Re: Linux zero IP ID vulnerability?

To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Re: Linux zero IP ID vulnerability?
From: GomoR <bugtraq@xxxxxxxxx>
Date: Wed, 22 Mar 2006 20:58:23 +0100
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm

On Wed, Mar 15, 2006 at 10:26:00AM +0100, Marco Ivaldi wrote:
[..]

Not sure i fully understand your comments... Anyway, here's an host
showing the flawed behaviour (Gentoo Linux 2.6.14-gentoo-r5 + grsec):

Well, it may be related to GR security.

SinFP[1] exploits a difference in IP ID generation to detect

(to some extent) the use of GR security inside a Linux kernel.

In fact, last time I checked, there was an option in GRsec
configuration to alter IP ID generation behaviour. You can try

to play with this.[1] http://www.gomor.org/cgi-bin/index.pl?mode=view;page=net_sinfp

--
^  ___  ___             http://www.GomoR.org/          <-+
| / __ |__/          Systems & Security Engineer         |
| \__/ |  \     ---[ zsh$ alias psed='perl -pe ' ]---    |
+-->  Net::Packet <=> http://search.cpan.org/~gomor/  <--+

Prev by Date: [HV-PAPER] Security Product Evaluation Tips
Next by Date: Re: PHP-Stats <= 0.1.9.1 remote commands execution
Previous by thread: Re: Linux zero IP ID vulnerability?
Next by thread: [eVuln] CyBoards PHP Lite SQL Injection Vulnerability
Index(es):
- Date
- Thread