Project

General

Profile

Security #4569

Updated by Victor Julien about 3 years ago

Reported by Frédéric Autissier: 

 > It is possible to bypass/evade tcp based signature on some Linux servers. 
 >  
 > For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer which allow the attacker to desynchronize the NIDS and send/receive known signatures without being detected. 
 >  
 > For this attack, the attacker must control the TCP/IP stack of a client. 
 >  
 > Here's an example: 

 <pre> 
 >  
 > Client === Legit TCP handshake === Server 
 > Client -> [FIN-SYN-ACK] [Seq=1 Ack=2] -> Server # injected (FSA) 
 > Client <- [ACK] [Seq=2 Ack=1] <- Server # legit 
 > Client -> [SYN] [Seq=1234] -> Server # injected (bad seq) 
 > Client -> [PSH-ACK] [Seq=1 Ack=2] SIGNATURE -> Server # undetected 
 > Client <- [ACK] [Seq=x Ack=y] <- Server # legit 
 > Client <- [PSH-ACK] [Seq=x Ack=y] SIGNATURE <- Server # undetected 
 </pre> 

 >  
 > This evasion has been tested against the following servers on the folowing OS: 
 >  
 > | Web server | Tested version | OS | Vulnerable? | 
 > |------------|----------------|--------------|-------------| 
 > | Nginx | 1.21.1 | Ubuntu 20.04 | Yes | 
 > | Nginx | 1.21.1 | Windows 10 | No | 
 > | Apache | 2.4.41 | Ubuntu 20.04 | No | 
 > | Apache | 2.4.41 | Windows 10 | No | 
 > | Django | 3.1.5 | Ubuntu 20.04 | Yes | 
 > | Django | 3.1.5 | Windows 10 | No | 
 > | Gunicorn | 20.0.4 | Ubuntu 20.04 | Yes | 
 > | Gunicorn | 20.0.4 | Windows 10 | No | 
 > | Python3 | 3.8.5 | Ubuntu 20.04 | Yes | 
 > | Python3 | 3.8.5 | Windows 10 | No | 
 >  
 > Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.

Back