Bugtraq mailing list archives

Re: Security Advisory: A simple TCP spoofing attack


From: wietse () PORCUPINE ORG (Wietse Venema)
Date: Wed, 12 Feb 1997 12:44:53 -0500


Oliver Friedrichs of Secure Networks Inc. describes a semi-blind
IP address spoofing attack on servers that wipe IP options once a
connection has been established. This protection is used in network
daemons such as rshd and rlogind, and also in my own tcp wrapper.

I've updated the tcp wrapper source code. The wrapper now optionally
looks for IP source routing options and disconnects when it finds
such options. Those who care to look at my source code will notice
that recognizing IP options reliably is not entirely trivial.

Below is a little blurb with pointers to source code archives.

        Wietse

--blurb--

Version 7.5 of my TCP Wrapper program is available.

Version 7.5 has support for more UNIX system types, and gives better
protection against IP spoofing attacks based on source-routed TCP
connections, by refusing them. This protection is not enabled by
default.

Version 7.5 does not introduce new features. Do not bother applying
this patch when you built your current tcp wrapper without enabling the
KILL_OPTIONS compiler switch. The patch is not useful for obsolete UNIX
versions that pre-date 4.4BSD, such as SunOS 4. Such systems are unable
to receive source-routed connections and are therefore not vulnerable
to IP spoofing attacks with source-routed TCP connections.

In order to upgrade, you can pick up the complete 7.5 source from the
usual FTP archives:

        ftp.win.tue.nl:/pub/security/tcp_wrappers_7.5.tar.gz
        ftp.cert.org:/pub/tools/tcp_wrappers (soon)

        MD5 checksum: 8c7a17a12d9be746e0488f7f6bfa4abb

You can also send an email message to majordomo () wzv win tue nl with as
body (not subject):

        get tcp-wrappers-announce Patch05

The full source code (Part01..07, Patch01..05) can be obtained in the
same manner. You can send multiple `get' commands in one message.
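
The check the message describes (look for IP source routing options and disconnect when one is found), as an added example that is not from the original post or from the tcp wrapper source. It assumes the caller passes the option bytes in RFC 791 layout with any platform-specific prefix in the kernel's buffer already skipped; `scan_ip_options`, the verdict names and the sample arrays are hypothetical and constructed for illustration.

```c
#include <stddef.h>
#include <stdio.h>

/* IPv4 option type values from RFC 791. */
#define OPT_EOL  0x00   /* end of option list (single byte) */
#define OPT_NOP  0x01   /* no operation (single byte) */
#define OPT_LSRR 0x83   /* loose source and record route */
#define OPT_SSRR 0x89   /* strict source and record route */

enum opt_verdict { OPTS_CLEAN = 0, OPTS_SOURCE_ROUTE = 1, OPTS_MALFORMED = 2 };

/* Constructed sample option areas (not captured traffic). */
static const unsigned char sample_rr[]   = {0x07, 0x07, 0x08, 0x83, 0x89, 0x83, 0x89, 0x00};
static const unsigned char sample_lsrr[] = {0x01, 0x83, 0x07, 0x04, 10, 0, 0, 1};
static const unsigned char sample_bad[]  = {0x07, 0x00, 0x04, 0x00};

/*
 * Walk the options type by type. A plain byte search for 0x83/0x89 would
 * misfire on option data (sample_rr holds the address 131.137.131.137), so
 * each option's length byte must be honoured, and a bad length must not be
 * allowed to stall or overrun the walk. A server should refuse the
 * connection on OPTS_SOURCE_ROUTE and on OPTS_MALFORMED alike.
 */
enum opt_verdict scan_ip_options(const unsigned char *opts, size_t len)
{
    size_t i = 0;

    if (len > 40)                       /* 60-byte header limit minus 20 fixed bytes */
        return OPTS_MALFORMED;
    while (i < len) {
        unsigned char type = opts[i];
        size_t optlen;

        if (type == OPT_EOL)
            break;                      /* bytes after EOL are padding */
        if (type == OPT_NOP) { i++; continue; }
        if (type == OPT_LSRR || type == OPT_SSRR)
            return OPTS_SOURCE_ROUTE;
        if (i + 1 >= len)
            return OPTS_MALFORMED;      /* length byte is missing */
        optlen = opts[i + 1];           /* counts the type and length bytes too */
        if (optlen < 2 || optlen > len - i)
            return OPTS_MALFORMED;      /* would loop forever or run past the end */
        i += optlen;
    }
    return OPTS_CLEAN;
}

int main(void)
{
    printf("%d %d %d\n", (int)scan_ip_options(sample_rr, sizeof sample_rr),
           (int)scan_ip_options(sample_lsrr, sizeof sample_lsrr),
           (int)scan_ip_options(sample_bad, sizeof sample_bad));
    return 0;
}
```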


