Bugtraq: Re: A new TCP/IP blind data injection technique?

Nmap Security Scanner

Intro

Ref Guide

Install Guide

Download

Changelog

Book

Docs
Security Lists

Bugtraq

Basics

More
Security Tools

More
Site News
Site Search:
Exploit World
Advertising
About/Contact
Credits
Sponsors:

Bugtraq mailing list archives

Re: A new TCP/IP blind data injection technique?

From: Valdis.Kletnieks () vt edu
Date: Thu, 11 Dec 2003 12:06:26 -0500

On Thu, 11 Dec 2003 07:37:02 GMT, Nick Cleaton said:

Even if the attacker knows or controls every other byte in the packet
and thus controls the checksum before the final 16 bits go in, the final
checksum is as unpredictable as those 16 bits.


However, it's a trivial matter to take the original text, the replacement text,
and compute an original such that the checksum comes out "the same".

1) Read the RFCs on how to do incremental update of the checksum when decrementing
the TTL - that provides some big hints.

2) Walk across the old and new texts, computing the delta to the checksum.

3) Smash two spare bytes in the new text with the correct delta to make it come out the same.

Remember, it's a checksum, not a hash.

Attachment: _bin
Description:

By Date By Thread

Current thread:

A new TCP/IP blind data injection technique? Michal Zalewski (Dec 10)
- Re: A new TCP/IP blind data injection technique? Nick Cleaton (Dec 11)
  - Re: A new TCP/IP blind data injection technique? Valdis . Kletnieks (Dec 11)
    - Re[2]: A new TCP/IP blind data injection technique? Marius Huse Jacobsen (Dec 13)
  - Breaking the checksum (a new TCP/IP blind data injection technique) Michal Zalewski (Dec 15)
- Re: A new TCP/IP blind data injection technique? Kris Kennaway (Dec 11)
  - Re: A new TCP/IP blind data injection technique? Casper Dik (Dec 11)
- RE: A new TCP/IP blind data injection technique? David Gillett (Dec 11)