Security #4569 (closed)
tcp: crafted injected packets cause desync after 3whs
Git IDs:
6cb6225b28c5d8e616a420b7d05b129ba2845dc0
Severity:
HIGH
Disclosure Date:
Description
Reported by Fratso:
It is possible to bypass/evade tcp based signature on some Linux servers.
For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer, which allows the attacker to desynchronize the NIDS and send/receive known signatures without being detected.
For this attack, the attacker must control the TCP/IP stack of a client.
Here's an example:
Client === Legit TCP handshake === Server
Client -> [FIN-SYN-ACK] [Seq=1 Ack=2]           -> Server   # injected (FSA)
Client <- [ACK]         [Seq=2 Ack=1]           <- Server   # legit
Client -> [SYN]         [Seq=1234]              -> Server   # injected (bad seq)
Client -> [PSH-ACK]     [Seq=1 Ack=2] SIGNATURE -> Server   # undetected
Client <- [ACK]         [Seq=x Ack=y]           <- Server   # legit
Client <- [PSH-ACK]     [Seq=x Ack=y] SIGNATURE <- Server   # undetected
This evasion has been tested against the following servers on the following OS:

Web server   Tested version   OS             Vulnerable?
-----------  ---------------  -------------  -----------
Nginx        1.21.1           Ubuntu 20.04   Yes
Nginx        1.21.1           Windows 10     No
Apache       2.4.41           Ubuntu 20.04   No
Apache       2.4.41           Windows 10     No
Django       3.1.5            Ubuntu 20.04   Yes
Django       3.1.5            Windows 10     No
Gunicorn     20.0.4           Ubuntu 20.04   Yes
Gunicorn     20.0.4           Windows 10     No
Python3      3.8.5            Ubuntu 20.04   Yes
Python3      3.8.5            Windows 10     No

Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.
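An added example, not the reporter's or Suricata's code: a minimal flow tracker showing the defensive property a NIDS needs against the exchange above, namely that SYN-bearing segments arriving after a completed handshake are flagged and ignored rather than allowed to reset the tracked stream, so the signature-bearing segments that follow are still inspected. The Packet/StreamTracker names, the relative sequence numbers and the payloads are constructed for the demo.

```python
from dataclasses import dataclass, field

FIN, SYN, PSH, ACK = 0x01, 0x02, 0x08, 0x10

@dataclass
class Packet:
    src: str            # "client" or "server"
    flags: int
    seq: int            # relative sequence number
    payload: bytes = b""

@dataclass
class StreamTracker:
    """Per-flow state; SYN-bearing segments after the 3WHS must not move it."""
    state: str = "CLOSED"
    next_seq: dict = field(default_factory=lambda: {"client": 0, "server": 0})
    anomalies: list = field(default_factory=list)
    inspected: list = field(default_factory=list)   # payloads handed to signatures

    def feed(self, p: Packet) -> None:
        if self.state == "CLOSED" and p.src == "client" and p.flags == SYN:
            self.next_seq["client"], self.state = p.seq + 1, "SYN_SENT"
        elif self.state == "SYN_SENT" and p.src == "server" and p.flags == SYN | ACK:
            self.next_seq["server"], self.state = p.seq + 1, "SYN_RECV"
        elif self.state == "SYN_RECV" and p.src == "client" and p.flags == ACK:
            self.state = "ESTABLISHED"
        elif self.state == "ESTABLISHED" and p.flags & SYN:
            # A SYN (alone or as FIN-SYN-ACK) is invalid once established:
            # record it and leave the tracked sequence numbers untouched.
            self.anomalies.append(("syn_in_established", p.src, p.seq))
        elif self.state == "ESTABLISHED" and p.seq != self.next_seq[p.src]:
            self.anomalies.append(("out_of_sequence", p.src, p.seq))
        elif self.state == "ESTABLISHED":
            if p.payload:
                self.inspected.append((p.src, p.payload))
            self.next_seq[p.src] += len(p.payload)

def replay_reported_exchange() -> StreamTracker:
    """Constructed packets mirroring the report's exchange (relative seqs)."""
    pkts = [
        Packet("client", SYN, 0),
        Packet("server", SYN | ACK, 0),
        Packet("client", ACK, 1),
        Packet("client", FIN | SYN | ACK, 1),                # injected
        Packet("server", ACK, 1),                            # legit
        Packet("client", SYN, 1234),                         # injected, bad seq
        Packet("client", PSH | ACK, 1, b"SIGNATURE-REQ"),    # must be inspected
        Packet("server", PSH | ACK, 1, b"SIGNATURE-RESP"),   # must be inspected
    ]
    tracker = StreamTracker()
    for p in pkts:
        tracker.feed(p)
    return tracker
```

Both injected segments end up in `anomalies` while both signature payloads reach `inspected`; a tracker that instead re-synchronised on the bogus SYN would lose them.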
Updated by Jeff Lucovsky over 3 years ago
- Copied to Security #4634: tcp: crafted injected packets cause desync after 3whs added
Updated by Jeff Lucovsky over 3 years ago
- Copied to Security #4635: tcp: crafted injected packets cause desync after 3whs added
Updated by Victor Julien over 3 years ago
- Assignee changed from Victor Julien to Philippe Antoine
Updated by Philippe Antoine over 3 years ago
- Status changed from Assigned to In Review
- Affected Versions 6.0.3 added
Gitlab
I would like a review of my draft PR by some TCP superman
Updated by Philippe Antoine about 3 years ago
- Status changed from In Review to Closed