Home page logo

bugtraq logo Bugtraq mailing list archives

unused bit attack alert
From: archiver () DB GEOCRAWLER COM (LigerTeam)
Date: Mon, 21 Feb 2000 07:43:54 -0800

This message was sent from Geocrawler.com by "LigerTeam" <ligerteam () hotmail com>
Be sure to reply to that address.

 LigerTeam Advisory

  "unused bit attack"

 Our Team discovered one problem,
 in some case  it's simple,
but it could be serious problem of security
in the programming related with tcp/ip.

In fact, TCP header is 6 kinds  of
tcp  flag (SYN, ACK,  PSH, RST, FIN,  URG).

problem is the flag value in TCP header
approaches to 1byte variable of u_char type.
ex)see tcp.h file

The flag value Each  one correspond to 1 bit,
but it have unused 2 bit.


Understanding of the very problem is simple.
Let's compare the two codes.
ex)SYN Scan detecter program several code type

 i) if ( flag == TH_SYN )

 ii) if ( flag & TH_SYN )

(TH_SYN->SYN flag)

The i) code is true, only  when the syn
flag bit  is set at 1.

So  the flag value is 0x2,
and |0|0|0|0|0|0|1|0| in bit.

 The next ii) code is true, only
 when SYN flag bit, the TH_SYN value
 in flags, is set at 1, and the other
 bit state is not influential.

 Eventually, we can easily know a very
 important thing.

If hackers use the two higher bit(unused bit)
one or all, to set at  1,
ii) code type has false value,
but i) code type last true value.
and hackers avoid scan detecter

 When the  highest bit  is set  at 1,
 so syn flag  bit is  1, and   the flag
 variable  is
 |1|0|0|0|0|0|1|   = 130

 But  this cause mismatching with TH_SYN value
by the  rule of tcp/ip code, and if sentence
has false value.

More over, as tcp/ip code has the  type of bit
computing system, it accept the flags of
syn flag bit, only one, still set at 1.


When the flags variable in tcp header is adjusted
totally with given value,
higher two bit(unused bit) must be cleared
and set at 0.


LigerTeam, strongly propose inserting of
solution code before the computing of flag

  flag = flags & 0x3f;

Weak program :

 At  this time, the  main technical papers from
 the RTSD (Real Time Scan Detecter) spread  by
 CERT-KR show  a representative weak  case.
 It said,
 when (only) syn packet of  tcp is captured,
 the condition  is
 tcp[13]== 2 (SYN).
 This is the very point.
 We thought that other syn packet sensing
 tools had fallen in similar  situation.
 We  have simply  tested several  firewalls
 which would contain that kinds of problem
 and have gotten some result that there
 was no problem in our view.

 All TCP/IP related security programusing
 the previous i) code  pattern is  weak.
 if (flag==(TH_SYN  | TH_ACK)) etc.

 Ps: IP is one more bit not used. Straightly
     saying, not defined.


 Contact us: ligerteam () hotmail com

-The Security LigerTeam 2000 Korea-

Geocrawler.com - The Knowledge Archive

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]