[7914] in bugtraq


Re: Borderware predictable initial TCP

daemon@ATHENA.MIT.EDU (Roy Hills)
Wed Sep 9 12:09:36 1998

Date: 	Wed, 9 Sep 1998 11:21:13 +0100
Reply-To: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
From: Roy Hills <Roy.Hills@NTA-MONITOR.COM>
X-To:         "Ivan Arce,CORE SDI" <ivan@securenetworks.com>
To: BUGTRAQ@NETSPACE.ORG
In-Reply-To:  <Pine.BSI.3.96.980908202933.23627A-100000@silence>

At 20:31 08/09/98 -0600, Ivan Arce,CORE SDI wrote:
>Hmmm
>NT+SP3, Pentium 233Mhz
>How exploitable does this look:
>
> [List of consistent, predictable TCP sequence numbers deleted]
>

Looks like I was too quick to dismiss a one-per-millisecond sequence
as "not predictable in the real world"!  Thanks for correcting me.

I've also got a feeling that it may be possible to send multiple ACKs to the
server and the incorrect ones might just get ignored - if this is true, then it
would be possible to "bracket" the predicted sequence no. with multiple
ACKs to increase the chance of success.  Does anyone know if this is
really the case?

Roy Hills
NTA Monitor Ltd
--
Roy Hills                                    Tel:   01634 721855
NTA Monitor Ltd                              FAX:   01634 721844
6 Beaufort Court, Medway City Estate,        Email: Roy.Hills@nta-monitor.com
Rochester, Kent ME2 4FB, UK                  WWW:   http://www.nta-monitor.com/
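The one-per-millisecond counter discussed above is the kind of ISN generator that shrinks a 32-bit guess to a handful of candidates. As an added example (not from the original post, nor Borderware's or NTA Monitor's code), this Python script fits a linear model to constructed (time, ISN) samples and reports how narrow the resulting guess window is, the same sort of check nmap's sequence-predictability test runs against your own hosts. The sample values and function names are assumptions.

```python
import math

MOD = 1 << 32  # TCP sequence numbers are 32-bit and wrap around

# Constructed samples (time_ms, ISN) as if gathered by connecting repeatedly to
# one of your own hosts. Hypothetical values, not taken from the original thread.
COUNTER_HOST = [  # mimics a counter that ticks about once per millisecond
    (0, 0xFFFFFF00), (500, 0x000000F4), (1000, 0x000002EA),
    (1500, 0x000004DB), (2000, 0x000006D0),
]
RANDOM_HOST = [   # mimics per-connection randomised ISNs
    (0, 0x1A2B3C4D), (500, 0x8F00E121), (1000, 0x33D4C5AA),
    (1500, 0xC0FFEE00), (2000, 0x5EADBEEF),
]


def unwrap(samples):
    """Resolve 32-bit wraparound so successive ISNs form a monotone series."""
    ys = [samples[0][1]]
    for (_, prev), (_, cur) in zip(samples, samples[1:]):
        ys.append(ys[-1] + (cur - prev) % MOD)  # forward distance mod 2**32
    return ys


def fit_line(samples):
    """Least-squares fit isn = a + b*t (b in sequence units per millisecond)."""
    ts, ys = [t for t, _ in samples], unwrap(samples)
    n = len(ts)
    mt, my = sum(ts) / n, sum(ys) / n
    b = sum((t - mt) * (y - my) for t, y in zip(ts, ys)) / sum((t - mt) ** 2 for t in ts)
    return my - b * mt, b


def max_residual(samples):
    """Largest distance between an observed ISN and the linear model."""
    a, b = fit_line(samples)
    ts = [t for t, _ in samples]
    return max(abs(y - (a + b * t)) for t, y in zip(ts, unwrap(samples)))


def uncertainty_bits(samples):
    """log2 of the window an observer must search; 32 would mean fully random."""
    return min(32.0, math.log2(2 * max_residual(samples) + 1))


if __name__ == "__main__":
    for name, s in (("counter", COUNTER_HOST), ("random", RANDOM_HOST)):
        a, b = fit_line(s)
        print(f"{name}: {b:.3f} seq/ms, worst-case error {max_residual(s):.0f}, "
              f"~{uncertainty_bits(s):.1f} bits of uncertainty")
```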
