Re: unused bit attack alert

[vision () WHITEHATS COM (Max Vision)]

At 05:15 PM 2/22/2000 -0500, Mullen, Patrick wrote:
> > From the Snort Portscan module
> (http://www.clark.net/~roesch/security.html)
>
> spp_portscan.c:
>
>    /* Strip off the reserved bits for the testing, but flag
>       that a scan is being done.
>    */
>    th_flags_cleaned = th_flags & ~(R_RES1 | R_RES2);
>
>    if(th_flags != th_flags_cleaned)
>    {
>       scan = sRESERVEDBITS;
>    }

You might want to strip R_URG as well, since per RFC 793 you can set the
URG flag on packets with minimal effect to state.

For example, I can perform a SYN+URG scan just as well as a SYN scan.  I'm
sure several portscan detectors can be fooled with this per the explanation
seen earlier on Bugtraq.

tcpdump of my example SYN+URG scan:

me.23 > him.www: S 1087172887:1087172887(0) win 512 urg 0 [tos 0x10]
him.www > me.23: S 239306172:239306172(0) ack 1087172888 win 16384 <mss 512>
me.23 > him.www: R 1087172888:1087172888(0) win 0 [tos 0x10]

or the more illustrative view with snort:

02/23-04:41:33.193468 me:23 -> him:80
TCP TTL:64 TOS:0x10 ID:1396
**S****U Seq: 0x7FC28B3A   Ack: 0x0   Win: 0x200

02/23-04:41:33.487261 him:80 -> me:23
TCP TTL:54 TOS:0x0 ID:64782
**S***A* Seq: 0xF1D8AD3   Ack: 0x7FC28B3B   Win: 0x4000
TCP Options => MSS: 512
00 00                                            ..

An interesting IDS testing tool might be to write a fragrouter-like tcp
proxy that would set the URG bit on each packet.  I'm speculating that this
would result in a valid exchange that would subvert certain common IDS.

Max

--
Max Vision Network Security        <vision () whitehats com>
Network Security Assessment         http://maxvision.net/
100% Success Rate : Penetration Testing & Risk Mitigation
Free Visibility Analysis and Price Quote for Your Network