[13990] in bugtraq


Re: unused bit attack alert

daemon@ATHENA.MIT.EDU (antirez)
Wed Feb 23 15:10:55 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Message-Id:  <20000223131406.A187@nagash.suidshell.net>
Date:         Wed, 23 Feb 2000 13:14:06 +0100
Reply-To: antirez@linuxcare.com
From: antirez <antirez@LINUXCARE.COM>
X-To:         bugtraq@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <200002212236.OAA01744@daffy.ee.lbl.gov>; from vern@EE.LBL.GOV on
              Mon, Feb 21, 2000 at 02:36:17PM -0800

On Mon, Feb 21, 2000 at 02:36:17PM -0800, Vern Paxson wrote:
> > LigerTeam, strongly propose inserting of
> > solution code before the computing of flag
> > variable.
> >
> >   flag = flags & 0x3f;
>
> Otherwise you are still vulnerable to attackers setting legitimate flags
> in bogus combinations, such as adding URG to a SYN.

Also, since the valid TCP flag combinations are fixed
and just ~13, at the cost of some overhead you can simply
allow only these. An example is the ipt_unclean netfilter
module.
For LigerTeam: this is a known problem, please don't claim
you have discovered it (see the BUGTRAQ archive).

antirez

--
Salvatore Sanfilippo, Open Source Developer, Linuxcare Italia spa
+39.049.8024648 tel, +39.049.8036484 fax
antirez@linuxcare.com, http://www.linuxcare.com/
Linuxcare. Support for the revolution.
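Added example (not code from the thread, ipt_unclean or the poster): the two approaches discussed above side by side, a `flags & 0x3f` mask and a whitelist of valid flag combinations, showing that the mask still lets a bogus SYN|URG through while the whitelist rejects it. The whitelist below is an assumed list of well-formed combinations for illustration, not the module's actual table.

```c
#include <stdint.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>

/* TCP flag bits as found in the flags byte of the TCP header. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_PSH 0x08
#define TCP_ACK 0x10
#define TCP_URG 0x20
#define TCP_KNOWN_MASK 0x3f   /* the mask proposed in the thread */

/* Approach 1 from the thread: drop the two high bits and keep going.
 * Returns the value the filter would then evaluate. */
uint8_t mask_unused_bits(uint8_t flags) {
    return flags & TCP_KNOWN_MASK;
}

/* Approach 2: accept only combinations a well-formed segment can carry.
 * Assumed list for illustration; not ipt_unclean's actual table. */
static const uint8_t valid_combinations[] = {
    TCP_SYN,
    TCP_SYN | TCP_ACK,
    TCP_ACK,
    TCP_ACK | TCP_PSH,
    TCP_ACK | TCP_URG,
    TCP_ACK | TCP_PSH | TCP_URG,
    TCP_FIN | TCP_ACK,
    TCP_FIN | TCP_ACK | TCP_PSH,
    TCP_FIN | TCP_ACK | TCP_URG,
    TCP_FIN | TCP_ACK | TCP_PSH | TCP_URG,
    TCP_RST,
    TCP_RST | TCP_ACK,
};

/* Whitelist check on the raw byte: stray high bits and bogus
 * combinations such as SYN|URG both fail to match and are rejected. */
bool flags_are_valid(uint8_t flags) {
    for (size_t i = 0; i < sizeof valid_combinations; i++)
        if (flags == valid_combinations[i]) return true;
    return false;
}

int main(void) {
    /* Constructed probes: SYN with an unused bit, SYN|URG, a normal SYN|ACK. */
    uint8_t probes[] = { TCP_SYN | 0x40, TCP_SYN | TCP_URG, TCP_SYN | TCP_ACK };
    for (size_t i = 0; i < sizeof probes; i++)
        printf("flags 0x%02x: masked 0x%02x, whitelist %s\n", probes[i],
               mask_unused_bits(probes[i]),
               flags_are_valid(probes[i]) ? "accept" : "reject");
    return 0;
}
```

The two high bits were assigned to ECN (CWR and ECE) by RFC 3168 the year after this thread, so a strict whitelist of this kind has to be extended for stacks that negotiate ECN.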
