RE: MiM Simultaneous close attack

From: big bon (vulndevat_private)
Date: Fri Aug 17 2001 - 11:08:58 PDT

Next message: David Schwartz: "RE: MiM Simultaneous close attack"

Previous message: Xyntrix: "Re: MiM Simultaneous close attack"
Maybe in reply to: Korhan Kaya: "MiM Simultaneous close attack"
Next in thread: Paul: "Re: MiM Simultaneous close attack"
Reply: Paul: "Re: MiM Simultaneous close attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

switched network is not security.  switches can be forced to dump packets to 
all ports just like a hub

>From: Malcolm Jack <Malcolmat_private>
>To: 'Korhan Kaya' <kkayaat_private>, vuln-devat_private
>Subject: RE: MiM Simultaneous close attack
>Date: Fri, 17 Aug 2001 09:01:11 -0700
>
>Excuse my ignorance, but wouldn't a switched network be a remedy for this
>attack?  Unless you are using some type of 'port mirroring' functionality
>(at the switch) the attacking computer sitting in promiscuous mode would
>only hear broadcast traffic.  Right? Or am I missing something?
>
>
>
>
>-----Original Message-----
>From: Korhan Kaya [mailto:kkayaat_private]
>Sent: Tuesday, August 14, 2001 8:38 AM
>To: vuln-devat_private
>Subject: MiM Simultaneous close attack
>
>
>MiM simultaneous CLOSE attack
>
>Revision 1.1
>
>For Public Release 2001 August 07 08:00 (GMT +0200)
>_________________________________________________________________
>
>  Vulnerability :
>         MiM simultaneous CLOSE attack
>  Vendor :
>         N/A
>  Category :
>         Man in the middle / Denial of service
>  Date :
>         08/07/2001
>Credits :
>         Korhan Kaya <kkayaat_private>
>         Document ID   :  MW-TCPMD-03
>
>  Contents
>
>  1 Summary
>  2 Affected systems
>  3 Details
>  4 Results
>  5 Solution
>  6 Reproducing
>  7 Vendor status
>  8 References
>  9 Disclaimer
>10 Contact
>
>1 Summary
>
>   A Man in the middle attacker can cause network
>   flood and denial of the service usage by sending
>   2 TCP packets per connection.
>
>2 AFFECTED SYSTEMS
>
>  This vulnerability is tested against following platforms
>  and they are vulnerable.
>
>  Linux kern-v2.4.x
>  Microsoft Windows 2000 Server
>  Microsoft Windows 2000 Workstation
>  Microsoft Windows ME
>  Microsoft Windows 98
>
>possibly other platforms are vulnerable.
>Pending platform reports.
>
>3 DETAILS
>
>   It is possible for an attacker to open ethernet
>   at promiscious mode and monitor network activity
>   to collect SEQ and ACK's numbers of an active TCP
>   connections.
>
>   An attacker can trigger an ACK loop by sending a
>   'spoofed' TCP packet with enabled ACK + FIN flags
>   to source host and destination host of an active
>   connection.
>
>   TCP Stacks of client and server will acknowledge
>   that the opposite side of the connection wants
>   to close the connection. And hosts will immedately
>   send ACK packets to complete the sequence.
>
>   The vulnerability exploits at this point.
>
>   Figure A :
>
>     TCP A                MIM           TCP B
>     1.ESTABLISHED                      ESTABLISHED
>     2..            <-- [CTL=ACK+FIN]
>     3.                   [CTL=ACK+FIN] -->
>     4.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
>     5.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
>     ..
>     ..
>   1500.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
>   1501.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
>     ..
>     ..
>
>4 RESULTS
>
>   Result of this attack is continious loop of ACK packet
>   traffic between client and server.After tranmitting
>   MANY packets using maximum throughput , target
>   connection will be lost. At this period client
>   software and target service may lockup ,freeze or
>   crash.
>
>   Number of transmitted packets and the generated
>   traffic depends on host locations.
>
>   Attack becomes more effective if it is used against
>   local connections such as local netbios/cifs traffic.
>
>   if an attacker applies above scenario on an avarage
>   network,every connection attempt from any host to
>   any server will fail , the network transport will
>   be saturated in a short time , the collusion
>   rates will raise to extreme levels and the cpu
>   consuming of computers which is connected to
>   network are  increased up to %90 due to the
>   packet traffic.
>
>5 SOLUTION
>
>    Workaround
>
>    none
>
>6 HOW TO REPRODUCE VULNERABILITY
>
>    Vulnerability can be reporduced by using atached win32 binary.
>    Download the zip file and follow the steps at the readme.txt
>
>    http://195.244.37.241/mimsc.zip
>
>7 VENDOR STATUS
>
>   Microsoft corp. is Informed at 07/30/2001 , no response received.
>
>8 REFERENCES
>
>   RFC 761, Page 35+
>   RFC 793
>   ACK Storm http://www.insecure.org/stf/iphijack.txt  (see for Similar
>results)
>
>
>9 DISCLAIMER
>
>   Korhan Kaya is not responsible for the misuse or illegal use of
>   any of the information and/or the software listed on this
>   security advisory.
>
>   This text may be redistributed freely after the
>   release date given at the top of the text, provided that
>   redistributed copies are complete and unmodified.
>
>10 CONTACT
>
>   Please send suggestions, updates, and comments to:
>   kkayaat_private
>
>
>
>


_________________________________________________________________
Get your FREE download of MSN Explorer at http://explorer.msn.com/intl.asp

Next message: David Schwartz: "RE: MiM Simultaneous close attack"
Previous message: Xyntrix: "Re: MiM Simultaneous close attack"
Maybe in reply to: Korhan Kaya: "MiM Simultaneous close attack"
Next in thread: Paul: "Re: MiM Simultaneous close attack"
Reply: Paul: "Re: MiM Simultaneous close attack"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 15:32:50 PDT