Excuse my ignorance, but wouldn't a switched network be a remedy for this attack? Unless you are using some type of 'port mirroring' functionality (at the switch), the attacking computer sitting in promiscuous mode would only hear broadcast traffic. Right? Or am I missing something?

-----Original Message-----
From: Korhan Kaya [mailto:kkayaat_private]
Sent: Tuesday, August 14, 2001 8:38 AM
To: vuln-devat_private
Subject: MiM Simultaneous close attack

MiM simultaneous CLOSE attack
Revision 1.1
For Public Release 2001 August 07 08:00 (GMT +0200)
_________________________________________________________________

Vulnerability : MiM simultaneous CLOSE attack
Vendor        : N/A
Category      : Man in the middle / Denial of service
Date          : 08/07/2001
Credits       : Korhan Kaya <kkayaat_private>
Document ID   : MW-TCPMD-03

Contents

 1 Summary
 2 Affected systems
 3 Details
 4 Results
 5 Solution
 6 Reproducing
 7 Vendor status
 8 References
 9 Disclaimer
10 Contact

1 SUMMARY

A man-in-the-middle attacker can cause a network flood and denial of service by sending 2 TCP packets per connection.

2 AFFECTED SYSTEMS

This vulnerability is tested against the following platforms and they are vulnerable.

  Linux kern-v2.4.x
  Microsoft Windows 2000 Server
  Microsoft Windows 2000 Workstation
  Microsoft Windows ME
  Microsoft Windows 98

Possibly other platforms are vulnerable. Pending platform reports.

3 DETAILS

It is possible for an attacker to open the ethernet interface in promiscuous mode and monitor network activity to collect the SEQ and ACK numbers of active TCP connections. An attacker can trigger an ACK loop by sending a 'spoofed' TCP packet with the ACK + FIN flags enabled to the source host and the destination host of an active connection. The TCP stacks of client and server will acknowledge that the opposite side of the connection wants to close the connection, and the hosts will immediately send ACK packets to complete the sequence. The vulnerability is exploited at this point.

Figure A :

        TCP A                    MIM                    TCP B

  1.    ESTABLISHED                                     ESTABLISHED
  2.                <-- [CTL=ACK+FIN]
  3.                                 [CTL=ACK+FIN] -->
  4.    CLOSE-WAIT   --> <CTL=ACK> -->                  CLOSE-WAIT
  5.    CLOSE-WAIT   <-- <CTL=ACK> <--                  CLOSE-WAIT
  ..
  ..
  1500. CLOSE-WAIT   --> <CTL=ACK> -->                  CLOSE-WAIT
  1501. CLOSE-WAIT   <-- <CTL=ACK> <--                  CLOSE-WAIT
  ..
  ..

4 RESULTS

The result of this attack is a continuous loop of ACK packet traffic between client and server. After transmitting MANY packets at maximum throughput, the target connection will be lost. During this period the client software and the target service may lock up, freeze or crash. The number of transmitted packets and the generated traffic depend on host locations. The attack becomes more effective if it is used against local connections such as local NetBIOS/CIFS traffic.

If an attacker applies the above scenario on an average network, every connection attempt from any host to any server will fail, the network transport will be saturated in a short time, the collision rates will rise to extreme levels and the CPU consumption of the computers connected to the network increases up to 90% due to the packet traffic.

5 SOLUTION

Workaround: none

6 HOW TO REPRODUCE VULNERABILITY

The vulnerability can be reproduced by using the attached win32 binary. Download the zip file and follow the steps in the readme.txt

http://195.244.37.241/mimsc.zip

7 VENDOR STATUS

Microsoft Corp. was informed on 07/30/2001, no response received.

8 REFERENCES

RFC 761, Page 35+
RFC 793
ACK Storm http://www.insecure.org/stf/iphijack.txt (see for similar results)

9 DISCLAIMER

Korhan Kaya is not responsible for the misuse or illegal use of any of the information and/or the software listed on this security advisory. This text may be redistributed freely after the release date given at the top of the text, provided that redistributed copies are complete and unmodified.

10 CONTACT

Please send suggestions, updates, and comments to: kkayaat_private
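The advisory describes the symptom a defender can look for: after the two spoofed FIN+ACK segments, both ends of the connection keep exchanging pure ACK segments whose sequence and acknowledgement numbers never advance (Figure A, steps 4 through 1501). The following Python is an added example written for this archive page, not code from the advisory or its author; it applies that observation as a detection heuristic over a list of packet records. The record layout, the thresholds and the sample traffic are all constructed for the example. As the reply at the top notes, a sensor only sees this traffic if it sits on a mirrored switch port or otherwise in the path.

```python
"""Flag TCP connections whose pure-ACK traffic looks like an ACK storm.

Assumed record format (constructed for this example, not a real capture):
    (timestamp, src_ip, src_port, dst_ip, dst_port, flags, seq, ack, payload_len)
`flags` is a set of TCP flag names such as {"ACK"} or {"ACK", "PSH"}.
"""
from collections import defaultdict


def flow_key(src, sport, dst, dport):
    """Order the two endpoints so both directions share one bucket."""
    a, b = (src, sport), (dst, dport)
    return (a, b) if a <= b else (b, a)


def detect_ack_storms(packets, window=1.0, min_pure_acks=50, max_distinct_numbers=2):
    """Return [(flow_key, pure_ack_count, distinct_seq_ack_pairs), ...].

    A flow is reported when, inside any `window`-second span, it carries at
    least `min_pure_acks` segments that are ACK-only (no SYN/FIN/RST/PSH) with
    no payload, and those segments reuse at most `max_distinct_numbers`
    distinct (seq, ack) pairs. Normal acknowledgements advance seq/ack as data
    moves; the loop in the advisory repeats the same numbers indefinitely.
    """
    buckets = defaultdict(list)
    for ts, src, sport, dst, dport, flags, seq, ack, plen in packets:
        if flags == {"ACK"} and plen == 0:
            buckets[flow_key(src, sport, dst, dport)].append((ts, seq, ack))

    findings = []
    for key, events in buckets.items():
        events.sort()
        best = None  # (count, start_index, end_index) of the densest window
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, start, end)
        count, s, e = best
        if count < min_pure_acks:
            continue
        distinct = {(seq, ack) for _, seq, ack in events[s:e + 1]}
        if len(distinct) <= max_distinct_numbers:
            findings.append((key, count, len(distinct)))
    return findings


def build_sample():
    """Constructed traffic: one healthy transfer and one ACK loop."""
    pkts = []
    # Healthy: 10.0.0.1 pushes 60 data segments to 10.0.0.2:445, each acked.
    # The acknowledgement number advances with every segment.
    seq, peer_seq, t = 1000, 5000, 0.0
    for _ in range(60):
        pkts.append((t, "10.0.0.1", 40000, "10.0.0.2", 445, {"ACK", "PSH"}, seq, peer_seq, 100))
        seq += 100
        t += 0.005
        pkts.append((t, "10.0.0.2", 445, "10.0.0.1", 40000, {"ACK"}, peer_seq, seq, 0))
        t += 0.005
    # Storm: both ends of 10.0.0.3:1234 <-> 10.0.0.4:139 repeat frozen numbers.
    t = 0.0
    for _ in range(200):
        pkts.append((t, "10.0.0.3", 1234, "10.0.0.4", 139, {"ACK"}, 7000, 9000, 0))
        t += 0.002
        pkts.append((t, "10.0.0.4", 139, "10.0.0.3", 1234, {"ACK"}, 9000, 7000, 0))
        t += 0.002
    return pkts


if __name__ == "__main__":
    for key, count, distinct in detect_ack_storms(build_sample()):
        (a_ip, a_port), (b_ip, b_port) = key
        print(f"ACK storm suspected {a_ip}:{a_port} <-> {b_ip}:{b_port}: "
              f"{count} pure ACKs reusing {distinct} seq/ack pair(s)")
```

Only the looping connection is reported; the healthy transfer also produces 60 pure ACKs inside one second, but each carries a new acknowledgement number, so it fails the "frozen numbers" test. Tune `min_pure_acks` and `window` to the link speed, since the advisory notes the loop runs at whatever throughput the path allows.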
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 09:18:59 PDT