TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED] Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------
Hi Tim,
You're absolutely right, I apologize. I must have been thinking about
acknos which are less important in resets. I've just forged a RST with
TCP flags of x'04', a valid seqno (I cheated and traced it) and a null
ackno (zero) - which killed the session. It seems that I'd need to
guess a seqno which falls within what the receiver is prepared for
(rcv_nxt <= seqno < rcv_nxt + rcv_wnd). For an 8KB window that's up to
(2^32)/8192 seqnos. I assume that realsecure uses the ackno/seqno from
the rogue packet it sees, to build the kill? If so then the hacker
would have to include a valid number in his rogue packet in order for
the realsecure kill to cause any damage.
James
On Fri, 27 Apr 2001 15:47:59 -0400, you wrote:
>> Having pondered this at length in a previous posting, it has just
>> dawned on me that the hacker could just spoof a reset anyway. I don't
>> remember whether seqnos have to be valid for a reset but I imagine
>> not. So...
>
>Actually sequence numbers *DO* have to be valid in a RST, and that's a very
>important requirement! If it weren't true, if I wanted to disconnect user X
>from your web server, all I'd have to do is flood you with about 65K RST
>packets, one for each possible source port number on the user's IP.
>
>Since sequence numbers must be valid, I have to be able to guess both the
>source port and the sequence number. Instead of 65K possibilities, this
>gives me more like 281 TRILLION possibilities. It's a bit harder to do.
>
>> However in many cases I think it would be hard for a hacker to find
>> valid quads, plus they could probably spoof their own resets directly.
>
>Correct. If the attacker could spoof a payload that was valid enough to
>induce RealSecure into sending a valid RST, then he might as well just spoof
>the RST himself.
>
>Tim Farley
>Senior Researcher
>Internet Security Systems
>
>[EMAIL PROTECTED]
>(404) 236-2600
>http://www.iss.net
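The window test James writes out (rcv_nxt <= seqno < rcv_nxt + rcv_wnd) and the two search-space figures in the thread, as an added Python example that is not part of either post. It implements the receiver-side check a TCP stack applies to an incoming RST, with the comparison done modulo 2^32 so it still works when the sequence space wraps, and it adds one point the thread predates: the later RFC 5961 refinement, under which only a RST whose seqno exactly equals rcv_nxt tears the connection down, while an in-window but inexact RST only provokes a "challenge ACK". The sample values (rcv_nxt just below the wrap point, an 8 KB window) are constructed for the demonstration.

```python
# Added example, not from the issforum thread: TCP RST sequence-number
# validation and the guess counts discussed by James and Tim.

SEQ_MOD = 2**32  # TCP sequence numbers are 32-bit and wrap


def seq_in_window(seqno, rcv_nxt, rcv_wnd):
    """True if rcv_nxt <= seqno < rcv_nxt + rcv_wnd, evaluated modulo 2^32.

    Subtracting first and then reducing mod 2^32 makes the test correct
    across the wrap point, where a plain integer comparison would fail.
    A zero window accepts nothing.
    """
    if rcv_wnd == 0:
        return False
    return (seqno - rcv_nxt) % SEQ_MOD < rcv_wnd


def classify_rst(rcv_nxt, rcv_wnd, seqno):
    """RFC 5961-style handling of a received RST for an established connection.

    'reset'         - seqno is exactly rcv_nxt: connection is torn down.
    'challenge-ack' - seqno is in the window but not exact: the receiver
                      replies with an ACK carrying the correct seqno and
                      drops the RST; a legitimate peer re-sends a RST that
                      now matches, a blind guesser gets no effect.
    'drop'          - out of window: silently discarded.
    """
    if seqno == rcv_nxt:
        return "reset"
    if seq_in_window(seqno, rcv_nxt, rcv_wnd):
        return "challenge-ack"
    return "drop"


def rst_guesses_for_window(rcv_wnd):
    """Sequence values an attacker must cover to be sure one lands in an
    rcv_wnd-byte window: the (2^32)/8192 figure in James's post, rounded up."""
    return -(-SEQ_MOD // rcv_wnd)  # ceiling division


def blind_rst_search_space(source_ports=65536):
    """Port x sequence-number combinations for a blind RST against an unknown
    client port with no window knowledge: Tim's '281 trillion' figure."""
    return source_ports * SEQ_MOD


if __name__ == "__main__":
    # Constructed sample: receive pointer just below the 32-bit wrap, 8 KB window.
    rcv_nxt, rcv_wnd = 0xFFFFFF00, 8192
    for seqno in (0xFFFFFF00, 0x00000010, 0xFFFFFEFF):
        print(f"seqno={seqno:#010x}: {classify_rst(rcv_nxt, rcv_wnd, seqno)}")
    print("guesses to cover an 8 KB window:", rst_guesses_for_window(rcv_wnd))
    print("blind port x seqno search space:", blind_rst_search_space())
```

Two things the numbers show: covering an 8 KB window takes 2^32 / 8192 = 524,288 sequence values rather than 2^32, which is why window size (not just sequence unpredictability) bounds the attacker's work; and the challenge-ACK rule removes even that benefit for a blind sender, because a RST that is merely in-window no longer resets anything. An IDS that generates resets from an observed packet's seqno/ackno, as the thread speculates RealSecure does, only reaches the stricter exact-match bar if it copies those values from a packet that was itself in-window.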