Bug #3286
TCP evasion technique by faking a closed TCP session

Added by Nicolas Adba about 5 years ago. Updated about 5 years ago.

Status: Closed
Priority: Normal
Assignee:
Target version:
Affected Versions:
Effort:
Difficulty:
Label:

Description

It is possible to bypass/evade any TCP-based signature by faking a closed TCP session using an evil server.
After the TCP SYN packet, it's possible to inject an RST/ACK and a FIN/ACK packet with an old TCP Timestamp option.
The client will ignore the RST/ACK and the FIN/ACK packets because of the old TCP Timestamp option.
Both Linux and Windows clients ignore the injected packets.

Client    ->  [SYN] [Seq=0 Ack=0]                                     ->  Evil Server     # Legit TCP handshake
Client    <-  [RST, ACK] [Seq=0 Ack=1] [old TCP Timestamp option]     <-  Evil Server     # Injected packet
Client    <-  [FIN, ACK] [Seq=0 Ack=1] [old TCP Timestamp option]     <-  Evil Server     # Injected packet
Client    <-  [SYN, ACK] [Seq=0 Ack=1]                                <-  Evil Server     # Legit TCP handshake
Client    <-  [ACK] [Seq=1 Ack=1]                                     <-  Evil Server     # Legit TCP handshake
Client    ===============  Data evasion        =================          Evil Server

This evasion technique is referenced as CVE-2019-18625.

You can find attached:
- test.rule : A TCP rule that detects the string THIS_IS_A_TEST
- without_evasion.pcap : A web server which sends the string THIS_IS_A_TEST to a client without any evasion technique
- with_evasion_windows.pcap : A web server which sends the string THIS_IS_A_TEST to a Windows 10 client with this evasion technique
- with_evasion_linux.pcap : A web server which sends the string THIS_IS_A_TEST to a Linux client (kernel 5.2.0) with this evasion technique
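The exchange above, modelled as an added example that is not part of the report, of the attached pcaps, or of Suricata's code. It plays the segments from the diagram through two things side by side: a simplified client that, like the Linux and Windows hosts in the report, drops a segment whose echoed timestamp (TSecr) is not one it recently sent, and a passive stream tracker in the IDS position that either applies the same check or trusts any RST whose acknowledgement number fits. The timestamp rule (`echo_is_fresh`), the stale echo value 5, the client timestamp 1000 and the "closed means nothing further is inspected" tracker behaviour are assumptions of the model, chosen to make the divergence visible; real stacks validate timestamps in their own, more detailed ways.

```python
"""Added model of the Bug #3286 exchange: between the client's SYN and the
real SYN/ACK the server injects an RST/ACK and a FIN/ACK whose timestamp
option echoes a stale value.  A client that validates the echo drops them; a
stream tracker that does not believes the session is closed and stops
inspecting it.  Standard library only; this is not Suricata code and the
timestamp rule below is a deliberate simplification."""
from dataclasses import dataclass
from typing import Dict, List, Optional

PAYLOAD = b"THIS_IS_A_TEST"  # the string the attached test.rule matches on


@dataclass
class Segment:
    src: str                     # "client" or "server"
    flags: str                   # subset of "SAFRP"
    seq: int
    ack: int
    tsval: Optional[int] = None  # TSopt TSval
    tsecr: Optional[int] = None  # TSopt TSecr: echo of the peer's TSval
    payload: bytes = b""


def echo_is_fresh(tsecr: Optional[int], peer_sent: List[int]) -> bool:
    """Assumed check: an echoed timestamp must lie within the range of
    timestamps the peer actually sent.  Segments without TSopt are not checked."""
    if tsecr is None:
        return True
    return bool(peer_sent) and min(peer_sent) <= tsecr <= max(peer_sent)


class Client:
    """Minimal active-open endpoint: CLOSED -> SYN_SENT -> ESTABLISHED."""

    def __init__(self, validate_timestamps: bool = True, iss: int = 0, tsval: int = 1000):
        self.validate_timestamps = validate_timestamps
        self.state, self.snd_nxt, self.rcv_nxt = "CLOSED", iss, 0
        self.tsval, self.sent_tsvals, self.received = tsval, [], b""

    def syn(self) -> Segment:
        self.state, self.snd_nxt = "SYN_SENT", self.snd_nxt + 1
        self.sent_tsvals.append(self.tsval)
        return Segment("client", "S", self.snd_nxt - 1, 0, tsval=self.tsval)

    def receive(self, seg: Segment) -> str:
        # RFC 793: an ACK that does not cover our SYN is unacceptable.  The
        # injected segments are crafted to pass this test (Ack=1 in the report).
        if "A" in seg.flags and seg.ack != self.snd_nxt:
            return "dropped: bad ack"
        if self.validate_timestamps and not echo_is_fresh(seg.tsecr, self.sent_tsvals):
            return "dropped: stale timestamp echo"
        if "R" in seg.flags:
            self.state = "CLOSED"
            return "reset"
        if self.state == "SYN_SENT" and "S" in seg.flags:
            self.state, self.rcv_nxt = "ESTABLISHED", seg.seq + 1
            return "established"
        if self.state == "ESTABLISHED" and seg.seq == self.rcv_nxt:
            self.received += seg.payload
            self.rcv_nxt += len(seg.payload)
            return "data"
        return "dropped: unexpected in " + self.state


class StreamTracker:
    """Passive tracker in the IDS position.  With validate_timestamps=False it
    accepts any RST whose ack number fits, which is what the evasion relies on;
    once it considers the session closed it inspects nothing further (assumed)."""

    def __init__(self, validate_timestamps: bool):
        self.validate_timestamps = validate_timestamps
        self.state, self.client_nxt, self.inspected = "NONE", 0, b""
        self.client_tsvals: List[int] = []

    def observe(self, seg: Segment) -> str:
        if seg.src == "client":
            if seg.tsval is not None:
                self.client_tsvals.append(seg.tsval)
            if "S" in seg.flags and self.state == "NONE":
                self.state, self.client_nxt = "SYN_SENT", seg.seq + 1
            return "tracked"
        if self.state == "CLOSED":
            return "not inspected: session closed"
        if "A" in seg.flags and seg.ack != self.client_nxt:
            return "dropped: bad ack"
        if self.validate_timestamps and not echo_is_fresh(seg.tsecr, self.client_tsvals):
            return "dropped: stale timestamp echo"
        if "R" in seg.flags:
            self.state = "CLOSED"
            return "session closed"
        if self.state == "SYN_SENT" and "S" in seg.flags:
            self.state = "ESTABLISHED"
            return "established"
        if self.state == "ESTABLISHED":
            self.inspected += seg.payload
            return "inspected"
        return "dropped: unexpected in " + self.state


def server_segments(evasion: bool, syn: Segment) -> List[Segment]:
    """Server side of the diagram.  The stale echo value 5 is constructed; the
    attached pcaps carry whatever old value the evil server actually used."""
    ack, fresh = syn.seq + 1, syn.tsval
    segs = []
    if evasion:
        segs += [Segment("server", "RA", 0, ack, tsval=1, tsecr=5),
                 Segment("server", "FA", 0, ack, tsval=1, tsecr=5)]
    segs += [Segment("server", "SA", 0, ack, tsval=1, tsecr=fresh),
             Segment("server", "PA", 1, ack, tsval=2, tsecr=fresh, payload=PAYLOAD)]
    return segs


def run_exchange(evasion: bool, ids_validates: bool, client_validates: bool = True) -> Dict[str, object]:
    """Drive the exchange and report what the client got versus what the IDS saw."""
    client, ids = Client(client_validates), StreamTracker(ids_validates)
    syn = client.syn()
    ids.observe(syn)
    for seg in server_segments(evasion, syn):
        ids.observe(seg)
        if client.receive(seg) == "established":
            # the handshake's third segment goes client -> server
            ack = Segment("client", "A", client.snd_nxt, client.rcv_nxt,
                          tsval=client.tsval + 1, tsecr=seg.tsval)
            client.sent_tsvals.append(ack.tsval)
            ids.observe(ack)
    return {"client_received": client.received,
            "ids_inspected": ids.inspected,
            "alert": PAYLOAD in ids.inspected,
            "evaded": PAYLOAD in client.received and PAYLOAD not in ids.inspected}


if __name__ == "__main__":
    for evasion, ids_validates in [(False, False), (True, False), (True, True)]:
        r = run_exchange(evasion, ids_validates)
        print(f"evasion={evasion} ids_validates_ts={ids_validates} "
              f"alert={r['alert']} evaded={r['evaded']}")
```

Two things the model makes explicit. The injected RST/ACK passes the acknowledgement-number check at both the client and the tracker, so sequence validation alone is not what protects the client; only the timestamp check separates the forged close from a real one, and a tracker that skips it diverges from the host it is supposed to mirror. Conversely, running the exchange with `client_validates=False` shows why the stale timestamp is essential to the attacker: a client that honoured the RST would simply lose the connection, and there would be nothing to evade.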


Files

test.rule (147 Bytes), Nicolas Adba, 10/29/2019 07:47 PM
with_evasion_windows.pcap (1.12 KB), Nicolas Adba, 10/29/2019 07:48 PM
with_evasion_linux.pcap (1.24 KB), Nicolas Adba, 10/29/2019 07:48 PM
without_evasion.pcap (1.01 KB), Nicolas Adba, 10/29/2019 07:48 PM

Related issues: 1 (0 open, 1 closed)

Copied to Suricata - Bug #3395: TCP evasion technique by faking a closed TCP session (4.1.x) (Closed, Victor Julien)
Actions #1

Updated by Victor Julien about 5 years ago

  • Private changed from No to Yes
Actions #2

Updated by Victor Julien about 5 years ago

  • Description updated (diff)
  • Status changed from New to Assigned
  • Assignee set to Victor Julien
  • Target version set to 5.0.1
  • Label Needs backport added
Actions #3

Updated by Victor Julien about 5 years ago

  • Priority changed from Normal to High
Actions #4

Updated by Victor Julien about 5 years ago

  • Copied to Bug #3395: TCP evasion technique by faking a closed TCP session (4.1.x) added
Actions #5

Updated by Victor Julien about 5 years ago

  • Status changed from Assigned to Closed
  • Priority changed from High to Normal
  • Private changed from Yes to No
  • Label deleted (Needs backport)