Project

General

Profile

Actions

Security #4569

closed

tcp: crafted injected packets cause desync after 3whs

Added by Victor Julien over 3 years ago. Updated about 2 years ago.

Status:
Closed
Priority:
Normal
Target version:
Affected Versions:
Label:
Needs backport to 5.0, Needs backport to 6.0
Git IDs:

6cb6225b28c5d8e616a420b7d05b129ba2845dc0

Severity:
HIGH
Disclosure Date:

Description

Reported by Fratso:

It is possible to bypass/evade tcp based signature on some Linux servers.

For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer which allow the attacker to desynchronize the NIDS and send/receive known signatures without being detected.

For this attack, the attacker must control the TCP/IP stack of a client.

Here's an example:

Client === Legit TCP handshake === Server
Client -> [FIN-SYN-ACK] [Seq=1 Ack=2] -> Server # injected (FSA)
Client <- [ACK] [Seq=2 Ack=1] <- Server # legit
Client -> [SYN] [Seq=1234] -> Server # injected (bad seq)
Client -> [PSH-ACK] [Seq=1 Ack=2] SIGNATURE -> Server # undetected
Client <- [ACK] [Seq=x Ack=y] <- Server # legit
Client <- [PSH-ACK] [Seq=x Ack=y] SIGNATURE <- Server # undetected

This evasion has been tested against the following servers on the folowing OS:

Web server Tested version OS Vulnerable?
------------ ---------------- -------------- -------------
Nginx 1.21.1 Ubuntu 20.04 Yes
Nginx 1.21.1 Windows 10 No
Apache 2.4.41 Ubuntu 20.04 No
Apache 2.4.41 Windows 10 No
Django 3.1.5 Ubuntu 20.04 Yes
Django 3.1.5 Windows 10 No
Gunicorn 20.0.4 Ubuntu 20.04 Yes
Gunicorn 20.0.4 Windows 10 No
Python3 3.8.5 Ubuntu 20.04 Yes
Python3 3.8.5 Windows 10 No

Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.


Related issues 2 (0 open2 closed)

Copied to Suricata - Security #4634: tcp: crafted injected packets cause desync after 3whsClosedShivani BhardwajActions
Copied to Suricata - Security #4635: tcp: crafted injected packets cause desync after 3whsClosedJeff LucovskyActions
Actions #1

Updated by Jeff Lucovsky about 3 years ago

  • Copied to Security #4634: tcp: crafted injected packets cause desync after 3whs added
Actions #2

Updated by Jeff Lucovsky about 3 years ago

  • Copied to Security #4635: tcp: crafted injected packets cause desync after 3whs added
Actions #3

Updated by Victor Julien about 3 years ago

  • Assignee changed from Victor Julien to Philippe Antoine
Actions #4

Updated by Philippe Antoine about 3 years ago

  • Status changed from Assigned to In Review
  • Affected Versions 6.0.3 added

Gitlab

I would like a review of my draft PR by some TCP superman

Actions #5

Updated by Victor Julien about 3 years ago

  • Severity set to HIGH
Actions #7

Updated by Victor Julien almost 3 years ago

  • Private changed from Yes to No
Actions #8

Updated by Victor Julien almost 3 years ago

  • Git IDs updated (diff)
Actions #9

Updated by Victor Julien almost 3 years ago

  • Description updated (diff)
Actions #10

Updated by Victor Julien about 2 years ago

  • Description updated (diff)
Actions

Also available in: Atom PDF