Bugtraq mailing list archives
Irix and TCP implementation
From: tesd () HACK GR (TeSd)
Date: Sat, 11 Dec 1999 00:31:20 +0200
Hello,

Please excuse me if this is already posted. I was playing hijacking some telnet sessions in my domain when I came across something very strange. It seems that something is going wrong in Irix systems (at least at Irix 6.3, where my testing was taking place) in the TCP implementation. To focus on the problem, let's see the tcpdump output that follows.

There is a normal telnet connection between an O2 (with Irix 6.3) and a Linux (2.0.31 kernel). On the O2 exists the client and on Linux the telnet daemon. I am sniffing the local network from the side of the O2 and pushing my data to the Linux. After the hijacking I switch to the console of the normal user (the owner of the telnet session) and throw keystrokes. After pushing some buttons the user sees at his/her display the data that the hijacker pushed and is ready to continue his/her session with no problem at all...

tcpdump: listening on ec0
O2.4968 > linux.telnet: P 642880162:642880163(1) ack 3094036674 win 61320 (DF)
linux.telnet > O2.4968: P 1:2(1) ack 1 win 32736 (DF)
O2.4968 > linux.telnet: . ack 2 win 61320 (DF)
O2.4968 > linux.telnet: P 1:2(1) ack 2 win 61320 (DF)
linux.telnet > O2.4968: P 2:3(1) ack 2 win 32736 (DF)
O2.4968 > linux.telnet: . ack 3 win 61320 (DF)
O2.4968 > linux.telnet: P 2:3(1) ack 3 win 61320 (DF)
linux.telnet > O2.4968: P 3:4(1) ack 3 win 32736 (DF)
O2.4968 > linux.telnet: . ack 4 win 61320 (DF)
O2.4968 > linux.telnet: P 3:4(1) ack 4 win 61320 (DF)
linux.telnet > O2.4968: P 4:5(1) ack 4 win 32736 (DF)
START-OF-HIJACKING
O2.4968 > linux.telnet: P 4:14(10) ack 4 win 8759
O2.4968 > linux.telnet: P 14:51(37) ack 4 win 8759
END-OF-HIJACKING
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
ACK-STORM-IN-PROGRESS
O2.4968 > linux.telnet: P 4:5(1) ack 5 win 61320 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
ACK-STORM-IN-PROGRESS
linux.telnet > O2.4968: P 4:5(1) ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
ACK-STORM-IN-PROGRESS
O2.4968 > linux.telnet: P 5:6(1) ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
ACK-STORM-IN-PROGRESS
linux.telnet > O2.4968: P 4:5(1) ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 112 win 61320 (DF)
                              ^ what is this????
O2.4968 > linux.telnet: P 51:53(2) ack 112 win 61320 (DF)
                                   ^ And this???
linux.telnet > O2.4968: P 112:116(4) ack 53 win 32736 (DF)
O2.4968 > linux.telnet: . ack 116 win 61320 (DF)
linux.telnet > O2.4968: P 116:125(9) ack 53 win 32736 (DF)
O2.4968 > linux.telnet: . ack 125 win 61320 (DF)

The session is no longer hijacked and the user that telneted to the Linux is now ready to send his/her commands as if nothing happened. I do not have the Irix 6.3 source code so I can't say where the problem exactly is. The sure thing is that this poses a great security risk. All that is needed is a few lines of code and imagination.

-->tesd or tesdx0r it makes no difference
-->The reason is always the priority.
-->http://www.hack.gr/users/tesd.
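As an added example (not part of TeSd's post), a small Python parser for the old-style tcpdump lines quoted above that flags the two things a defender can see on the wire here: the ACK storm (runs of payload-less ACKs in which each side only repeats its previous ack number) and segments whose window/DF profile differs from what that host normally sends. The sample lines are copied from the post; the `min_run` threshold is an assumption.

```python
import re
from collections import Counter

# Old-style tcpdump line as quoted in the post, e.g. "O2.4968 > linux.telnet: P 4:14(10) ack 4 win 8759".
LINE = re.compile(r"^(?P<src>\S+) > (?P<dst>\S+): (?P<flags>\S+)"
                  r"(?: \d+:\d+\((?P<len>\d+)\))? ack (?P<ack>\d+)"
                  r" win (?P<win>\d+)(?P<df> \(DF\))?$")

# Constructed sample: the segments around START-OF-HIJACKING in the post.
SAMPLE = """\
O2.4968 > linux.telnet: P 3:4(1) ack 4 win 61320 (DF)
linux.telnet > O2.4968: P 4:5(1) ack 4 win 32736 (DF)
O2.4968 > linux.telnet: P 4:14(10) ack 4 win 8759
O2.4968 > linux.telnet: P 14:51(37) ack 4 win 8759
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 5 win 61320 (DF)
linux.telnet > O2.4968: . ack 51 win 32736 (DF)
O2.4968 > linux.telnet: . ack 112 win 61320 (DF)
"""

def parse(line):
    """One tcpdump line -> dict; None for non-packet lines such as the markers."""
    m = LINE.match(line.strip())
    return m and {"src": m["src"], "flags": m["flags"], "len": int(m["len"] or 0),
                  "ack": int(m["ack"]), "win": int(m["win"]), "df": m["df"] is not None}

def ack_storm_runs(packets, min_run=3):
    """Runs (start, length) of consecutive payload-less ACKs where each sender
    only repeats its previous ack number: the storm of a desynchronised session."""
    runs, start, last_ack = [], None, {}
    for i, p in enumerate(packets):
        stuck = p["flags"] == "." and p["len"] == 0 and last_ack.get(p["src"]) == p["ack"]
        last_ack[p["src"]] = p["ack"]
        if stuck:
            start = i if start is None else start
        else:
            if start is not None and i - start >= min_run:
                runs.append((start, i - start))
            start = None
    if start is not None and len(packets) - start >= min_run:
        runs.append((start, len(packets) - start))
    return runs

def profile_anomalies(packets):
    """Indices of segments whose (win, DF) differ from their source's usual profile."""
    usual = {src: Counter((p["win"], p["df"]) for p in packets if p["src"] == src).most_common(1)[0][0]
             for src in {p["src"] for p in packets}}
    return [i for i, p in enumerate(packets) if (p["win"], p["df"]) != usual[p["src"]]]
```

On the sample, the storm run starts at the second "ack 51"/"ack 5" pair and the two spoofed segments (win 8759, no DF) are the only O2 packets that break the real stack's win 61320 + DF profile.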