Project

General

Profile

Bug #3286

Updated by Victor Julien about 5 years ago

It is possible to bypass/evade any tcp based signature by faking a closed TCP session using an evil server. 
 After the TCP SYN packet, it's possible to inject a RST ACK and a FIN ACK packet with an old TCP Timestamp option. 
 The client will ignore the RST ACK and the FIN ACK packets because of the old TCP Timestamp option. 
 Both linux and windows client are ignoring the injected packets. 

 <pre> 
 Client      ->    [SYN] [Seq=0 Ack=0]                                       ->    Evil Server       # Legit TCP handshake 
 Client      <-    [RST, ACK] [Seq=0 Ack=1] [old TCP Timestamp option]       <-    Evil Server       # Injected packet 
 Client      <-    [FIN, ACK] [Seq=0 Ack=1] [old TCP Timestamp option]       <-    Evil Server       # Injected packet 
 Client      <-    [SYN, ACK] [Seq=0 Ack=1]                                  <-    Evil Server       # Legit TCP handshake 
 Client      <-    [ACK] [Seq=1 Ack=1]                                       <-    Evil Server       # Legit TCP handshake 
 Client      ===============    Data evasion          =================            Evil Server 
 </pre> 

 



 This evasion technique is referenced as CVE-2019-18625. 

 You can find attached : 
          - test.rule : A tcp rule that detects the string THIS_IS_A_TEST 
          - without_evasion.pcap : A web server which sends the string THIS_IS_A_TEST to a client without any evasion technique 
          - with_evasion_windows.pcap : A web server which sends the string THIS_IS_A_TEST to a windows 10 client with this evasion technique 
          - with_evasion_linux.pcap : A web server which sends the string THIS_IS_A_TEST to a linux client (kernel 5.2.0) with this evasion technique

Back