MiM Simultaneous close attack

From: Korhan Kaya (kkayaat_private)
Date: Tue Aug 14 2001 - 08:37:39 PDT

  • Next message: Jerry Vogler: "RE: Wireless Lans give EVERYONE ACCESS"

    MiM simultaneous CLOSE attack
    
    Revision 1.1
    
    For Public Release 2001 August 07 08:00 (GMT +0200)
    _________________________________________________________________
    
     Vulnerability :
            MiM simultaneous CLOSE attack
     Vendor :
            N/A
     Category :
            Man in the middle / Denial of service
     Date :
            08/07/2001
    Credits :
            Korhan Kaya <kkayaat_private>
            Document ID   :  MW-TCPMD-03
    
     Contents
    
     1 Summary
     2 Affected systems
     3 Details
     4 Results
     5 Solution
     6 Reproducing
     7 Vendor status
     8 References
     9 Disclaimer
    10 Contact
    
    1 Summary
    
      A Man in the middle attacker can cause network
      flood and denial of the service usage by sending
      2 TCP packets per connection.
    
    2 AFFECTED SYSTEMS
    
     This vulnerability is tested against following platforms
     and they are vulnerable.
    
     Linux kern-v2.4.x
     Microsoft Windows 2000 Server
     Microsoft Windows 2000 Workstation
     Microsoft Windows ME
     Microsoft Windows 98
    
    possibly other platforms are vulnerable.
    Pending platform reports.
    
    3 DETAILS
    
      It is possible for an attacker to open ethernet
      at promiscious mode and monitor network activity
      to collect SEQ and ACK's numbers of an active TCP
      connections.
    
      An attacker can trigger an ACK loop by sending a
      'spoofed' TCP packet with enabled ACK + FIN flags
      to source host and destination host of an active
      connection.
    
      TCP Stacks of client and server will acknowledge
      that the opposite side of the connection wants
      to close the connection. And hosts will immedately
      send ACK packets to complete the sequence.
    
      The vulnerability exploits at this point.
    
      Figure A :
    
        TCP A                MIM           TCP B
        1.ESTABLISHED                      ESTABLISHED
        2..            <-- [CTL=ACK+FIN]
        3.                   [CTL=ACK+FIN] -->
        4.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
        5.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
        ..
        ..
      1500.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
      1501.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
        ..
        ..
    
    4 RESULTS
    
      Result of this attack is continious loop of ACK packet
      traffic between client and server.After tranmitting
      MANY packets using maximum throughput , target
      connection will be lost. At this period client
      software and target service may lockup ,freeze or
      crash.
    
      Number of transmitted packets and the generated
      traffic depends on host locations.
    
      Attack becomes more effective if it is used against
      local connections such as local netbios/cifs traffic.
    
      if an attacker applies above scenario on an avarage
      network,every connection attempt from any host to
      any server will fail , the network transport will
      be saturated in a short time , the collusion
      rates will raise to extreme levels and the cpu
      consuming of computers which is connected to
      network are  increased up to %90 due to the
      packet traffic.
    
    5 SOLUTION
    
       Workaround
    
       none
    
    6 HOW TO REPRODUCE VULNERABILITY
    
       Vulnerability can be reporduced by using atached win32 binary.
       Download the zip file and follow the steps at the readme.txt
    
       http://195.244.37.241/mimsc.zip
    
    7 VENDOR STATUS
    
      Microsoft corp. is Informed at 07/30/2001 , no response received.
    
    8 REFERENCES
    
      RFC 761, Page 35+
      RFC 793
      ACK Storm http://www.insecure.org/stf/iphijack.txt  (see for Similar
    results)
    
    
    9 DISCLAIMER
    
      Korhan Kaya is not responsible for the misuse or illegal use of
      any of the information and/or the software listed on this
      security advisory.
    
      This text may be redistributed freely after the
      release date given at the top of the text, provided that
      redistributed copies are complete and unmodified.
    
    10 CONTACT
    
      Please send suggestions, updates, and comments to:
      kkayaat_private
    



    This archive was generated by hypermail 2b30 : Tue Aug 14 2001 - 08:50:15 PDT