[7854] in bugtraq
Re: Borderware predictable initial TCP sequence numbers
daemon@ATHENA.MIT.EDU (Gigi Sullivan)
Wed Sep 2 11:04:37 1998
Date: Wed, 2 Sep 1998 10:56:52 +0200
Reply-To: Gigi Sullivan <sullivan@SECLAB.COM>
From: Gigi Sullivan <sullivan@SECLAB.COM>
X-To: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To: <Version.32.19980828181855.01023b10@192.168.124.1>
Hello there,
This can be applied also to Firewall-1 (CheckPoint) running on an
HP-UX 10.X series.
bye bye
-- gg sullivan
--
Lorenzo Cavallaro
Intesis SECURITY LAB Phone: +39-2-671563.1
Via Settembrini, 35 Fax: +39-2-66981953
I-20124 Milano ITALY Email: sullivan@seclab.com
On Tue, 1 Sep 1998, Roy Hills wrote:
> Date: Tue, 1 Sep 1998 09:55:24 +0100
> From: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
> To: BUGTRAQ@NETSPACE.ORG
> Subject: Borderware predictable initial TCP sequence numbers
>
> While performing an Internet security scan (aka penetration test) for a UK
> corporate customer, I've discovered that version 5 of Borderware Firewall
> generates predictable initial TCP sequence numbers in response to incoming
> SYNs. The observed pattern is the familiar "64k increments" often seen
> on older Unix kernels. This allows TCP connections to be established
> with a spoofed source address.
[snip]
>
> --
> Roy Hills Tel: 01634 721855
> NTA Monitor Ltd FAX: 01634 721844
> 6 Beaufort Court, Medway City Estate, Email: Roy.Hills@nta-monitor.com
> Rochester, Kent ME2 4FB, UK WWW: http://www.nta-monitor.com/
>
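For anyone auditing their own perimeter devices for the pattern discussed in this thread, the following is an added example and not part of either message: it takes ISNs recorded in order from the SYN-ACKs a host returned and reports whether successive values advance in multiples of one common step, as "64k increments" would. The sample values are constructed, and the 64000 step and the `min_step` threshold are assumptions.

```python
from functools import reduce
from math import gcd

MOD = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed samples (not captured from any product).
# Steps of 64000, 128000, 64000, 192000, crossing the 32-bit wrap.
LEGACY_STYLE = [4294836224, 4294900224, 60928, 124928, 316928]
# Same step between every pair of connections.
CONSTANT_STEP = [1000, 65000, 129000, 193000]
# Deltas with no common factor, as a randomised generator would give.
RANDOMISED = [100, 2000000101, 4000000103, 1205032807]


def isn_deltas(isns):
    """Differences between consecutive ISNs, modulo 2^32."""
    return [(b - a) % MOD for a, b in zip(isns, isns[1:])]


def assess_isns(isns, min_step=1024):
    """Classify ISNs sampled in order from one host's SYN-ACKs.

    Returns (verdict, step). min_step is an assumed threshold: a common
    divisor this large across all deltas is not plausible for random ISNs.
    """
    deltas = isn_deltas(isns)
    if len(deltas) < 3:
        raise ValueError("need at least 4 samples")
    if len(set(deltas)) == 1:
        return ("constant", deltas[0])
    step = reduce(gcd, deltas)
    if step >= min_step:
        return ("fixed-step", step)
    return ("no-fixed-step", step)


if __name__ == "__main__":
    for name, sample in [("legacy-style", LEGACY_STYLE),
                         ("constant", CONSTANT_STEP),
                         ("randomised", RANDOMISED)]:
        print(name, assess_isns(sample))
```

A "no-fixed-step" verdict on a handful of samples only rules out this one pattern; it is not evidence that the generator is unpredictable.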