Project

General

Profile

Actions

Bug #1238

closed

Possible evasion in stream-tcp-reassemble.c

Added by JmpCallPoo . over 8 years ago. Updated over 8 years ago.

Status:
Closed
Priority:
Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

Hello,

A possible evasion exist in Suricata.
The client can send a fake ACK whith a very low window size, to flag the stream as STREAMTCP_STREAM_FLAG_GAP.

This will be more clear with the PoC in attachement.

@JmpCallPoo .


Files

deseq_ACK.py (1.73 KB) deseq_ACK.py JmpCallPoo ., 07/16/2014 06:42 AM
deseq_ACK.py (1.72 KB) deseq_ACK.py Clean one JmpCallPoo ., 07/16/2014 09:30 AM
Actions #1

Updated by JmpCallPoo . over 8 years ago

Oops :D

Actions #2

Updated by JmpCallPoo . over 8 years ago

Actions #3

Updated by Victor Julien over 8 years ago

Thanks for your report. I have a patch here: https://github.com/inliniac/suricata/pull/1039, care to test it?

Actions #4

Updated by Victor Julien over 8 years ago

  • Status changed from New to Closed
  • Assignee set to Victor Julien
  • Target version set to 2.0.3
  • % Done changed from 0 to 100
Actions

Also available in: Atom PDF