LigerTeam Advisory

  "unused bit attack"

Our team discovered a problem that is simple in some
cases but can become a serious security problem in
programming that deals with TCP/IP.

The TCP header carries six kinds of TCP flag
(SYN, ACK, PSH, RST, FIN, URG).

The problem is that the flags field of the TCP header
is handled as a one-byte variable of type u_char.
ex) see the tcp.h file

Each flag corresponds to one bit,
but the byte has two unused bits.

|unused|unused|URG|ACK|PSH|RST|SYN|FIN|

Understanding the problem itself is simple.
Let's compare two pieces of code.
ex) two ways a SYN scan detector program might test the flags

i) if ( flag == TH_SYN )

ii) if ( flag & TH_SYN )

(TH_SYN is the SYN flag bit)

Code i) is true only when the SYN flag bit
alone is set to 1.

So the flags value must be exactly 0x2,
which is |0|0|0|0|0|0|1|0| in bits.

Code ii) is true whenever the SYN flag bit,
the TH_SYN value in flags, is set to 1;
the state of the other bits has no influence.

From this we can easily see a very
important thing.

If an attacker sets one or both of the two higher
(unused) bits to 1,
code type i) evaluates to false,
while code type ii) still evaluates to true,
and the attacker evades the scan detector.


When the highest bit is set to 1
together with the SYN flag bit, the flags
variable is
|1|0|0|0|0|0|1|0|   = 130

This no longer matches the TH_SYN value
expected by the TCP/IP code, and the if statement
evaluates to false.

Moreover, because the TCP/IP stack tests the flags
bit by bit, it still accepts the packet as a SYN:
among the defined flags, only the SYN bit is set.

Conclusion:

When the flags variable from the TCP header is compared
as a whole against a given value,
the two higher (unused) bits must first be cleared,
i.e. set to 0.

Solution:

LigerTeam strongly proposes inserting the following
line before the flags variable is evaluated:

  flag = flags & 0x3f;
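The following is an added example, not code from the LigerTeam advisory: it puts the i) exact comparison, the ii) bit test and the masked comparison side by side, and runs them over constructed flag bytes (0x02, 0x82 = 130, 0xc2, 0x12, 0x00) and a constructed 20-byte TCP header whose flags byte is 0x82. The TH_* values are those of tcp.h; the function names and the sample header are this example's own.

```c
#include <stdint.h>
#include <stdio.h>

/* TCP flag bits as defined in tcp.h. Bits 6 and 7 of the flags byte
 * are the two "unused" bits the advisory describes. */
#define TH_FIN  0x01
#define TH_SYN  0x02
#define TH_RST  0x04
#define TH_PUSH 0x08
#define TH_ACK  0x10
#define TH_URG  0x20
#define TH_FLAGMASK 0x3f          /* the advisory's fix: keep only the six flags */
#define TCP_FLAGS_OFFSET 13       /* flags byte of the TCP header, tcp[13] in BPF */

/* Pattern i): exact comparison. Any set unused bit defeats it. */
int syn_only_exact(uint8_t flags) { return flags == TH_SYN; }

/* Pattern ii): bit test. Unused bits do not matter, but SYN|ACK also passes. */
int syn_bit_set(uint8_t flags) { return (flags & TH_SYN) != 0; }

/* Hardened pattern i): clear the two unused bits, then compare exactly. */
int syn_only_masked(uint8_t flags) { return (flags & TH_FLAGMASK) == TH_SYN; }

/* Read the flags byte from a raw TCP header (the tcp[13] value). */
uint8_t tcp_flags(const uint8_t *tcp_hdr) { return tcp_hdr[TCP_FLAGS_OFFSET]; }

/* Constructed 20-byte TCP header (example data): src port 40000, dst port 80,
 * data offset 5 (no options), flags byte 0x82 = SYN plus the highest unused bit,
 * window 65535, checksum and urgent pointer left zero. */
static const uint8_t probe_hdr[20] = {
    0x9c, 0x40, 0x00, 0x50, 0, 0, 0, 0, 0, 0, 0, 0,
    0x50, 0x82, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00
};

int main(void) {
    /* 0x02 plain SYN, 0x82 SYN + bit 7 (130), 0xc2 SYN + both unused bits,
     * 0x12 SYN|ACK, 0x00 no flags */
    const uint8_t samples[] = { 0x02, 0x82, 0xc2, 0x12, 0x00 };
    printf("flags  exact  bit  masked\n");
    for (size_t i = 0; i < sizeof samples; i++)
        printf("0x%02x   %d      %d    %d\n", samples[i],
               syn_only_exact(samples[i]), syn_bit_set(samples[i]),
               syn_only_masked(samples[i]));
    printf("probe header flags 0x%02x: exact %d, masked %d\n",
           tcp_flags(probe_hdr), syn_only_exact(tcp_flags(probe_hdr)),
           syn_only_masked(tcp_flags(probe_hdr)));
    return 0;
}
```

Note that RFC 3168 (2001) later assigned these two bits to ECN (CWR and ECE), so a detector written today should treat them as defined flags rather than junk; the comparison must still not depend on them when the intent is to match a SYN.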

Weak program :

At the time of writing, the main technical papers on
the RTSD (Real Time Scan Detecter) distributed by
CERT-KR show a representative weak case.
They state that
a (pure) TCP SYN packet is captured when
the condition
tcp[13] == 2 (SYN)
holds. This is the very point.
We believe other SYN packet sensing
tools have fallen into a similar situation.
We have briefly tested several firewalls
that might contain this kind of problem
and, in our view, found
no problem in them.

Every TCP/IP related security program that uses
the code pattern i) above is weak,
e.g. if (flag == (TH_SYN | TH_ACK)) and the like.

PS: The IP header also has one unused bit; strictly
     speaking, it is not defined.



http://liger.fnetwork.com

Contact us: ligerteam@hotmail.com


-The Security LigerTeam 2000 Korea-