mailing list archives
Re: Tying a session to an IP address
From: exon <exon () home se>
Date: Mon, 10 May 2004 20:53:40 +0200
Rogan Dawes wrote:
Actually, it is not so trivial to spoof a TCP connection long enough to
get something useful from it. Especially an HTTP connection.
True, but sending to (with an unlawfully gained login) can do as much or
more damage as receiving from.
The original fear with spoofed connections was rlogin/rsh, which used IP
addresses as authentication. The mechanism for exploitation was usually
Correct. This would work equally nice in abusing whatever you might be
able to shoot blindly at. RSH was a bit scary in that it permitted
shell-accounts immediately with no greater effort, but the ability to
add certain pieces of information into a database or some file on the
server can prove equally damaging.
Send SYN packet from "authenticated/permitted" IP address.
Do not receive the SYN/ACK.
Send ACK packet, with a payload of something like
"echo '+ +' >> .rhosts"
Even if you do not receive a response, you have cracked the box.
This is still possible from some web apps, particularly those that allow
you to execute admin functions if you come from a specific IP address,
and don't use session cookies, etc.
Not far from it, so long as you know what you're "shooting" at, and
mapping the steps is trivial with either a little social engineering or
simply browsing the webpage text.
BUT, the majority of apps on the Internet now require you to go through
multiple levels in order to actually achieve something.
e.g. submit a GET to get a form to fill in, submit a POST with the
values, submit a POST as a confirmation, etc.
It is not a simple as the rsh attack described above.
Personally, I think that tracking the IP address CAN add some value. It
is not foolproof, and can cause problems in certain circumstances, but
it helps to raise the bar where those circumstances do not apply to you.
Anything that helps is good, I suppose, but one must also consider the
fact that a false sense of any security can be worse than a true sense
of no security.