COMMAND

    MiM simultaneous CLOSE attack

SYSTEMS AFFECTED

    most systems

PROBLEM

    Korhan Kaya found the following. A man-in-the-middle attacker can
    cause a network flood and denial of service by sending two TCP
    packets per connection. The vulnerability was tested against the
    following platforms, all of which are vulnerable:

        - Linux kern-v2.4.x
        - Microsoft Windows 2000 Server
        - Microsoft Windows 2000 Workstation
        - Microsoft Windows ME
        - Microsoft Windows 98

    An attacker can put an Ethernet interface into promiscuous mode and
    monitor network activity to collect the SEQ and ACK numbers of
    active TCP connections.

    The attacker can then trigger an ACK loop by sending a spoofed TCP
    packet with the ACK and FIN flags set to both the source host and
    the destination host of an active connection.

    The TCP stacks of the client and the server each conclude that the
    opposite side wants to close the connection, and both hosts
    immediately send ACK packets to complete the close sequence.

    This is the point at which the vulnerability is triggered.

    Figure A :

          TCP A                MIM           TCP B
          1.ESTABLISHED                      ESTABLISHED
          2..            <-- [CTL=ACK+FIN]
          3.                   [CTL=ACK+FIN] -->
          4.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
          5.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
          ..
          ..
        1500.CLOSE-WAIT   --> <CTL=ACK>     --> CLOSE-WAIT
        1501.CLOSE-WAIT   <-- <CTL=ACK>     <-- CLOSE-WAIT
          ..
          ..

    The result of this attack is a continuous loop of ACK packets
    between client and server. After transmitting many packets at
    maximum throughput, the target connection is lost. During this
    period the client software and the target service may lock up,
    freeze or crash.

    The number of transmitted packets and the amount of generated
    traffic depend on where the hosts are located. The attack is more
    effective against local connections, such as local NetBIOS/CIFS
    traffic.

    If an attacker applies the above scenario to an average network,
    every connection attempt from any host to any server will fail,
    the network transport is saturated in a short time, collision
    rates rise to extreme levels and the CPU load of computers
    connected to the network increases to as much as 90% due to the
    packet traffic.
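    The loop in Figure A has a simple on-the-wire signature: a burst of
    payload-free, ACK-only segments on one connection whose SEQ and ACK
    numbers never advance. The following Python detector is an added
    example, not part of the original advisory or its binary; it flags
    such flows in a list of packet records, and the record layout, the
    constructed sample packets, the addresses and the thresholds are
    all assumptions for illustration.

```python
from collections import defaultdict, namedtuple

# ts = capture time in seconds; flags = TCP flag letters ("A", "PA", "FA", ...)
Pkt = namedtuple("Pkt", "ts src sport dst dport flags seq ack payload_len")

def flow_key(p):
    # Fold both directions of a connection onto one key.
    a, b = (p.src, p.sport), (p.dst, p.dport)
    return (a, b) if a <= b else (b, a)

def detect_ack_storm(packets, window=1.0, threshold=100):
    """Return {flow: peak} for flows that carry `threshold` or more bare
    ACKs (no payload, no other flags) inside `window` seconds while their
    SEQ/ACK numbers stay frozen, which is the signature of the ACK loop."""
    per_flow = defaultdict(list)
    for p in packets:
        if p.flags == "A" and p.payload_len == 0:
            per_flow[flow_key(p)].append(p)
    flagged = {}
    for key, acks in per_flow.items():
        acks.sort(key=lambda p: p.ts)
        start, peak, best = 0, 0, (0, 0)
        for end, p in enumerate(acks):          # sliding time window
            while p.ts - acks[start].ts > window:
                start += 1
            if end - start + 1 > peak:
                peak, best = end - start + 1, (start, end)
        # Healthy traffic advances SEQ/ACK as data flows; a loop replays the
        # same pair in each direction, so at most two distinct pairs appear.
        frozen = {(p.seq, p.ack) for p in acks[best[0]:best[1] + 1]}
        if peak >= threshold and len(frozen) <= 2:
            flagged[key] = peak
    return flagged

def sample_capture():
    """Constructed packets (not a real capture): one healthy SMB flow whose
    ACK numbers advance, one NetBIOS flow stuck in the ACK loop."""
    pkts = []
    for i in range(10):
        pkts.append(Pkt(i * 0.05, "10.0.0.5", 49152, "10.0.0.10", 445, "PA", 1000 + 100 * i, 5000, 100))
        pkts.append(Pkt(i * 0.05 + 0.01, "10.0.0.10", 445, "10.0.0.5", 49152, "A", 5000, 1100 + 100 * i, 0))
    for i in range(150):
        t = 2.0 + i * 0.002
        pkts.append(Pkt(t, "10.0.0.7", 1030, "10.0.0.10", 139, "A", 7000, 9000, 0))
        pkts.append(Pkt(t + 0.001, "10.0.0.10", 139, "10.0.0.7", 1030, "A", 9000, 7000, 0))
    return pkts
```

    On the constructed capture only the NetBIOS flow is reported, with
    300 frozen ACKs in the peak window; tune `window` and `threshold`
    to the normal ACK rate of the segment being monitored.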

    The vulnerability can be reproduced with the attached Win32 binary.
    Download the zip file and follow the steps in readme.txt:

        http://195.244.37.241/mimsc.zip

SOLUTION

    Nothing yet.