Security Basics
mailing list archives
RE: TCP/IP CRC question
From: Simon Zuckerbraun <szucker () sst-pr-1 com>
Date: Wed, 13 Oct 2004 00:16:02 -0500
Clement,
Could you explain this for me a little more? I don't yet understand the
scenario. If the attacker is able to alter the data within the packet, I
would think that he'd also be able to alter the checksum to correspond.
In what scenario does the attacker have a need to find a collision?
Where have I gone wrong?
Thanks,
Simon
-----Original Message-----
From: Clement Dupuis [mailto:cdupuis () cccure org]
Sent: Friday, October 08, 2004 5:40 PM
To: miles () mstevenson org
Cc: security-basics () securityfocus com
Subject: RE: TCP/IP CRC question
Good day to all,
Lately I had a similar conversation with William Stearns and Joshua
Wright on CRC32 attacks on wireless networks. We always hear about
potential attacks that are possible but rarely see an example of a
collision. Joshua wrote a brute forcer that allowed him to find a
collision as follows for an SQL update statement:
-----------------------------------------------------------
"UPDATE payroll SET wage = 10.75 WHERE empno = 11"
This is what I'm going to call the "intended data", with a CRC of
0x954f8133. The adversary-modified data removes the decimal point and
changes the employee number to 18, terminating the SQL and adding a
comment to the UPDATE statement:
"UPDATE payroll SET wage = 1075 WHERE empno = 18; -- pN#j,"
Which has the same CRC as the previous statement.
----------------------------------------------------------------
Although not common, there are ways to get the same CRC32 values or a
collision if someone really wanted to attempt an attack. It only
requires a bit of programming and patience.
Clement
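
Added example, not part of the original thread and not Joshua Wright's tool: a receiver-side check showing the two cases the thread discusses, a rewritten payload with a recomputed checksum and a rewritten payload that keeps the original checksum, next to the same cases under a keyed HMAC. Assumptions: the zlib CRC-32 variant, a hypothetical payload-plus-trailing-tag frame layout, and a constructed key; whether the archived strings collide depends on the CRC variant and exact bytes, which the post does not give, so that result is printed rather than asserted.

```python
import hashlib
import hmac
import zlib

# The two statements quoted in the post (bytes as they appear in the archive).
INTENDED = b"UPDATE payroll SET wage = 10.75 WHERE empno = 11"
MODIFIED = b"UPDATE payroll SET wage = 1075 WHERE empno = 18; -- pN#j,"
KEY = b"constructed-demo-key"  # constructed sample key, shared by sender and receiver

def crc_seal(payload: bytes) -> bytes:
    """Append an unkeyed CRC-32 (zlib variant, an assumption) to the payload."""
    return payload + zlib.crc32(payload).to_bytes(4, "big")

def crc_verify(frame: bytes) -> bool:
    if len(frame) < 4:  # too short to carry a checksum at all
        return False
    return zlib.crc32(frame[:-4]).to_bytes(4, "big") == frame[-4:]

def mac_seal(payload: bytes, key: bytes) -> bytes:
    """Append an HMAC-SHA256 tag; only holders of the key can produce it."""
    return payload + hmac.new(key, payload, hashlib.sha256).digest()

def mac_verify(frame: bytes, key: bytes) -> bool:
    if len(frame) < 32:  # too short to carry a tag
        return False
    expected = hmac.new(key, frame[:-32], hashlib.sha256).digest()
    return hmac.compare_digest(expected, frame[-32:])  # constant-time compare

def swap_payload(frame: bytes, tag_len: int) -> bytes:
    """Frame after the payload is replaced but the original tag is kept."""
    return MODIFIED + frame[-tag_len:]

if __name__ == "__main__":
    # Case 1: checksum recomputed by whoever rewrote the payload (no key needed).
    print("CRC, checksum recomputed :", crc_verify(crc_seal(MODIFIED)))
    # Case 2: checksum field untouched; accepted only if the payloads collide.
    print("CRC, checksum kept       :", crc_verify(swap_payload(crc_seal(INTENDED), 4)))
    # Same two cases with a keyed tag; the rewriter does not know KEY.
    print("HMAC, tag from wrong key :", mac_verify(mac_seal(MODIFIED, b"guess"), KEY))
    print("HMAC, tag kept           :", mac_verify(swap_payload(mac_seal(INTENDED, KEY), 32), KEY))
```

The CRC check detects accidental corruption only; the HMAC check is what rejects a deliberate rewrite in both cases.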