[13975] in bugtraq
Re: unused bit attack alert
daemon@ATHENA.MIT.EDU (Carlos García A)
Tue Feb 22 22:53:42 2000
Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Transfer-Encoding: 8bit
Message-Id: <38B2AFF0.13B9AD8@santandersupernet.com>
Date: Tue, 22 Feb 2000 16:49:04 +0100
Reply-To: Carlos García Argos <MDARGOS@SANTANDERSUPERNET.COM>
From: Carlos García Argos <MDARGOS@SANTANDERSUPERNET.COM>
X-To: BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
LigerTeam wrote:
> "unused bit attack"
>
> Our team discovered one problem;
> in some cases it's simple,
> but it could be a serious security problem
> in programming related to TCP/IP.
>
> In fact, the TCP header has 6 kinds of
> TCP flags (SYN, ACK, PSH, RST, FIN, URG).
>
> The problem is that the flag value in the TCP header
> is held in a 1-byte variable of type u_char.
> ex) see the tcp.h file
>
> Each flag value corresponds to 1 bit,
> but there are 2 unused bits.
>
> |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
Those 2 unused bits are exactly the ones QueSO uses to detect an operating
system: since there's no specified response to a TCP packet with those
bits on, it depends on the kind of TCP/IP stack the OS uses. More
information at http://apostols.org/projectz/queso/
--
---------------------------- <BoKeRoN> -------------------------------
-- < Carlos García Argos - Telecommunications Engineering student > --
-- < SuSE LiNUX 6.2 kernel 2.2.12 - Member of LiMA (LiNUX Malaga) > --
-- < Registered LiNUX user number 160070 > --
-- < IRC: @#malaga @#telecos_malaga @#linux-malaga @#teleco > --
-- < http://pagina.de/telecos_malaga >--< http://fly.to/bokeron > --
-- < FidoNet: 2:345/430.25 (Brother BBS) > --
----------------------------------------------------------------------
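The quoted diagram and the reply above describe the TCP flags byte with its two unassigned high bits and the OS-dependent replies that fingerprinting tools draw on. The following is an added example, not code from either poster or from QueSO: it decodes that byte from a raw 20-byte TCP header and classifies how a segment uses the formerly unused bits, the way a defender sweeping a capture for such probes would. It also carries the caveat a practitioner needs today: RFC 3168 later assigned those two bits to CWR and ECE, so a SYN with both set is now a legitimate ECN negotiation and no longer a reliable probe indicator. The header bytes are constructed inline as sample data; the verdict strings and the `classify`/`summarize` helpers are this example's own naming.

```python
import struct

# Bit masks for the TCP flags byte (byte 13 of the TCP header).
# The quoted diagram reads |unused|unused|URG|ACK|PSH|RST|SYN|FIN|; the
# two high bits were unassigned in 2000 and are CWR and ECE since RFC 3168.
FLAG_BITS = (
    (0x80, "CWR"),  # "unused" in the post's diagram
    (0x40, "ECE"),  # "unused" in the post's diagram
    (0x20, "URG"),
    (0x10, "ACK"),
    (0x08, "PSH"),
    (0x04, "RST"),
    (0x02, "SYN"),
    (0x01, "FIN"),
)
FORMER_UNUSED_MASK = 0xC0  # the two bits the thread is about
SYN, ACK, CWR, ECE = 0x02, 0x10, 0x80, 0x40


def decode_flags(flags_byte):
    """Return the names of the bits set in a TCP flags byte, high bit first."""
    return [name for mask, name in FLAG_BITS if flags_byte & mask]


def build_tcp_header(src_port, dst_port, flags, reserved_nibble=0):
    """Constructed 20-byte TCP header with no options (sample data, not a capture)."""
    data_offset_byte = (5 << 4) | (reserved_nibble & 0x0F)  # 5 words + reserved bits
    return struct.pack("!HHIIBBHHH",
                       src_port, dst_port,
                       0, 0,                    # sequence and acknowledgement numbers
                       data_offset_byte, flags,
                       8192, 0, 0)              # window, checksum, urgent pointer


def classify(header):
    """Classify one TCP header by how it uses the bits the post calls unused."""
    if len(header) < 20:
        raise ValueError("TCP header must be at least 20 bytes")
    reserved_nibble = header[12] & 0x0F
    flags = header[13]
    if reserved_nibble:
        # The low nibble of byte 12 is still reserved and must be zero;
        # anything else is a malformed or deliberately odd segment.
        return "reserved-bits-set"
    if not flags & FORMER_UNUSED_MASK:
        return "normal"
    if flags == SYN | CWR | ECE:
        # Exactly the shape of an RFC 3168 ECN-setup SYN. In 2000 this was
        # unused-bit traffic; today it is a legitimate ECN negotiation, so a
        # rule that alerts on this alone will misfire on ECN-capable hosts.
        return "ecn-setup-syn"
    if flags == SYN | ACK | ECE:
        return "ecn-setup-syn-ack"
    # Other uses of CWR/ECE are valid on established ECN connections; they are
    # only suspicious where no connection exists or ECN was never negotiated.
    return "ecn-bits-set"


def summarize(headers):
    """Count verdicts over a batch of headers, for a quick sweep of a capture."""
    counts = {}
    for h in headers:
        verdict = classify(h)
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


# Constructed sample headers (not from any real capture).
SAMPLE_HEADERS = [
    build_tcp_header(40000, 80, SYN),                      # plain SYN
    build_tcp_header(40001, 80, SYN | CWR | ECE),          # the post's case / ECN-setup SYN
    build_tcp_header(80, 40001, SYN | ACK | ECE),          # ECN-setup SYN-ACK
    build_tcp_header(40002, 80, SYN, reserved_nibble=0x5), # reserved nibble nonzero
    build_tcp_header(40003, 80, ACK | CWR),                # CWR on an ACK segment
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(f"{h[13]:#04x} {decode_flags(h[13])!r:24} -> {classify(h)}")
    print(summarize(SAMPLE_HEADERS))
```

Run it directly to see one verdict per sample header followed by the tally. The reserved nibble in byte 12 is checked separately from the flags byte because it remains unassigned, whereas the two high flag bits now carry ECN meaning and need the context of the rest of the handshake before they say anything about the sender.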