Bugtraq mailing list archives
Re: Security Advisory: A simple TCP spoofing attack
From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Wed, 12 Feb 1997 12:44:53 -0500
Oliver Friedrichs of Secure Networks Inc. describes a semi-blind IP address spoofing attack on servers that wipe IP options once a connection has been established. This protection is used in network daemons such as rshd and rlogind, and also in my own tcp wrapper.

I've updated the tcp wrapper source code. The wrapper now optionally looks for IP source routing options and disconnects when it finds such options. Those who care to look at my source code will notice that recognizing IP options reliably is not entirely trivial.

Below is a little blurb with pointers to source code archives.

Wietse

--blurb--

Version 7.5 of my TCP Wrapper program is available.

Version 7.5 has support for more UNIX system types, and gives better protection against IP spoofing attacks based on source-routed TCP connections, by refusing them. This protection is not enabled by default.

Version 7.5 does not introduce new features. Do not bother applying this patch when you built your current tcp wrapper without enabling the KILL_OPTIONS compiler switch.

The patch is not useful for obsolete UNIX versions that pre-date 4.4BSD, such as SunOS 4. Such systems are unable to receive source-routed connections and are therefore not vulnerable to IP spoofing attacks with source-routed TCP connections.

In order to upgrade, you can pick up the complete 7.5 source from the usual FTP archives:

    ftp.win.tue.nl:/pub/security/tcp_wrappers_7.5.tar.gz
    ftp.cert.org:/pub/tools/tcp_wrappers (soon)

    MD5 checksum: 8c7a17a12d9be746e0488f7f6bfa4abb

You can also send an email message to majordomo () wzv win tue nl with as body (not subject):

    get tcp-wrappers-announce Patch05

The full source code (Part01..07, Patch01..05) can be obtained in the same manner. You can send multiple `get' commands in one message.
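
The kind of option walk the message alludes to, as an added example (not part of the original message and not the tcp wrapper's own code): it scans raw IP option bytes in the RFC 791 layout for loose or strict source routing and fails closed on malformed lengths. The function name, constants and sample byte strings are constructed for illustration; how a particular system hands the option bytes to the application is not covered.

```c
#include <stddef.h>
#include <stdio.h>

#define OPT_EOL   0    /* end of option list (RFC 791) */
#define OPT_NOP   1    /* one-byte padding, has no length field */
#define OPT_LSRR  131  /* loose source and record route */
#define OPT_SSRR  137  /* strict source and record route */

/* Constructed sample option strings, not captured traffic. */
static const unsigned char sample_lsrr[]   = { 1, 131, 7, 4, 192, 0, 2, 1 };
static const unsigned char sample_ts[]     = { 68, 4, 5, 0 };
static const unsigned char sample_behind[] = { 68, 4, 5, 0, 137, 3, 4, 0 };
static const unsigned char sample_zero[]   = { 68, 0, 131, 3, 4 };

/* Returns 1 if a source-route option is present, 0 if none, and
 * -1 if the list is malformed (a caller should refuse that too). */
int has_source_route(const unsigned char *opts, size_t len)
{
    size_t i = 0;

    while (i < len) {
        unsigned char type = opts[i];
        size_t olen;

        if (type == OPT_EOL)
            return 0;            /* bytes after EOL are not options */
        if (type == OPT_NOP) {
            i++;                 /* NOP is the only other 1-byte option */
            continue;
        }
        if (type == OPT_LSRR || type == OPT_SSRR)
            return 1;            /* decide before trusting its length */
        if (i + 1 >= len)
            return -1;           /* length byte is missing */
        olen = opts[i + 1];
        if (olen < 2 || olen > len - i)
            return -1;           /* zero length would loop forever */
        i += olen;
    }
    return 0;
}

int main(void)
{
    printf("lsrr=%d ts=%d behind=%d zero=%d\n",
           has_source_route(sample_lsrr, sizeof sample_lsrr),
           has_source_route(sample_ts, sizeof sample_ts),
           has_source_route(sample_behind, sizeof sample_behind),
           has_source_route(sample_zero, sizeof sample_zero));
    return 0;
}
```

A caller that wants to refuse source-routed connections would treat any nonzero return as grounds to disconnect.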