Project

General

Profile

Actions

Security #4634

closed

tcp: crafted injected packets cause desync after 3whs

Added by Jeff Lucovsky about 1 year ago. Updated 10 months ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Git IDs:
Severity:
HIGH

Description

It is possible to bypass/evade tcp based signature on some Linux servers.

For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer which allow the attacker to desynchronize the NIDS and send/receive known signatures without being detected.

For this attack, the attacker must control the TCP/IP stack of a client.

Here's an example:

Client === Legit TCP handshake === Server
Client > [FIN-SYN-ACK] [Seq=1 Ack=2] -> Server # injected (FSA)
Client <
[ACK] [Seq=2 Ack=1] <- Server # legit
Client > [SYN] [Seq=1234] -> Server # injected (bad seq)
Client -> [PSH-ACK] [Seq=1 Ack=2] SIGNATURE -> Server # undetected
Client <
[ACK] [Seq=x Ack=y] <- Server # legit
Client <- [PSH-ACK] [Seq=x Ack=y] SIGNATURE <- Server # undetected

This evasion has been tested against the following servers on the folowing OS:

Web server Tested version OS Vulnerable?
------------ ---------------- -------------- -------------
Nginx 1.21.1 Ubuntu 20.04 Yes
Nginx 1.21.1 Windows 10 No
Apache 2.4.41 Ubuntu 20.04 No
Apache 2.4.41 Windows 10 No
Django 3.1.5 Ubuntu 20.04 Yes
Django 3.1.5 Windows 10 No
Gunicorn 20.0.4 Ubuntu 20.04 Yes
Gunicorn 20.0.4 Windows 10 No
Python3 3.8.5 Ubuntu 20.04 Yes
Python3 3.8.5 Windows 10 No

Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.


Related issues 1 (0 open1 closed)

Copied from Security #4569: tcp: crafted injected packets cause desync after 3whsClosedPhilippe AntoineActions
Actions #1

Updated by Jeff Lucovsky about 1 year ago

  • Copied from Security #4569: tcp: crafted injected packets cause desync after 3whs added
Actions #2

Updated by Victor Julien 11 months ago

  • Severity set to HIGH
Actions #3

Updated by Victor Julien 11 months ago

  • Status changed from Assigned to Closed
Actions #4

Updated by Victor Julien 10 months ago

  • Private changed from Yes to No
Actions

Also available in: Atom PDF