[12051] in bugtraq


Re: [EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)

daemon@ATHENA.MIT.EDU (Jeremy Buhler)
Wed Sep 29 15:32:03 1999

Mime-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
Message-Id:  <Pine.LNX.4.10.9909281309240.19077-100000@tako.cs.washington.edu>
Date:         Tue, 28 Sep 1999 13:21:32 -0700
Reply-To: Jeremy Buhler <jbuhler@CS.WASHINGTON.EDU>
From: Jeremy Buhler <jbuhler@CS.WASHINGTON.EDU>
X-To:         Sebastian <scut@nb.in-berlin.de>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <Pine.LNX.4.05.9909282150370.25252-100000@nb.in-berlin.de>

On Tue, 28 Sep 1999, Sebastian wrote:
> A lot of people wrote to us and said that the typo where &secret[3] was
> meant but &secret+3 was written within the kernel code was the cause for
> this bug.
>
> In our tests, however, we applied nothing but this one-line patch and we
> still experienced small-difference ISNs (stealth tested this, but I
> believe in his skills :-).

Right.  Andrea Arcangeli proposed this change on the kernel mailing list,
but it wasn't the patch that actually got applied in 2.3.13pre13.  This
is the patch which I believe is intended to fix the easily-guessable
sequence numbers:

--- linux.vanilla/net/ipv4/tcp_ipv4.c	Sat Aug 28 20:00:59 1999
+++ linux.13p13/net/ipv4/tcp_ipv4.c	Sun Sep 26 23:25:18 1999
@@ -525,7 +525,8 @@

 static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb)
 {
-	return secure_tcp_sequence_number(sk->saddr, sk->daddr,
+	return secure_tcp_sequence_number(skb->nh.iph->daddr,
+					  skb->nh.iph->saddr,
 					  skb->h.th->dest,
 					  skb->h.th->source);
 }
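Review bot: the reversed argument order in the new call, `skb->nh.iph->daddr` before `skb->nh.iph->saddr`, needs a one-line comment, because for the incoming SYN the header's destination is the local end and its source the remote end, so the new arguments keep the local-first, remote-second order of the old `sk->saddr, sk->daddr` call, and without the comment a later reader may "fix" the apparent swap. The same comment should state why the socket fields are the wrong source here, which is the substance of the change: the old call mixed addresses from the socket with ports from the packet (`skb->h.th->dest`, `skb->h.th->source`), and as Jeremy reads it the remote address never reached the hash; after the hunk all four inputs come from the packet that triggered the sequence-number initialization.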

If I understand correctly, the bug was that the sequence number initialization
erroneously didn't use the remote's IP address.

                                                         Jeremy
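To make the effect of the old and patched call sites concrete, the following added example (not code from this thread or from the kernel) models both with a toy keyed hash that stands in for secure_tcp_sequence_number(); the hash, the secret, the addresses, and the assumption that the listening socket's sk->daddr carries no peer address (modeled as 0, following Jeremy's reading) are all constructed for the illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed sample: a 4-word secret and a server at 10.0.0.1:80 receiving
 * SYNs from two different peers, 192.0.2.10 and 192.0.2.20, both from port 40000. */
static const uint32_t SECRET[4] = { 0x243F6A88u, 0x85A308D3u, 0x13198A2Eu, 0x03707344u };
#define IP(a,b,c,d) (((uint32_t)(a) << 24) | ((b) << 16) | ((c) << 8) | (d))

/* Toy keyed mixer standing in for secure_tcp_sequence_number(); it is NOT the
 * kernel's algorithm (assumption), only a hash of the 4-tuple whose steps after
 * the remote address is mixed in are all bijective, so distinct remotes never collide. */
static uint32_t toy_isn(uint32_t local, uint32_t remote, uint16_t lport, uint16_t rport)
{
    uint32_t h = SECRET[0] ^ local;
    h = (h * 0x9E3779B1u) ^ (remote + SECRET[1]);
    h = ((h << 13) | (h >> 19)) ^ (((uint32_t)lport << 16) | rport);
    h = (h * 0x85EBCA6Bu) ^ SECRET[2];
    h ^= h >> 16;
    return h + SECRET[3];
}

/* Old call site: addresses from the listening socket.  The listener has no peer
 * yet, so sk->daddr carries no remote address (modeled as 0, an assumption);
 * only the ports come from the SYN. */
static uint32_t isn_old(uint32_t sk_saddr, uint32_t sk_daddr, uint16_t th_dest, uint16_t th_source)
{
    return toy_isn(sk_saddr, sk_daddr, th_dest, th_source);
}

/* Patched call site: every input taken from the incoming SYN; iph->daddr is the
 * local end and iph->saddr the remote, so the local-first order is preserved. */
static uint32_t isn_new(uint32_t iph_daddr, uint32_t iph_saddr, uint16_t th_dest, uint16_t th_source)
{
    return toy_isn(iph_daddr, iph_saddr, th_dest, th_source);
}

/* Returns 1 if two different peers using the same ports receive the same ISN. */
int peers_share_isn(int patched)
{
    uint32_t server = IP(10,0,0,1), peer_a = IP(192,0,2,10), peer_b = IP(192,0,2,20);
    uint16_t sport = 80, cport = 40000;
    uint32_t a, b;
    if (patched) { a = isn_new(server, peer_a, sport, cport); b = isn_new(server, peer_b, sport, cport); }
    else         { a = isn_old(server, 0, sport, cport);      b = isn_old(server, 0, sport, cport); }
    return a == b;
}

int main(void)
{
    printf("unpatched: peers share ISN = %d\n", peers_share_isn(0)); /* 1 */
    printf("patched:   peers share ISN = %d\n", peers_share_isn(1)); /* 0 */
    return 0;
}
```

With the old call site the two peers are indistinguishable to the hash, so the only per-connection variation left is whatever the rest of the generator adds; with the patched call site the peer address enters the hash and the ISNs diverge.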
