Home page logo
/

bugtraq logo Bugtraq mailing list archives

Re: unused bit attack alert
From: jtb () THEO2 PHYSIK UNI-STUTTGART DE (Jochen Bauer)
Date: Tue, 22 Feb 2000 11:54:09 +0100


On Mon, Feb 21, 2000 at 07:43:54AM -0800, LigerTeam wrote:
[...]
In fact, TCP header is 6 kinds  of
tcp  flag (SYN, ACK,  PSH, RST, FIN,  URG).

problem is the flag value in TCP header
approaches to 1byte variable of u_char type.
ex)see tcp.h file

The flag value Each  one correspond to 1 bit,
but it have unused 2 bit.

|unused|unused|URG|ACK|PSH|RST|SYN|FIN|

Understanding of the very problem is simple.
Let's compare the two codes.
ex)SYN Scan detecter program several code type

 i) if ( flag == TH_SYN )

 ii) if ( flag & TH_SYN )

(TH_SYN->SYN flag)

The i) code is true, only  when the syn
flag bit  is set at 1.

So  the flag value is 0x2,
and |0|0|0|0|0|0|1|0| in bit.

 The next ii) code is true, only
 when SYN flag bit, the TH_SYN value
 in flags, is set at 1, and the other
 bit state is not influential.

 Eventually, we can easily know a very
 important thing.

If hackers use the two higher bit(unused bit)
one or all, to set at  1,
ii) code type has false value,
but i) code type last true value.
and hackers avoid scan detecter
[...] 
Conclusion:

When the flags variable in tcp header is adjusted
totally with given value,
higher two bit(unused bit) must be cleared
and set at 0.
[...]

This is a known issue; it's in the category of "invalid TCP flags 
scanning". In fact, the two unused bits in the TCP flags byte can 
be used for TCP fingerprinting as the response to such TCP packets 
is not specified in RFC 793 and therefore depends on the TCP/IP 
implementation being used. In addition to TCP fingerprinting, TCP 
packets with certain invalid (i.e. not covered by RFC 793) flag
combinations not including the SYN flag can be used to determine 
which ports are open on the target machine.

This leads one to the conclusion that focussing on TCP packets with 
the SYN flag set is completely insufficient for scan detection. Any 
decent scan detector must, among other things, pay explicit 
attention to those 2 unused bits in the TCP flags byte anyway.

--
Jochen Bauer

Security Team (RUS-CERT)                                              
Computer Center of the University of Stuttgart                        
Germany
                                                               
************************************************************************ 
*Email: jtb () theo2 physik uni-stuttgart de                              *
*       jochen.bauer () rus uni-stuttgart de                              *
*                                                                      *
*PGP Public Key:                                                       *
*http://ca.uni-stuttgart.de:11371/pks/lookup?op=index&search=0xB5D92889*
************************************************************************ 


<HR NOSHADE>
<UL>
<LI>application/pgp-signature attachment: stored
</UL>


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault