Re: Linux zero IP ID vulnerability?
I've received a couple of off-list replies. See my comments in-line.
On Tue, 14 Mar 2006, Martin Mačok wrote:
Have you verified that the sequence is global and not only per peer? The
latter would mean that "vuln" can't be used as a middle-man for IDLE
scanning...
Yeah, of course i've verified that (see below).
On Tue, 14 Mar 2006, Cody Tubbs wrote:
Unless you're using the syn/ack flags to localhost, other hosts should
not be replying (I can't seem to reproduce this on any of the hosts I've
tried, accept ofcourse on localhost). What is a host(s) you've
successfully tried this towards that's not localhost? Thanks.
Not sure i fully understand your comments... Anyway, here's an host
showing the flawed behaviour (Gentoo Linux 2.6.14-gentoo-r5 + grsec):
root@pandora:~# hping -SA -c 3 research.mediaservice.net -p 80
HPING research.mediaservice.net (eth0 82.56.144.13): SA set, 40 headers +
0 data bytes
len=46 ip=82.56.144.13 ttl=59 DF id=48842 sport=80 flags=R seq=0 win=0
rtt=57.4 ms
len=46 ip=82.56.144.13 ttl=59 DF id=48843 sport=80 flags=R seq=1 win=0
rtt=57.8 ms
len=46 ip=82.56.144.13 ttl=59 DF id=48845 sport=80 flags=R seq=2 win=0
rtt=57.6 ms
--- research.mediaservice.net hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 57.4/57.6/57.8 ms
root@charon:~# hping -SA -c 3 research.mediaservice.net -p 80
HPING research.mediaservice.net (dc0 82.56.144.13): SA set, 40 headers + 0
data bytes
len=46 ip=82.56.144.13 ttl=59 DF id=48850 sport=80 flags=R seq=0 win=0
rtt=53.7 ms
len=46 ip=82.56.144.13 ttl=59 DF id=48851 sport=80 flags=R seq=1 win=0
rtt=56.3 ms
len=46 ip=82.56.144.13 ttl=59 DF id=48857 sport=80 flags=R seq=2 win=0
rtt=59.1 ms
--- research.mediaservice.net hping statistic ---
3 packets tramitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 53.7/56.4/59.1 ms
Cheers,
--
Marco Ivaldi
Antifork Research, Inc. http://0xdeadbeef.info/
3B05 C9C5 A2DE C3D7 4233 0394 EF85 2008 DBFD B707