Irix and TCP implementation

From: TeSd (tesdat_private)
Date: Fri Dec 10 1999 - 14:31:20 PST


    Hello,
    
    Please excuse me if this is already posted.
    
    I was playing at hijacking some telnet sessions in my domain when
    I came across something very strange. It seems that something
    is going wrong in Irix systems (at least on Irix 6.3, where my
    tests were taking place) in the TCP implementation. To
    focus on the problem, let's look at the tcpdump output that follows.
    There is a normal telnet connection between an O2 (with Irix
    6.3) and a Linux box (2.0.31 kernel). On the O2 runs the client and
    on Linux the telnet daemon. I am sniffing the local network from
    the side of the O2 and pushing my data to the Linux box. After the
    hijacking I switch to the console of the normal user (the owner
    of the telnet session) and type keystrokes. After pushing
    some buttons the user sees on his/her display the data that the
    hijacker pushed and is ready to continue his/her session with
    no problem at all...
    
    tcpdump: listening on ec0
    O2.4968 > linux.telnet: P 642880162:642880163(1) ack 3094036674 win 61320
    (DF)
    linux.telnet > O2.4968: P 1:2(1) ack 1 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 2 win 61320 (DF)
    O2.4968 > linux.telnet: P 1:2(1) ack 2 win 61320 (DF)
    linux.telnet > O2.4968: P 2:3(1) ack 2 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 3 win 61320 (DF)
    O2.4968 > linux.telnet: P 2:3(1) ack 3 win 61320 (DF)
    linux.telnet > O2.4968: P 3:4(1) ack 3 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 4 win 61320 (DF)
    O2.4968 > linux.telnet: P 3:4(1) ack 4 win 61320 (DF)
    linux.telnet > O2.4968: P 4:5(1) ack 4 win 32736 (DF)
    
            START-OF-HIJACKING
    O2.4968 > linux.telnet: P 4:14(10) ack 4 win 8759
    O2.4968 > linux.telnet: P 14:51(37) ack 4 win 8759
            END-OF-HIJACKING
    
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
            ACK-STORM-IN-PROGRESS
    O2.4968 > linux.telnet: P 4:5(1) ack 5 win 61320 (DF)
    O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
            ACK-STORM-IN-PROGRESS
    linux.telnet > O2.4968: P 4:5(1) ack 51 win 32736 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
            ACK-STORM-IN-PROGRESS
    O2.4968 > linux.telnet: P 5:6(1) ack 5 win 61320 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
            ACK-STORM-IN-PROGRESS
    linux.telnet > O2.4968: P 4:5(1) ack 51 win 32736 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    linux.telnet > O2.4968: . ack 51 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 112 win 61320 (DF)
                                  ^
                                  what is this????
    
    O2.4968 > linux.telnet: P 51:53(2) ack 112 win 61320 (DF)
                              ^
                              And this???
    
    linux.telnet > O2.4968: P 112:116(4) ack 53 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 116 win 61320 (DF)
    linux.telnet > O2.4968: P 116:125(9) ack 53 win 32736 (DF)
    O2.4968 > linux.telnet: . ack 125 win 61320 (DF)
    
    The session is no longer hijacked and the user that telneted
    to the Linux box is now ready to send his/her commands as if nothing
    happened.
    I do not have the Irix 6.3 source code so I can't say where
    the problem exactly is. The sure thing is that this poses a
    great security risk. All that is needed is a few lines of code
    and imagination.
    
    -->tesd or tesdx0r it makes no difference
    -->The reason is always the priority.
    -->http://www.hack.gr/users/tesd.
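As an added example (not code from the post or from SGI), the symptoms visible in the trace above can be checked mechanically from tcpdump output: a parser for the old tcpdump line format, followed by three checks over the parsed segments: duplicate-ACK runs (the ACK storm), data segments re-sent for ranges the peer has already acknowledged (two endpoints talking past each other), and an acknowledgement that advances past anything the peer was seen to send (the `ack 112` the post asks about). The sample input is the trace from the post with its annotation lines removed. The handling of tcpdump's absolute-then-relative numbering (first segment of a flow printed absolute, later segments relative, the peer's relative ack starting at 1) follows the convention visible in that trace and is an assumption about tcpdump's output, not something the post states.

```python
"""Post-hoc checks for the hijack symptoms in the tcpdump output above: ACK
storms, data re-sent for ranges the peer already acknowledged, and acks for
data that never crossed the wire.  Added example, not code from the post."""
import re

# Old tcpdump line shape: "src > dst: FLAGS [seq:end(len)] ack N win W [(DF)]"
SEG_RE = re.compile(
    r"^(?P<src>\S+) > (?P<dst>\S+): [A-Z.]+ "
    r"(?:(?P<seq>\d+):(?P<end>\d+)\((?P<len>\d+)\) )?ack (?P<ack>\d+) win (?P<win>\d+)")

# Sample input: the trace from the post, with its annotation lines removed.
TRACE = """\
O2.4968 > linux.telnet: P 642880162:642880163(1) ack 3094036674 win 61320 (DF)
linux.telnet > O2.4968: P 1:2(1) ack 1 win 32736 (DF)
O2.4968 > linux.telnet: . ack 2 win 61320 (DF)
O2.4968 > linux.telnet: P 1:2(1) ack 2 win 61320 (DF)
linux.telnet > O2.4968: P 2:3(1) ack 2 win 32736 (DF)
O2.4968 > linux.telnet: . ack 3 win 61320 (DF)
O2.4968 > linux.telnet: P 2:3(1) ack 3 win 61320 (DF)
linux.telnet > O2.4968: P 3:4(1) ack 3 win 32736 (DF)
O2.4968 > linux.telnet: . ack 4 win 61320 (DF)
O2.4968 > linux.telnet: P 3:4(1) ack 4 win 61320 (DF)
linux.telnet > O2.4968: P 4:5(1) ack 4 win 32736 (DF)
O2.4968 > linux.telnet: P 4:14(10) ack 4 win 8759
O2.4968 > linux.telnet: P 14:51(37) ack 4 win 8759
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
O2.4968 > linux.telnet: P 4:5(1) ack 5 win 61320 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: P 4:5(1) ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
O2.4968 > linux.telnet: P 5:6(1) ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: P 4:5(1) ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 112 win 61320 (DF)
O2.4968 > linux.telnet: P 51:53(2) ack 112 win 61320 (DF)
linux.telnet > O2.4968: P 112:116(4) ack 53 win 32736 (DF)
O2.4968 > linux.telnet: . ack 116 win 61320 (DF)
linux.telnet > O2.4968: P 116:125(9) ack 53 win 32736 (DF)
O2.4968 > linux.telnet: . ack 125 win 61320 (DF)
"""

def parse_trace(text):
    """Segments as dicts with relative seq/end/ack.  Assumed tcpdump convention:
    a flow's first segment is printed with absolute numbers and later ones
    relative to it (the peer's relative ack starts at 1), so the first
    segment seen from a side sets the bases; everything after is relative."""
    base, segs = {}, []
    for n, line in enumerate(text.splitlines(), 1):
        m = SEG_RE.match(line.strip())
        if not m:
            continue  # annotation lines such as START-OF-HIJACKING
        src, dst, length = m["src"], m["dst"], int(m["len"] or 0)
        seq = int(m["seq"]) if m["seq"] else None
        end = int(m["end"]) if m["end"] else None
        ack, win = int(m["ack"]), int(m["win"])
        if src not in base:  # first segment seen from this side: rebase it
            base[src] = seq if seq is not None else 0
            base.setdefault(dst, ack - 1)
            ack -= base[dst]
            if seq is not None:
                seq, end = seq - base[src], end - base[src]
        segs.append(dict(line=n, src=src, dst=dst, seq=seq, end=end,
                         len=length, ack=ack, win=win))
    return segs

def analyze(text):
    """Run all three checks; line numbers are 1-based within the trace text."""
    last, acked, seen_end = {}, {}, {}  # per endpoint: last (ack, win) it sent,
    # highest ack the peer sent for its data, highest sequence byte seen from it
    dups, run, best, stale, unseen = 0, 0, 0, [], []
    for s in parse_trace(text):
        src, dst, ack = s["src"], s["dst"], s["ack"]
        prev = last.get(src, (0, 0))
        # 1. duplicate ACK: zero-length segment repeating the sender's last ack/win
        dup = s["len"] == 0 and prev == (ack, s["win"])
        run = run + 1 if dup else 0
        dups, best = dups + dup, max(best, run)
        # 2. stale data: the peer already acknowledged this entire range
        acked[dst] = max(acked.get(dst, 0), ack)
        if s["len"] and s["end"] <= acked.get(src, 0):
            stale.append(s["line"])
        # 3. ack advancing past anything the peer was ever seen to send
        if s["len"]:
            seen_end[src] = max(seen_end.get(src, 0), s["end"])
        if dst in seen_end and ack > seen_end[dst] and ack > prev[0]:
            unseen.append((s["line"], ack, seen_end[dst]))
        last[src] = (ack, s["win"])
    return {"dup_acks": dups, "longest_dup_run": best,
            "stale_data_lines": stale, "acks_of_unseen": unseen}
```

Calling `analyze(TRACE)` on this sample reports 13 duplicate ACKs with a longest run of 5 (the alternating `ack 5` / `ack 51` exchange the post marks as the ACK storm), four data segments re-sent for ranges the other side had already acknowledged (trace lines 18, 21, 24 and 27: the user's keystrokes at 4:5 and 5:6 and the server's echo at 4:5, each discarded by a peer that has moved on), and one acknowledgement that advances past everything observed from the peer: the `ack 112` on line 33, when only 5 bytes had been seen from the server. In a live capture the last two checks are the ones worth alerting on; a duplicate-ACK run by itself also occurs during ordinary loss recovery.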
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:20:41 PDT