Security #4635
closedtcp: crafted injected packets cause desync after 3whs
Description
It is possible to bypass/evade tcp based signature on some Linux servers.
For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer which allow the attacker to desynchronize the NIDS and send/receive known signatures without being detected.
For this attack, the attacker must control the TCP/IP stack of a client.
Here's an example:
Client === Legit TCP handshake === Server
Client> [FIN-SYN-ACK] [Seq=1 Ack=2] -> Server # injected (FSA)[ACK] [Seq=2 Ack=1] <- Server # legit
Client <
Client> [SYN] [Seq=1234] -> Server # injected (bad seq)[ACK] [Seq=x Ack=y] <- Server # legit
Client -> [PSH-ACK] [Seq=1 Ack=2] SIGNATURE -> Server # undetected
Client <
Client <- [PSH-ACK] [Seq=x Ack=y] SIGNATURE <- Server # undetectedThis evasion has been tested against the following servers on the folowing OS:
Web server Tested version OS Vulnerable? ------------ ---------------- -------------- ------------- Nginx 1.21.1 Ubuntu 20.04 Yes Nginx 1.21.1 Windows 10 No Apache 2.4.41 Ubuntu 20.04 No Apache 2.4.41 Windows 10 No Django 3.1.5 Ubuntu 20.04 Yes Django 3.1.5 Windows 10 No Gunicorn 20.0.4 Ubuntu 20.04 Yes Gunicorn 20.0.4 Windows 10 No Python3 3.8.5 Ubuntu 20.04 Yes Python3 3.8.5 Windows 10 No Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.