Date: Sun, 26 Sep 1999 14:43:14 +0200 (CEST)
From: Sebastian <scut@nb.in-berlin.de>
To: alan@cymru.net, linux-kernel@vger.rutgers.edu
Subject: Linux 2.2.x ISN Vulnerability

------

TESO Security Advisory
26/09/1999

Linux Kernel 2.2.x ISN Vulnerability

Summary
===================

A weakness within the TCP stack in Linux 2.2.x kernels has been
discovered. The vulnerability makes it possible to "blind-spoof" TCP
connections. It is therefore possible for an attacker to initiate a TCP
connection from an arbitrary non-existing or unresponding IP source
address, exploiting IP address based access control mechanisms.

Linux 2.0.x kernels were tested against this attack and found not to be
vulnerable in any case.

Systems Affected
===================

All systems running the kernel versions 2.2.x of the Linux operating
system. Linux 2.3.x systems may be affected, too; we did not test these
versions.

In our test situations we noticed that it doesn't seem to matter whether
the TCP syncookie functionality was enabled or not (enabled within the
kernel and activated through the proc filesystem options).

Tests
===================

This is the beginning of a log of a successfully mounted blind TCP
spoofing attack against a Linux 2.2.12 system. (tcpdump output formatted
for better readability)

  16:23:02.727540 attacker.522 > victim.ssh: S 446679473:446679473(0)
  16:23:02.728371 victim.ssh > attacker.522: S 3929852318:3929852318(0)
  16:23:02.734448 11.11.11.11.522 > victim.ssh: S 446679473:446679473(0)
  16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
  16:23:03.014941 attacker.522 > victim.ssh: R 446679474:446679474(0)
  16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
  16:23:06.473192 11.11.11.11.522 > victim.ssh: . ack 3929855318
  16:23:06.473427 victim.ssh > 11.11.11.11.522: R 3929855318:3929855318(0)
  16:23:06.554958 11.11.11.11.522 > victim.ssh: . ack 3929855319
  16:23:06.555119 victim.ssh > 11.11.11.11.522: R 3929855319:3929855319(0)
  16:23:06.637731 11.11.11.11.522 > victim.ssh: . ack 3929855320
  16:23:06.637909 victim.ssh > 11.11.11.11.522: R 3929855320:3929855320(0)
  ...

The first ISN of the victim's host is 3929852318, which is within a
SYNACK packet to the attacker's host. This is unspoofed and can be easily
snagged by the attacker. At the same time the attacker sent out the first
unspoofed SYN packet, he sent a spoofed SYN packet from 11.11.11.11 too.
This packet is answered by the victim's host too, with the ISN of
3929859164.

The difference between the first visible ISN and the second ISN is only
(3929859164 - 3929852318) = 6846.

Please notice that all TCP and IP parameters of the spoofed packet, except
for the IP source address, are the same as those of the unspoofed packet.
This is important (see below).

This small difference within the initial TCP sequence number (ISN) is
exploitable. In other tests, where both hosts were unlagged, we even had
differences below 500 sometimes. We've managed to successfully blind spoof
TCP connections on different Linux 2.2.x systems, that is, reaching the
TCP "ESTABLISHED" state without being able to sniff the victim host.

Impact
===================

By sending packets from a trusted source address, attackers could possibly
bypass address based authentication and security mechanisms. There have
been similar exploitation techniques, aimed especially at r* and NFS
services, in the past that demonstrated the security impact of weak ISNs
very well. We have written a working exploit to demonstrate the weakness.

Explanation
===================

The problem lies in an implementation flaw within the random ISN
algorithm in the Linux kernel. The problem is within
drivers/char/random.c, line 1684:

  __u32 secure_tcp_sequence_number(__u32 saddr, __u32 daddr,
                                   __u16 sport, __u16 dport)
  {
          ...
          static __u32 secret[12];
          ...
          secret[0]=saddr;
          secret[1]=daddr;
          secret[2]=(sport << 16) + dport;
          seq = (halfMD4Transform(secret+8, secret) &
                 ((1<<HASH_BITS)-1)) + count;
          ...
  }

As already said, in our spoofed TCP SYN packet only the IP source address
differs, that is only secret[0], so of the 12*4 random bytes used to
create the sequence number from, only 4 bytes differ. Obviously the hash
created by halfMD4Transform has similarities if the source and destination
ports and the destination address are the same. It seems that the source
address is least significant to the above MD4 algorithm. Changing the
source ports too makes the two ISNs differ more.

Due to the short gap of time, the last

  seq += tv.tv_usec + tv.tv_sec*1000000;

is useless.

This may be the reason why this bug may have survived long: in any real
network situation it is uncommon that the source and destination ports
are equal in two different connections on one host.

Further analysis of the hash algorithm in this routine may result in a
better ISN prediction than the one we use (range prediction).

Solution
===================

First: It's always unwise to rely on address based authentication,
because in a sniffable environment, such as the Internet, there are
always means of bypassing address based authentication.

Second: The press shouldn't hype this as _THE_ Linux bug.. everyone
having looked at the ISNs/DNS sequence numbers of any of Microsoft's
operating systems knows that their 'random numbers' are _much_ easier
targets to use for IP and DNS spoofing attacks. For a description of how
the ISN numbers of the Microsoft Windows NT TCP stack have even weakened
with the latest Service Packs, you may want to browse the latest postings
to the Bugtraq security mailing list [1] or read [2]. Well.. not that it
matters.. but who uses Microsoft software anyway ?

The Linux kernel developers have been notified at the same time as the
public Linux community, so a safe patch should be available real soon.
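To show what the trace in the Tests section lets a defender measure, here is an added Python script written for this page; it is not part of the advisory and not the TESO exploit. It parses the trimmed tcpdump lines from the Tests section, records the ISN the victim handed to each client endpoint, computes the distance between successive ISNs (the 6846 worked out above) against a constructed 2^16 cut-off, and reports the run of consecutively numbered bare ACKs each answered by an RST, which is the footprint the spoofed side leaves in a capture. The trace is the advisory's own; the host names are the advisory's placeholders and the threshold is a constructed value.

```python
import re

# Trace lines copied from the advisory's test log. "attacker" and "victim"
# are the advisory's placeholder host names; 11.11.11.11 is the spoofed
# source address from the same log.
TRACE = """\
16:23:02.727540 attacker.522 > victim.ssh: S 446679473:446679473(0)
16:23:02.728371 victim.ssh > attacker.522: S 3929852318:3929852318(0)
16:23:02.734448 11.11.11.11.522 > victim.ssh: S 446679473:446679473(0)
16:23:02.734599 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:03.014941 attacker.522 > victim.ssh: R 446679474:446679474(0)
16:23:05.983368 victim.ssh > 11.11.11.11.522: S 3929859164:3929859164(0)
16:23:06.473192 11.11.11.11.522 > victim.ssh: . ack 3929855318
16:23:06.473427 victim.ssh > 11.11.11.11.522: R 3929855318:3929855318(0)
16:23:06.554958 11.11.11.11.522 > victim.ssh: . ack 3929855319
16:23:06.555119 victim.ssh > 11.11.11.11.522: R 3929855319:3929855319(0)
16:23:06.637731 11.11.11.11.522 > victim.ssh: . ack 3929855320
16:23:06.637909 victim.ssh > 11.11.11.11.522: R 3929855320:3929855320(0)
...
"""

# One line of the trimmed tcpdump format used in the advisory:
#   <time> <src.port> > <dst.port>: <flags> [<seq>:<seq>(<len>)] [ack <n>]
LINE_RE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+)\s+(?P<src>\S+)\s+>\s+(?P<dst>\S+):\s+"
    r"(?P<flags>[SRPF.]+)"
    r"(?:\s+(?P<seq>\d+):\d+\(\d+\))?"
    r"(?:\s+ack\s+(?P<ack>\d+))?"
)

MOD32 = 1 << 32


def parse_trace(text):
    """Parse the trace into packet dicts; lines not in the format ('...') are skipped."""
    pkts = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        pkts.append({
            "ts": d["ts"], "src": d["src"], "dst": d["dst"], "flags": d["flags"],
            "seq": int(d["seq"]) if d["seq"] else None,
            "ack": int(d["ack"]) if d["ack"] else None,
        })
    return pkts


def server_isns(pkts, server):
    """ISN the server chose per client endpoint: seq of its first SYN reply.
    Retransmitted SYN-ACKs repeat the same ISN and are ignored."""
    isns = {}
    for p in pkts:
        if p["src"] == server and "S" in p["flags"] and p["dst"] not in isns:
            isns[p["dst"]] = p["seq"]
    return isns


def isn_distances(isns):
    """Shortest distance mod 2^32 between the ISNs of successive connections."""
    vals = list(isns.values())
    out = []
    for a, b in zip(vals, vals[1:]):
        d = (b - a) % MOD32
        out.append(min(d, MOD32 - d))
    return out


def isns_look_predictable(isns, threshold=1 << 16):
    """True when every fresh ISN lands within `threshold` of the previous one.
    The threshold is a constructed cut-off, not a value from the advisory."""
    dists = isn_distances(isns)
    return bool(dists) and max(dists) < threshold


def ack_probe_runs(pkts, server, min_run=3):
    """Clients that sent a run of bare ACKs with consecutive ack numbers, each
    answered by a server RST: the footprint of a blind ISN guess in a capture."""
    hits = []
    for client in sorted({p["src"] for p in pkts if p["dst"] == server}):
        acks = [p["ack"] for p in pkts
                if p["src"] == client and p["dst"] == server
                and p["flags"] == "." and p["ack"] is not None]
        rsts = sum(1 for p in pkts
                   if p["src"] == server and p["dst"] == client and "R" in p["flags"])
        best = run = 1 if acks else 0
        for a, b in zip(acks, acks[1:]):
            run = run + 1 if b == (a + 1) % MOD32 else 1
            best = max(best, run)
        if best >= min_run and rsts >= min_run:
            hits.append((client, acks[0], acks[-1], rsts))
    return hits


if __name__ == "__main__":
    pkts = parse_trace(TRACE)
    isns = server_isns(pkts, "victim.ssh")
    print("ISNs handed out by victim.ssh:", isns)
    print("distance between successive ISNs:", isn_distances(isns))
    print("ISNs look predictable:", isns_look_predictable(isns))
    print("ACK/RST probe runs:", ack_probe_runs(pkts, "victim.ssh"))
```

On the advisory's trace the script reports one ISN distance of 6846 and a single probe run from 11.11.11.11.522 covering ack numbers 3929855318 to 3929855320 with three RSTs. The same two checks apply to any capture taken in front of a host: a small spread between ISNs handed to back-to-back connections is the measurement worth repeating after a kernel update, and a burst of RST-answered ACKs from one source is the event worth alerting on.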
Acknowledgments
================

The bug discovery and the exploit are due to:

  Stealth     http://www.kalug.lug.net/stealth
  S. Krahmer  http://www.cs.uni-potsdam.de/homepages/students/linuxer

This advisory has been written by typo and scut. The tests and further
analysis were done by stealth and scut. The demonstration exploit has
been written by S. Krahmer.

Contact Information
===================

The teso crew can be reached by mailing to teso@shellcode.org. Our
webpage is at http://teso.scene.at/

References
===================

[1] Mail to the Bugtraq mailing list
    From: Roy Hills
    Subject: NT Predictable Initial TCP Sequence numbers - changes
    observed with SP4
[2] Microsoft Knowledge Database Article ID: Q192292
    "Unpredictable TCP Sequence Numbers in SP4".
[3] libUSI++, a spoofing library
    http://www.cs.uni-potsdam.de/homepages/students/linuxer/
[4] TESO
    http://teso.scene.at/
[5] S. Krahmer
    http://www.cs.uni-potsdam.de/homepages/students/linuxer

Disclaimer
===================

This advisory does not claim to be complete or to be usable for any
purpose. Especially information on the vulnerable systems may be
inaccurate or wrong. The supplied exploit is not to be used for malicious
purposes, but for educational purposes only. This advisory is free for
open distribution in unmodified form. Articles that are based on
information from this advisory should include links [4] and [5].

Exploit
===================

We've created a working exploit to demonstrate the vulnerability. The
exploit needs libUSI++ installed, which can be obtained through [3]. The
exploit is available from either http://teso.scene.at/ or
http://www.cs.uni-potsdam.de/homepages/students/linuxer/