20040423222922.F1915@odysseus.silby.com>

Here's my proposed patch to change RST handling so that ESTABLISHED connections are subject to strict RST checking, but connections in other states are only subject to the "within the window" check. Part 2 of the patch is simply a patch to netstat so that it displays the statistic. As expected, it's very straightforward; the only real question is what to call the statistic... "Ignored RSTs in the window" isn't the best description.
FWIW, I've been testing with the exploit code (reset-tcp-rfc31337-compliant.c from osvdb-4030-exploit.zip), and this change does indeed defeat the attack. It took me a while to get the code working; they really munged up the libnet calls, but I guess that was the intent.

Mike "Silby" Silbersack

Attachment: bad_reset.patch
Attachment: bad_reset-part2.patch
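The check the mail describes, as an added model rather than the attached patch or FreeBSD's own tcp_input.c: the pre-change "within the window" test, the proposed rule that an ESTABLISHED connection only honours an RST whose sequence number equals the ACK last sent (anything else in the window is counted in the new statistic and dropped), and a helper that goes a step beyond the mail by counting how many in-window sequence numbers still reset the connection under each state. Field, state and counter names mirror the kernel's; the struct layout and the counting helper are assumptions for illustration.

```c
/* Added model of the RST acceptance test before and after the change the mail
 * proposes. Constructed illustration, not FreeBSD's tcp_input.c; the names
 * (rcv_nxt, rcv_wnd, last_ack_sent, th_seq, tcps_badrst) mirror the kernel's. */
#include <stdbool.h>
#include <stdint.h>
enum tcp_state { TCPS_SYN_RECEIVED, TCPS_ESTABLISHED, TCPS_FIN_WAIT_1,
                 TCPS_FIN_WAIT_2, TCPS_CLOSE_WAIT };

struct tcpcb {
    enum tcp_state t_state;
    uint32_t rcv_nxt;       /* next sequence number expected from the peer */
    uint32_t rcv_wnd;       /* receive window currently advertised */
    uint32_t last_ack_sent; /* acknowledgment number in our last segment */
};
unsigned long tcps_badrst; /* the new statistic: in-window RSTs we ignored */

/* Modular sequence comparisons, like the kernel's SEQ_GEQ / SEQ_LT macros. */
static bool seq_geq(uint32_t a, uint32_t b) { return (int32_t)(a - b) >= 0; }
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }

/* Pre-change rule: an RST is honoured if its sequence number falls anywhere
 * in [rcv_nxt, rcv_nxt + rcv_wnd). */
bool rst_in_window(const struct tcpcb *tp, uint32_t th_seq)
{
    return seq_geq(th_seq, tp->rcv_nxt) &&
           seq_lt(th_seq, tp->rcv_nxt + tp->rcv_wnd);
}

/* Proposed rule: in-window is still required in every state; an ESTABLISHED
 * connection additionally requires th_seq == last_ack_sent, and any other
 * in-window RST is counted in tcps_badrst and dropped. */
bool rst_accepted(struct tcpcb *tp, uint32_t th_seq)
{
    if (!rst_in_window(tp, th_seq))
        return false;
    if (tp->t_state == TCPS_ESTABLISHED && tp->last_ack_sent != th_seq) {
        tcps_badrst++;
        return false;
    }
    return true;
}

/* Count the in-window sequence numbers that still reset the connection:
 * rcv_wnd of them in the other states, exactly one once ESTABLISHED. */
unsigned long accepted_seqs_in_window(struct tcpcb *tp)
{
    unsigned long n = 0;
    for (uint32_t s = tp->rcv_nxt; seq_lt(s, tp->rcv_nxt + tp->rcv_wnd); s++)
        n += rst_accepted(tp, s);
    return n;
}
```

With a 65535-byte window the counting helper returns 65535 for a connection in CLOSE_WAIT and 1 for the same connection in ESTABLISHED, which is the whole effect of the change; the out-of-window path is untouched and never bumps the counter.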