RE: MiM Simultaneous close attack

From: big bon (vulndevat_private)
Date: Fri Aug 17 2001 - 11:08:58 PDT


    A switched network is not security.  Switches can be forced to dump packets to 
    all ports just like a hub.
    
    >From: Malcolm Jack <Malcolmat_private>
    >To: 'Korhan Kaya' <kkayaat_private>, vuln-devat_private
    >Subject: RE: MiM Simultaneous close attack
    >Date: Fri, 17 Aug 2001 09:01:11 -0700
    >
    >Excuse my ignorance, but wouldn't a switched network be a remedy for this
    >attack?  Unless you are using some type of 'port mirroring' functionality
    >(at the switch) the attacking computer sitting in promiscuous mode would
    >only hear broadcast traffic.  Right? Or am I missing something?
    >
    >
    >
    >
    >-----Original Message-----
    >From: Korhan Kaya [mailto:kkayaat_private]
    >Sent: Tuesday, August 14, 2001 8:38 AM
    >To: vuln-devat_private
    >Subject: MiM Simultaneous close attack
    >
    >
    >MiM simultaneous CLOSE attack
    >
    >Revision 1.1
    >
    >For Public Release 2001 August 07 08:00 (GMT +0200)
    >_________________________________________________________________
    >
    >  Vulnerability :
    >         MiM simultaneous CLOSE attack
    >  Vendor :
    >         N/A
    >  Category :
    >         Man in the middle / Denial of service
    >  Date :
    >         08/07/2001
    >Credits :
    >         Korhan Kaya <kkayaat_private>
    >         Document ID   :  MW-TCPMD-03
    >
    >  Contents
    >
    >  1 Summary
    >  2 Affected systems
    >  3 Details
    >  4 Results
    >  5 Solution
    >  6 Reproducing
    >  7 Vendor status
    >  8 References
    >  9 Disclaimer
    >10 Contact
    >
    >1 Summary
    >
    >   A Man in the middle attacker can cause network
    >   flood and denial of the service usage by sending
    >   2 TCP packets per connection.
    >
    >2 AFFECTED SYSTEMS
    >
    >  This vulnerability is tested against following platforms
    >  and they are vulnerable.
    >
    >  Linux kern-v2.4.x
    >  Microsoft Windows 2000 Server
    >  Microsoft Windows 2000 Workstation
    >  Microsoft Windows ME
    >  Microsoft Windows 98
    >
    >possibly other platforms are vulnerable.
    >Pending platform reports.
    >
    >3 DETAILS
    >
    >   It is possible for an attacker to open ethernet
    >   in promiscuous mode and monitor network activity
    >   to collect the SEQ and ACK numbers of active TCP
    >   connections.
    >
    >   An attacker can trigger an ACK loop by sending a
    >   'spoofed' TCP packet with enabled ACK + FIN flags
    >   to source host and destination host of an active
    >   connection.
    >
    >   TCP stacks of client and server will acknowledge
    >   that the opposite side of the connection wants
    >   to close the connection, and the hosts will immediately
    >   send ACK packets to complete the sequence.
    >
    >   The vulnerability is exploited at this point.
    >
    >   Figure A :
    >
    >     TCP A                MIM           TCP B
    >     1.ESTABLISHED                      ESTABLISHED
    >     2..            <-- [CTL=ACK+FIN]
    >     3.                   [CTL=ACK+FIN] -->
    >     4.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
    >     5.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
    >     ..
    >     ..
    >   1500.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
    >   1501.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
    >     ..
    >     ..
    >
    >4 RESULTS
    >
    >   The result of this attack is a continuous loop of ACK packet
    >   traffic between client and server. After transmitting
    >   MANY packets using maximum throughput, the target
    >   connection will be lost. During this period client
    >   software and the target service may lock up, freeze or
    >   crash.
    >
    >   The number of transmitted packets and the generated
    >   traffic depend on host locations.
    >
    >   The attack becomes more effective if it is used against
    >   local connections such as local netbios/cifs traffic.
    >
    >   If an attacker applies the above scenario on an average
    >   network, every connection attempt from any host to
    >   any server will fail, the network transport will
    >   be saturated in a short time, the collision
    >   rates will rise to extreme levels and the CPU
    >   consumption of computers connected to the
    >   network increases up to 90% due to the
    >   packet traffic.
    >
    >5 SOLUTION
    >
    >    Workaround
    >
    >    none
    >
    >6 HOW TO REPRODUCE VULNERABILITY
    >
    >    The vulnerability can be reproduced by using the attached win32 binary.
    >    Download the zip file and follow the steps at the readme.txt
    >
    >    http://195.244.37.241/mimsc.zip
    >
    >7 VENDOR STATUS
    >
    >   Microsoft corp. was informed on 07/30/2001; no response received.
    >
    >8 REFERENCES
    >
    >   RFC 761, Page 35+
    >   RFC 793
    >   ACK Storm http://www.insecure.org/stf/iphijack.txt (see for similar results)
    >
    >
    >9 DISCLAIMER
    >
    >   Korhan Kaya is not responsible for the misuse or illegal use of
    >   any of the information and/or the software listed on this
    >   security advisory.
    >
    >   This text may be redistributed freely after the
    >   release date given at the top of the text, provided that
    >   redistributed copies are complete and unmodified.
    >
    >10 CONTACT
    >
    >   Please send suggestions, updates, and comments to:
    >   kkayaat_private
    >
    >
    >
    >
    
    
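The advisory quoted above describes the symptom from the network's point of view: a run of payload-less ACK segments bouncing between the same two endpoints until the connection dies. The following is an added example, not code from this thread or from the MW-TCPMD-03 advisory, showing how a defender could spot that signature in a packet feed. The packet records, the flow key format ("ip:port"), the one-second window and the threshold of 100 pure ACKs are all constructed assumptions for the demonstration; a real deployment would feed it records from a capture library and tune the thresholds to the link.

```python
"""ACK-storm detector over a stream of TCP packet records.

Added example for the vuln-dev thread on the MiM simultaneous CLOSE
attack; it is NOT part of the thread or the advisory. An ACK storm shows
up as a long run of consecutive pure-ACK segments (flags exactly 'A',
zero payload) between one pair of endpoints inside a short time window.
Any segment that carries data or other flags ends the run, because a
healthy connection interleaves data with its ACKs.
"""
from collections import deque
from dataclasses import dataclass


@dataclass(frozen=True)
class Pkt:
    """Minimal packet record (constructed schema, not a capture-library type)."""
    ts: float          # timestamp in seconds
    src: str           # "ip:port" of the sender
    dst: str           # "ip:port" of the receiver
    flags: str         # TCP flag letters, e.g. "A", "PA", "FA", "S"
    payload_len: int   # bytes of TCP payload


def flow_key(p: Pkt):
    """Direction-agnostic key so both halves of the storm count as one flow."""
    return tuple(sorted((p.src, p.dst)))


def detect_ack_storm(packets, window=1.0, threshold=100):
    """Return [(flow, start_ts, count)] for each flow whose run of
    consecutive pure ACKs within `window` seconds reaches `threshold`.
    One alert per storm: a later data segment resets the flow."""
    runs = {}        # flow -> deque of timestamps of the current pure-ACK run
    alerted = set()  # flows already reported for the current run
    alerts = []
    for p in sorted(packets, key=lambda x: x.ts):
        k = flow_key(p)
        if p.flags != "A" or p.payload_len != 0:
            # Data, FIN, SYN, RST, ... : the connection is doing real work.
            runs.pop(k, None)
            alerted.discard(k)
            continue
        q = runs.setdefault(k, deque())
        q.append(p.ts)
        while q and p.ts - q[0] > window:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and k not in alerted:
            alerts.append((k, q[0], len(q)))
            alerted.add(k)
    return alerts


def sample_packets():
    """Constructed traffic: one healthy flow and one ACK storm."""
    pkts = []
    # Healthy HTTP-like flow: data segments interleaved with ACKs.
    a, b = "10.0.0.5:1100", "10.0.0.9:80"
    for i in range(20):
        pkts.append(Pkt(1.0 + i * 0.05, a, b, "PA", 512))
        pkts.append(Pkt(1.0 + i * 0.05 + 0.01, b, a, "A", 0))
    # Storm between an SMB client and server: 300 pure ACKs at 1 ms spacing,
    # alternating direction exactly as in Figure A of the advisory.
    c, s = "10.0.0.2:1025", "10.0.0.1:139"
    for i in range(300):
        src, dst = (c, s) if i % 2 == 0 else (s, c)
        pkts.append(Pkt(5.0 + i * 0.001, src, dst, "A", 0))
    return pkts


if __name__ == "__main__":
    for flow, start, count in detect_ack_storm(sample_packets()):
        print(f"ACK storm between {flow[0]} and {flow[1]} "
              f"starting at t={start:.3f}s ({count} pure ACKs in window)")
```

The check is deliberately rate-based rather than sequence-number-based: the quoted advisory's loop repeats the same SEQ/ACK values, but a detector keyed only on repeated numbers would also fire on ordinary retransmissions, while a long run of pure ACKs with no data in between is close to unique to a storm. Lowering the window or raising the threshold trades false positives for detection delay.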



    This archive was generated by hypermail 2b30 : Fri Aug 17 2001 - 15:32:50 PDT