unused bit attack alert

From: LigerTeam (archiverat_private)
Date: Mon Feb 21 2000 - 07:43:54 PST


    
     LigerTeam Advisory
    
      "unused bit attack"
    
    Our Team discovered one problem; in some cases it is simple,
    but it could be a serious security problem
    in programming related to TCP/IP.
    
    In fact, the TCP header carries 6 kinds of
    TCP flag (SYN, ACK, PSH, RST, FIN, URG).
    
    The problem is that the flag value in the TCP header
    is stored in a 1-byte variable of type u_char
    (see the tcp.h file).
    
    Each flag corresponds to 1 bit,
    but the byte has 2 unused bits:
    
    |unused|unused|URG|ACK|PSH|RST|SYN|FIN|
    
    Understanding the problem is simple.
    Let's compare two code patterns, as found in
    several SYN scan detector programs:
    
     i) if ( flag == TH_SYN )
    
     ii) if ( flag & TH_SYN )
    
    (TH_SYN is the constant for the SYN flag.)
    
    Code i) is true only when the SYN flag bit
    is set to 1 and every other bit is 0,
    i.e. the flag value is 0x2,
    or |0|0|0|0|0|0|1|0| in bits.
    
    Code ii) is true whenever the SYN flag bit
    (the TH_SYN value within flags) is set to 1;
    the state of the other bits has no influence.
    
    From this, one very important thing
    is easy to see.
    
    If hackers set one or both of the two higher
    bits (the unused bits) to 1,
    code pattern ii) still evaluates true,
    but code pattern i) evaluates false,
    and the hackers evade the scan detector.
    
    
    When the highest bit is set to 1
    together with the SYN flag bit, the flag
    variable is
    |1|0|0|0|0|0|1|0|   = 130 (0x82)
    
    Under the comparison in code i) this no longer
    matches the TH_SYN value, so the if statement
    evaluates false.
    
    Moreover, since TCP/IP code works with bitwise
    operations, the stack still accepts the packet
    as a SYN: the SYN flag bit alone is what counts,
    and it is still set to 1.
    
    Conclusion:
    
    When the flags variable from the TCP header is
    compared in full against a given value,
    the higher two bits (the unused bits) must first
    be cleared, i.e. set to 0.
    
    Solution:
    
    LigerTeam strongly proposes inserting the
    following line before the flag
    variable is evaluated:
    
      flag = flags & 0x3f;
    
    Weak program :
    
    At this time, the main technical papers on
    the RTSD (Real Time Scan Detecter) distributed by
    CERT-KR show a representative weak case.
    They say that a (bare) TCP SYN packet is captured
    when the condition is
    tcp[13] == 2 (SYN).
    This is the very point.
    We thought that other SYN packet sensing
    tools had fallen into a similar situation.
    We have simply tested several firewalls
    which might contain that kind of problem
    and have gotten the result that there
    was no problem in our view.
    
    All TCP/IP-related security programs using
    the previous code pattern i) are weak, e.g.
    if (flag == (TH_SYN | TH_ACK)) etc.
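The comparison of patterns i) and ii) above, the proposed `flag = flags & 0x3f` fix, and the `TH_SYN | TH_ACK` variant, worked through in C as an added example that is not part of the LigerTeam advisory. The TH_* values match the standard tcp.h macros; the 20-byte TCP header is a constructed sample whose flags byte is the 130 (0x82) case from the advisory.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits, same values as the TH_* macros in tcp.h. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
/* The advisory's proposed mask: keeps the six defined bits, clears the two unused high bits. */
#define TH_DEFINED_MASK 0x3f

/* Pattern i): exact comparison. Any set unused bit makes this false for a real SYN. */
bool syn_exact(uint8_t flags)   { return flags == TH_SYN; }
/* Pattern ii): bit test. The unused bits have no influence. */
bool syn_bittest(uint8_t flags) { return (flags & TH_SYN) != 0; }
/* Pattern i) after the fix (flag = flags & 0x3f): exact match on the defined bits only. */
bool syn_masked(uint8_t flags)  { return (flags & TH_DEFINED_MASK) == TH_SYN; }
/* The SYN|ACK check named at the end of the advisory, weak and fixed forms. */
bool synack_exact(uint8_t flags)  { return flags == (TH_SYN | TH_ACK); }
bool synack_masked(uint8_t flags) { return (flags & TH_DEFINED_MASK) == (TH_SYN | TH_ACK); }

/* The flags byte is byte 13 of the TCP header (tcp[13] in the filter condition quoted above). */
uint8_t tcp_flags_byte(const uint8_t *tcp_hdr) { return tcp_hdr[13]; }

/* Constructed sample header (not a capture): ports 40000 -> 80, data offset 5,
 * flags byte 0x82 = highest unused bit set together with SYN, the 130 case from the advisory. */
static const uint8_t sample_syn_hdr[20] = {
    0x9c, 0x40, 0x00, 0x50,  /* source port 40000, destination port 80 */
    0x00, 0x00, 0x00, 0x01,  /* sequence number */
    0x00, 0x00, 0x00, 0x00,  /* acknowledgement number */
    0x50, 0x82,              /* data offset 5 (20 bytes), flags 0x82 */
    0xff, 0xff, 0x00, 0x00,  /* window, checksum (not computed here) */
    0x00, 0x00               /* urgent pointer */
};

int main(void) {
    uint8_t f = tcp_flags_byte(sample_syn_hdr);
    /* prints: flags=0x82 exact=0 bittest=1 masked=1 */
    printf("flags=0x%02x exact=%d bittest=%d masked=%d\n",
           f, syn_exact(f), syn_bittest(f), syn_masked(f));
    return 0;
}
```

For the tcp[13] == 2 filter condition quoted above, the same fix is to mask before comparing, i.e. the pcap filter expression `tcp[13] & 0x3f = 2`.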
    
    PS: IP also has one more bit that is not used.
        Strictly speaking, it is not defined.
    
    
    
     http://liger.fnetwork.com
    
     Contact us: ligerteamat_private
    
    
    -The Security LigerTeam 2000 Korea-
    
    
    



    This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:36:12 PDT