Bugtraq mailing list archives

Re: [EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)


From: jbuhler () CS WASHINGTON EDU (Jeremy Buhler)
Date: Tue, 28 Sep 1999 13:21:32 -0700


On Tue, 28 Sep 1999, Sebastian wrote:
A lot of people wrote to us and said that the typo where &secret[3] was
meant but &secret+3 was written within the kernel code was the cause for
this bug.

In our tests, however, we applied nothing but this one-line patch and we
still experienced small-difference ISNs (stealth tested this, but I
believe in his skills :-).

Right.  Andrea Arcangeli proposed this change on the kernel mailing list,
but it wasn't the patch that actually got applied in 2.3.13pre13.  This
is the patch which I believe is intended to fix the easily-guessable
sequence numbers:

--- linux.vanilla/net/ipv4/tcp_ipv4.c   Sat Aug 28 20:00:59 1999
+++ linux.13p13/net/ipv4/tcp_ipv4.c     Sun Sep 26 23:25:18 1999
@@ -525,7 +525,8 @@

 static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb)
 {
-       return secure_tcp_sequence_number(sk->saddr, sk->daddr,
+       return secure_tcp_sequence_number(skb->nh.iph->daddr,
+                                         skb->nh.iph->saddr,
                                           skb->h.th->dest,
                                           skb->h.th->source);
 }
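Review bot: the `sk` parameter of `tcp_v4_init_sequence` is no longer used in the body after this hunk, and the argument order deserves a comment: the old call passed (sk->saddr, sk->daddr), i.e. local then remote, while the new one passes (skb->nh.iph->daddr, skb->nh.iph->saddr), which for a received SYN is again local then remote, taken from the packet's IP header instead of the socket. A one-line comment stating that the addresses must come from the incoming SYN because the socket's own fields do not yet identify the peer (the thread's explanation of why the old code never mixed in the remote address) would make the intent clear, and either dropping `sk` or noting why it is kept would avoid an unused-parameter warning.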

If I understand correctly, the bug was that the sequence number initialization
erroneously didn't use the remote's IP address.

                                                         Jeremy

