ipfilter denial of service problem

From: Yiming Gong (yimingat_private)
Date: Sun Jan 05 2003 - 19:15:40 PST


    Below is an ipfilter security issue, and my previous mail to author
    Darren was bounced back, so I think maybe I should mail it to this
    mailing list.
    
    Overview
    --
    Any time ipfilter sees a packet with the ACK bit set without a previous SYN,
    it marks it as TCPS_ESTABLISHED in its state table, and since ipfilter
    will soon notice the RESET packet sent back by the system application,
    it then changes its ttl in the state table to 1 minute. OK, that's fine.
    
    But if an attacker sends a packet with the ACK bit set and a bad checksum,
    ipfilter will happily add an "ESTABLISHED" session into its state table
    which will wait 120 hours to time out instead of the normal 1 minute!
    
    So in this way an evil guy can easily destroy the network connection of
    any system with ipfilter installed in a few minutes!
    
    
    Proof of concept
    --
    [yimingat_private]#hping -s ip.of.spoofedandtrusted.box -A ip.of.target.box -p 22 -c 1 -b
    
    You will immediately see a long wait ttl of 120 hours, like this:
    
    security.zz.ha.cn,1235  server,22     4/0  tcp       1        40  119:59:48
    
    Affected Versions:
    --
    I've tested the following versions of ipfilter:
    
    IP Filter: v3.4.30 
    
    IP Filter: v3.4.29 (400)
    
    
    A Chinese version of this security issue is at
    
    http://security.zz.ha.cn 
    
    Best wishes!
     
    -- 
    I want a better life
    
    
    
    Yiming Gong 
    Senior System Administrator 
    China Netcom
    yimingat_private 
    http://security.zz.ha.cn 
    0086-371-7934907 
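The defensive side of the issue above, as an added example that is not part of the original post and not ipfilter's own code: a stateful filter must validate the TCP checksum before it creates state, because the host's stack will silently discard a segment with a bad checksum and so never send the RST that would shorten the entry. The script below models the behaviour the advisory describes with a toy state table (ACK without a prior SYN creates an ESTABLISHED entry with the 120-hour timeout, a RST from the host shortens it to 1 minute) and compares it with a hardened table that verifies the checksum first. The timeouts are the figures from the advisory; the addresses, port numbers and the state-table model itself are constructed simplifications, not ipfilter internals.

```python
"""Checksum verification before firewall state creation (added illustration,
not ipfilter code). Models the advisory's behaviour with a toy state table
and shows that verifying the TCP checksum first keeps a segment the host
would discard from ever creating a long-lived ESTABLISHED entry."""
import socket
import struct

TH_RST = 0x04
TH_ACK = 0x10
ESTABLISHED_TTL = 120 * 3600   # seconds, figure from the advisory
RESET_TTL = 60                 # seconds, figure from the advisory

SPOOFED = "192.0.2.10"         # constructed "trusted" source (documentation range)
TARGET = "198.51.100.5"        # constructed ipfilter-protected host


def internet_checksum(data: bytes) -> int:
    """RFC 1071 ones' complement checksum; odd lengths are zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def tcp_checksum(src_ip: str, dst_ip: str, segment: bytes) -> int:
    """Checksum over the IPv4 pseudo-header plus the segment, whose own
    checksum field (bytes 16..17) must be zero when this is called."""
    pseudo = struct.pack("!4s4sBBH", socket.inet_aton(src_ip),
                         socket.inet_aton(dst_ip), 0, socket.IPPROTO_TCP,
                         len(segment))
    return internet_checksum(pseudo + segment)


def build_segment(src_ip, dst_ip, sport, dport, flags) -> bytes:
    """Minimal 20-byte TCP header (no options, no payload), valid checksum."""
    hdr = struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags,
                      65535, 0, 0)
    csum = tcp_checksum(src_ip, dst_ip, hdr)
    return hdr[:16] + struct.pack("!H", csum) + hdr[18:]


def corrupt_checksum(segment: bytes) -> bytes:
    """Flip one bit of the stored checksum so verification must fail."""
    stored = struct.unpack("!H", segment[16:18])[0]
    return segment[:16] + struct.pack("!H", stored ^ 0x0001) + segment[18:]


def checksum_ok(src_ip: str, dst_ip: str, segment: bytes) -> bool:
    """Recompute with the checksum field zeroed and compare with the stored one."""
    stored = struct.unpack("!H", segment[16:18])[0]
    zeroed = segment[:16] + b"\x00\x00" + segment[18:]
    return tcp_checksum(src_ip, dst_ip, zeroed) == stored


class StateTable:
    """Toy stateful filter: entries map a 4-tuple to its remaining ttl (s)."""

    def __init__(self, verify_checksum: bool):
        self.verify_checksum = verify_checksum
        self.entries = {}

    def process(self, src_ip: str, dst_ip: str, segment: bytes) -> str:
        if self.verify_checksum and not checksum_ok(src_ip, dst_ip, segment):
            return "dropped"            # hardened path: no state for garbage
        sport, dport = struct.unpack("!HH", segment[:4])
        flags = segment[13]
        if flags & TH_RST:
            # the RST travels opposite to the entry it tears down
            reverse = (dst_ip, dport, src_ip, sport)
            if reverse in self.entries:
                self.entries[reverse] = RESET_TTL
                return "reset"
            return "no-state"
        if flags & TH_ACK:
            # behaviour from the advisory: ACK with no prior SYN is treated
            # as an established connection with the long idle timeout
            self.entries.setdefault((src_ip, sport, dst_ip, dport), ESTABLISHED_TTL)
            return "established"
        return "ignored"


def simulate(verify_checksum: bool) -> dict:
    """Run a good ACK and a bad-checksum ACK through the table; return ttls.
    The host's stack checks checksums itself, so only the good segment
    provokes the RST that shortens its entry."""
    table = StateTable(verify_checksum)
    good = build_segment(SPOOFED, TARGET, 1235, 22, TH_ACK)
    table.process(SPOOFED, TARGET, good)
    table.process(TARGET, SPOOFED, build_segment(TARGET, SPOOFED, 22, 1235, TH_RST))
    bad = corrupt_checksum(build_segment(SPOOFED, TARGET, 1236, 22, TH_ACK))
    table.process(SPOOFED, TARGET, bad)   # host discards it: no RST follows
    return {"good": table.entries.get((SPOOFED, 1235, TARGET, 22)),
            "bad": table.entries.get((SPOOFED, 1236, TARGET, 22))}


if __name__ == "__main__":
    print("naive   :", simulate(verify_checksum=False))   # bad entry keeps 432000 s
    print("hardened:", simulate(verify_checksum=True))    # bad entry never created
```

The naive table ends up with the bad-checksum flow at the full 120-hour ttl while the good flow was cut to 60 seconds by the host's RST; the hardened table never creates the bad entry at all. The same ordering applies to a real filter: the checksum check has to come before the state lookup, since anything that reaches the state table is already trusted to describe a real connection.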
    



    This archive was generated by hypermail 2b30 : Mon Jan 20 2003 - 17:42:39 PST