Home page logo

bugtraq logo Bugtraq mailing list archives

Livingston Portmaster - ISN generation is loosy!
From: aleph1 () DFW NET (Aleph One)
Date: Tue, 30 Jun 1998 10:46:21 -0500

[ LISSTSERV did not grok Emmanuel's message to I am forwarding for him - a1 ]
Date:   Tue, 30 Jun 1998 06:32:33
Reply-To: manu () acm org
From:   Emmanuel Tychon <manu () acm org>
To:     bugtraq () netspace org
Subject: Livingston Portmaster - ISN generation is loosy!

Hello guys!

Making some hacks with Initial Sequence Numbers (ISN), i found something
really strange on Livingston Portmasters routers (running ComOS). It seems
that the ISN is always 127 :o

This is really annoying, because this is really a big security hole (think
about IP-Blind Spoofing), and more formally, it do not comply with RFC793.

RFC793 says:

  To avoid confusion we must prevent segments from one incarnation of a
  connection from being used while the same sequence numbers may still
  be present in the network from an earlier incarnation.  We want to
  assure this, even if a TCP crashes and loses all knowledge of the
  sequence numbers it has been using.  When new connections are created,
  an initial sequence number (ISN) generator is employed which selects a
  new 32 bit ISN.  The generator is bound to a (possibly fictitious) 32
  bit clock whose low order bit is incremented roughly every 4
  microseconds.  Thus, the ISN cycles approximately every 4.55 hours.
  Since we assume that segments will stay in the network no more than
  the Maximum Segment Lifetime (MSL) and that the MSL is less than 4.55
  hours we can reasonably assume that ISN's will be unique.

To do the test, i have used an 'house made' program, but you can see it even
with a simple tcpdump, like this:

23:30:34.271212 ns.4965 > router1.be.telnet: S 873747771:873747771(0)
23:30:36.901212 router1.telnet > ns.4965: S 127:127(0)
23:30:36.901212 ns.4965 > router1.telnet: . ack 1
23:30:41.501212 router1.telnet > ns.4965: . ack 31

["ns" is connecting on "router1". Unused things has been removed from tcpdump

Member of the ACM. Look http://www.acm.org

       |||      |  Emmanuel Tychon
       O-O      |  nic-hdl: ET99-RIPE, nic-irc: kosinus
       (_)      |
   oOO-----OOo  |  Don't be assimilated, use Linux!
    | Linux |   |
    \-------/   |  PGP key on http://pgp.ai.mit.edu

  By Date           By Thread  

Current thread:
  • Livingston Portmaster - ISN generation is loosy! Aleph One (Jun 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]