A switched network is not security. Switches can be forced to dump packets to all ports, just like a hub.

>From: Malcolm Jack <Malcolmat_private>
>To: 'Korhan Kaya' <kkayaat_private>, vuln-devat_private
>Subject: RE: MiM Simultaneous close attack
>Date: Fri, 17 Aug 2001 09:01:11 -0700
>
>Excuse my ignorance, but wouldn't a switched network be a remedy for this
>attack? Unless you are using some type of 'port mirroring' functionality
>(at the switch) the attacking computer sitting in promiscuous mode would
>only hear broadcast traffic. Right? Or am I missing something?
>
>-----Original Message-----
>From: Korhan Kaya [mailto:kkayaat_private]
>Sent: Tuesday, August 14, 2001 8:38 AM
>To: vuln-devat_private
>Subject: MiM Simultaneous close attack
>
>
>MiM simultaneous CLOSE attack
>
>Revision 1.1
>
>For Public Release 2001 August 07 08:00 (GMT +0200)
>_________________________________________________________________
>
>   Vulnerability : MiM simultaneous CLOSE attack
>   Vendor        : N/A
>   Category      : Man in the middle / Denial of service
>   Date          : 08/07/2001
>   Credits       : Korhan Kaya <kkayaat_private>
>   Document ID   : MW-TCPMD-03
>
>   Contents
>
>    1 Summary
>    2 Affected systems
>    3 Details
>    4 Results
>    5 Solution
>    6 Reproducing
>    7 Vendor status
>    8 References
>    9 Disclaimer
>   10 Contact
>
>1 Summary
>
>   A man-in-the-middle attacker can cause a network
>   flood and denial of service by sending
>   2 TCP packets per connection.
>
>2 AFFECTED SYSTEMS
>
>   This vulnerability was tested against the following platforms,
>   and they are vulnerable.
>
>   Linux kernel v2.4.x
>   Microsoft Windows 2000 Server
>   Microsoft Windows 2000 Workstation
>   Microsoft Windows ME
>   Microsoft Windows 98
>
>   Possibly other platforms are vulnerable.
>   Pending platform reports.
>
>3 DETAILS
>
>   It is possible for an attacker to open the ethernet interface
>   in promiscuous mode and monitor network activity
>   to collect the SEQ and ACK numbers of active TCP
>   connections.
>
>   An attacker can trigger an ACK loop by sending a
>   'spoofed' TCP packet with the ACK + FIN flags enabled
>   to the source host and destination host of an active
>   connection.
>
>   The TCP stacks of client and server will acknowledge
>   that the opposite side of the connection wants
>   to close the connection, and the hosts will immediately
>   send ACK packets to complete the sequence.
>
>   The vulnerability is exploited at this point.
>
>   Figure A :
>
>         TCP A                 MIM                 TCP B
>      1. ESTABLISHED                               ESTABLISHED
>      2.                <-- [CTL=ACK+FIN]
>      3.                    [CTL=ACK+FIN] -->
>      4. CLOSE-WAIT    --> <CTL=ACK> -->           CLOSE-WAIT
>      5. CLOSE-WAIT    <-- <CTL=ACK> <--           CLOSE-WAIT
>      ..
>      ..
>   1500. CLOSE-WAIT    --> <CTL=ACK> -->           CLOSE-WAIT
>   1501. CLOSE-WAIT    <-- <CTL=ACK> <--           CLOSE-WAIT
>      ..
>      ..
>
>4 RESULTS
>
>   The result of this attack is a continuous loop of ACK packet
>   traffic between client and server. After transmitting
>   MANY packets using maximum throughput, the target
>   connection will be lost. During this period client
>   software and the target service may lock up, freeze or
>   crash.
>
>   The number of transmitted packets and the generated
>   traffic depend on host locations.
>
>   The attack becomes more effective if it is used against
>   local connections such as local NetBIOS/CIFS traffic.
>
>   If an attacker applies the above scenario on an average
>   network, every connection attempt from any host to
>   any server will fail, the network transport will
>   be saturated in a short time, the collision
>   rate will rise to extreme levels and the CPU
>   consumption of computers connected to the
>   network will increase up to 90% due to the
>   packet traffic.
>
>5 SOLUTION
>
>   Workaround
>
>   none
>
>6 HOW TO REPRODUCE VULNERABILITY
>
>   The vulnerability can be reproduced by using the attached win32 binary.
>   Download the zip file and follow the steps in the readme.txt
>
>   http://195.244.37.241/mimsc.zip
>
>7 VENDOR STATUS
>
>   Microsoft Corp. was informed on 07/30/2001; no response received.
>
>8 REFERENCES
>
>   RFC 761, Page 35+
>   RFC 793
>   ACK Storm http://www.insecure.org/stf/iphijack.txt (see for similar results)
>
>
>9 DISCLAIMER
>
>   Korhan Kaya is not responsible for the misuse or illegal use of
>   any of the information and/or the software listed in this
>   security advisory.
>
>   This text may be redistributed freely after the
>   release date given at the top of the text, provided that
>   redistributed copies are complete and unmodified.
>
>10 CONTACT
>
>   Please send suggestions, updates, and comments to:
>   kkayaat_private
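Added example, not part of this thread or of Korhan Kaya's advisory: a small Python detector for the ACK loop that the advisory's Figure A describes, run over a constructed packet list instead of a live capture. It flags a flow when a burst of zero-payload ACK-only segments between two endpoints keeps repeating the same SEQ/ACK pairs, which is the on-the-wire symptom to alert on whether or not the triggering FIN+ACK was observed; all addresses, ports, sequence numbers and thresholds are made up.

```python
from collections import defaultdict, deque

# Packet record used by this constructed sample (not a pcap parser):
# (time_s, src_ip, src_port, dst_ip, dst_port, flags, seq, ack, payload_len); flags: "A" pure ACK, "PA" data, "FA" FIN+ACK.

def flow_key(p):
    """Direction-independent key so both halves of one connection share a bucket."""
    a, b = (p[1], p[2]), (p[3], p[4])
    return (a, b) if a <= b else (b, a)

def detect_ack_storms(packets, window_s=1.0, threshold=50):
    """Return {flow: largest burst of storm ACKs within window_s} for flows stuck in an ACK loop.

    Signature: many zero-payload ACK-only segments whose (seq, ack) fields never advance;
    healthy bare ACKs acknowledge new data, so their numbers keep moving.
    """
    recent = defaultdict(deque)   # flow -> deque of (time, seq, ack) for recent pure ACKs
    worst = {}
    for p in sorted(packets, key=lambda p: p[0]):
        t, flags, seq, ack, plen = p[0], p[5], p[6], p[7], p[8]
        if flags != "A" or plen != 0:
            continue              # data, SYN, FIN and RST segments are not storm traffic
        k = flow_key(p)
        q = recent[k]
        q.append((t, seq, ack))
        while t - q[0][0] > window_s:
            q.popleft()           # slide the window
        distinct = {(s, a) for _, s, a in q}
        if len(q) >= threshold and len(distinct) <= 2:   # one frozen pair per direction
            worst[k] = max(worst.get(k, 0), len(q))
    return worst

def sample_capture():
    """Constructed sample: one healthy SMB transfer plus one flow stuck in an ACK loop."""
    pkts, t = [], 0.0
    for i in range(60):           # healthy: 100-byte segments, each ACKed with advancing numbers
        pkts.append((t, "10.0.0.5", 40000, "10.0.0.9", 445, "PA", 1000 + 100 * i, 5000, 100))
        pkts.append((t + 0.005, "10.0.0.9", 445, "10.0.0.5", 40000, "A", 5000, 1100 + 100 * i, 0))
        t += 0.01
    # The out-of-window FIN+ACK that starts the loop (constructed); the detector skips it.
    pkts.append((0.0, "10.0.0.8", 50000, "10.0.0.7", 139, "FA", 123456, 654321, 0))
    t = 0.0
    for _ in range(100):          # loop: both hosts re-ACK the same numbers, two segments per 2 ms
        pkts.append((t, "10.0.0.7", 139, "10.0.0.8", 50000, "A", 3000, 7000, 0))
        pkts.append((t + 0.001, "10.0.0.8", 50000, "10.0.0.7", 139, "A", 7000, 3000, 0))
        t += 0.002
    return pkts

if __name__ == "__main__":
    for flow, n in detect_ack_storms(sample_capture()).items():
        print(f"ACK storm on {flow}: {n} pure ACKs with frozen SEQ/ACK inside 1 s")
```

The healthy flow sends 60 bare ACKs in the same window but is not flagged, because each one acknowledges new data and so the set of (seq, ack) pairs keeps growing.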
This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 15:32:50 PDT