[13955] in bugtraq
unused bit attack alert
daemon@ATHENA.MIT.EDU (LigerTeam)
Mon Feb 21 18:37:26 2000
Message-Id: <200002211543.HAA24775@www.geocrawler.com>
Date: Mon, 21 Feb 2000 07:43:54 -0800
Reply-To: LigerTeam <ligerteam@hotmail.com>
From: LigerTeam <archiver@DB.GEOCRAWLER.COM>
X-To: bugtraq@securityfocus.com
To: BUGTRAQ@SECURITYFOCUS.COM
LigerTeam Advisory
"unused bit attack"
Our team discovered a problem that is simple in some cases,
but that can be a serious security issue in programs
that handle TCP/IP.
The TCP header carries six flags
(SYN, ACK, PSH, RST, FIN, URG).
The problem is that the flag field of the TCP header
is read as a one-byte variable of type u_char
(see the tcp.h file).
Each flag corresponds to one bit,
but the byte also has two unused bits:
|unused|unused|URG|ACK|PSH|RST|SYN|FIN|
The problem itself is easy to understand.
Compare the two code patterns a SYN scan detector might use:
i) if ( flag == TH_SYN )
ii) if ( flag & TH_SYN )
(TH_SYN is the SYN flag bit.)
Pattern i) is true only when the SYN flag bit is set
and every other bit is clear,
i.e. when the flag byte is exactly 0x2,
|0|0|0|0|0|0|1|0| in binary.
Pattern ii) is true whenever the SYN flag bit
(the TH_SYN value) is set in the flag byte;
the state of the other bits has no influence.
From this we can draw a very
important conclusion.
If an attacker sets one or both of the two high (unused) bits,
pattern i) evaluates false
while pattern ii) still evaluates true,
so the attacker slips past a detector written with pattern i).
For example, when the highest bit is set together with the
SYN flag bit, the flag variable is
|1|0|0|0|0|0|1|0| = 0x82 = 130.
This no longer matches the TH_SYN value,
so the if statement in pattern i) is false.
The TCP/IP stack itself, however, tests the flags bit by bit,
so it still accepts the segment as a SYN:
the SYN bit alone being set is what matters to it.
Conclusion:
Whenever the flags variable read from the TCP header
is compared as a whole against a given value,
the two high (unused) bits must first be cleared
(set to 0).
Solution:
LigerTeam strongly recommends inserting the following
line before any computation on the flag
variable:
flag = flags & 0x3f;
Weak program:
At the time of writing, the main technical documentation for
RTSD (Real Time Scan Detecter), distributed by
CERT-KR, shows a representative weak case.
It says that
to capture (only) TCP SYN packets,
the condition is
tcp[13] == 2 (SYN).
This is exactly the problem.
We thought that other SYN packet sensing
tools had fallen into a similar situation.
We simply tested several firewalls
that might contain this kind of problem
and got the result that there
was no problem, in our view.
Every TCP/IP-related security program using
the earlier pattern i) is weak, for example
if (flag == (TH_SYN | TH_ACK)) etc.
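The following C program is an added illustration and is not part of the original advisory or of RTSD. It builds a few minimal 20-byte TCP headers (constructed here, not captured), sets the reserved bits in the flags byte the way the advisory describes, and runs pattern i), pattern ii), and the masked "bare SYN" check the advisory proposes over them. The TH_* constants are those of <netinet/tcp.h>; the function names and the sample headers are this example's own. One caveat from later practice: RFC 3168 assigned the two formerly unused bits to ECE (0x40) and CWR (0x80), so a SYN carrying both (0xc2) is a legitimate ECN-setup SYN today, which is one more reason a detector must mask those bits out rather than compare the whole byte.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* Flag bits of the TCP header's 14th byte (tcp[13]), as in <netinet/tcp.h>.
 * In 2000 bits 6 and 7 were reserved; RFC 3168 later assigned them to
 * ECE (0x40) and CWR (0x80). */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_ECE  0x40
#define TH_CWR  0x80
#define TH_RFC793_MASK 0x3f   /* the six flags the advisory's detector cares about */
#define TCP_FLAGS_OFFSET 13    /* "tcp[13]" in BPF filter syntax */

/* Pattern i) from the advisory: equality against the whole byte.
 * Any reserved/ECN bit set in the same byte makes this miss the SYN. */
int weak_is_syn(uint8_t flags)
{
    return flags == TH_SYN;
}

/* Pattern ii): test the bit; the other bits do not influence the result. */
int bitwise_is_syn(uint8_t flags)
{
    return (flags & TH_SYN) != 0;
}

/* Hardened "bare SYN" check (SYN set, the other five RFC 793 flags clear),
 * which is what a SYN-scan detector actually wants: mask the reserved bits
 * first, as the advisory proposes, then compare. The equivalent tcpdump/BPF
 * filter is   tcp[13] & 0x3f == 2   instead of   tcp[13] == 2. */
int hardened_is_bare_syn(uint8_t flags)
{
    uint8_t f = flags & TH_RFC793_MASK;
    return f == TH_SYN;
}

/* Pull the flags byte out of a raw TCP segment whose header starts at seg[0]. */
uint8_t tcp_flags(const uint8_t *seg, size_t len)
{
    return len > TCP_FLAGS_OFFSET ? seg[TCP_FLAGS_OFFSET] : 0;
}

/* Constructed sample segments (not real captures): minimal 20-byte TCP
 * headers without options, differing only in the flags byte. */
#define NSEG 4
static const uint8_t crafted_flags[NSEG] = {
    TH_SYN,                      /* 0x02: ordinary SYN probe            */
    TH_SYN | TH_CWR,             /* 0x82: the advisory's "130" example  */
    TH_SYN | TH_CWR | TH_ECE,    /* 0xc2: both reserved bits set        */
    TH_SYN | TH_ACK,             /* 0x12: SYN/ACK reply, not a probe    */
};

static void build_segment(uint8_t seg[20], uint8_t flags)
{
    static const uint8_t hdr[20] = {
        0x30, 0x39,             /* source port 12345 (hypothetical) */
        0x00, 0x50,             /* destination port 80 */
        0x00, 0x00, 0x00, 0x01, /* sequence number */
        0x00, 0x00, 0x00, 0x00, /* acknowledgement number */
        0x50, 0x00,             /* data offset = 5 words; flags patched below */
        0xff, 0xff,             /* window */
        0x00, 0x00,             /* checksum (not computed for this demo) */
        0x00, 0x00,             /* urgent pointer */
    };
    for (int i = 0; i < 20; i++) seg[i] = hdr[i];
    seg[TCP_FLAGS_OFFSET] = flags;
}

/* Run a detector over the crafted segments and return how many it flags. */
int count_detected(int (*detect)(uint8_t))
{
    int hits = 0;
    for (int i = 0; i < NSEG; i++) {
        uint8_t seg[20];
        build_segment(seg, crafted_flags[i]);
        if (detect(tcp_flags(seg, sizeof seg))) hits++;
    }
    return hits;
}

int main(void)
{
    printf("pattern i)  flags == TH_SYN        : %d of %d SYNs seen\n",
           count_detected(weak_is_syn), NSEG);
    printf("pattern ii) flags & TH_SYN         : %d of %d SYNs seen\n",
           count_detected(bitwise_is_syn), NSEG);
    printf("hardened    (flags & 0x3f) == SYN  : %d of %d bare SYNs seen\n",
           count_detected(hardened_is_bare_syn), NSEG);
    return 0;
}
```

Pattern i) sees only the first segment; pattern ii) sees all four, including the SYN/ACK that a scan detector should not count; the masked comparison sees the three probes and ignores the SYN/ACK, which is the behaviour the advisory's `flag = flags & 0x3f;` line is meant to restore.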
P.S.: The IP header likewise has one more unused bit; strictly
speaking, it is not defined.
http://liger.fnetwork.com
Contact us: ligerteam@hotmail.com
-The Security LigerTeam 2000 Korea-