COMMAND

    TCP/IP

SYSTEMS AFFECTED

    munices

PROBLEM

    LigerTeam  posted  following  (it's  nothing  new).   It  could be
    serious  problem  of  security  in  the  programming  related with
    tcp/ip.  In  fact, TCP header  is 6 kinds  of tcp flag  (SYN, ACK,
    PSH, RST, FIN, URG).

    Problem  is  the  flag  value  in  TCP  header approaches to 1byte
    variable of u_char  type.  For  example see see  tcp.h file.   The
    flag value Each one correspond to 1 bit, but it have unused 2 bit.

        |unused|unused|URG|ACK|PSH|RST|SYN|FIN|

    Understanding of the very problem is simple.  Let's compare the
    two codes.  ex) SYN Scan detecter program several code type:

        i) if ( flag == TH_SYN )
       ii) if ( flag & TH_SYN )

        (TH_SYN->SYN flag)

    The i) code is true, only when the  syn flag bit is set at 1.   So
    the flag value is 0x2, and |0|0|0|0|0|0|1|0| in bit.

    The next  ii) code  is true,  only when  SYN flag  bit, the TH_SYN
    value  in  flags,  is  set  at  1,  and the other bit state is not
    influential.

    Eventually, we can easily know a very important thing.  If hackers
    use the two higher  bit(unused bit) one or  all, to set at  1, ii)
    code type has false value, but i) code type last true value... and
    hackers avoid scan detecter.

    When the highest bit is  set at 1, so syn  flag bit is 1, and  the
    flag variable is |1|0|0|0|0|0|1| = 130.

    But this cause mismatching with TH_SYN value by the rule of tcp/ip
    code, and if sentence has false value.  More over, as tcp/ip  code
    has the type of bit computing  system, it accept the flags of  syn
    flag bit, only one, still set at 1.

SOLUTION

    LigerTeam, strongly propose inserting of solution code before  the
    computing of flag variable.

        flag = flags & 0x3f;

    The more  robust fix  is to  systematically test  for TCP flags by
    masking to the value being tested.  For example:

        #define TEST_FLAGS(flags, mask) (((flags) & (mask)) == (mask))

    Otherwise you are still vulnerable to attackers setting legitimate
    flags in bogus combinations, such as adding URG to a SYN.

    This is however  a known issue;  it's in the  category of "invalid
    TCP flags  scanning".   In fact,  the two  unused bits  in the TCP
    flags byte can be used  for TCP fingerprinting as the  response to
    such TCP packets is not specified in RFC 793 and therefore depends
    on  the  TCP/IP  implementation  being  used.  In  addition to TCP
    fingerprinting, TCP packets with certain invalid (i.e. not covered
    by  RFC  793)  flag  combinations  not  including the SYN flag can
    be used to determine which  ports are open on the  target machine.
    This leads  one to  the conclusion  that focussing  on TCP packets
    with  the  SYN  flag  set  is  completely  insufficient  for  scan
    detection.  Any decent scan detector must, among other things, pay
    explicit attention to  those 2 unused  bits in the  TCP flags byte
    anyway.

    Those  2  unused  bit  are  exactly  those QueSO uses to detect an
    Operating System,  since there's  no specified  response to  a TCP
    packet with those bit on, it  depends on the kind of tcp/ip  stack
    the OS uses. More information on

        http://apostols.org/projectz/queso/