Security #4569
Updated by Victor Julien about 2 years ago
Reported by Fratso: Frédéric Autissier:

> It is possible to bypass/evade TCP-based signatures on some Linux servers.
>
> For that, you have to send a FIN-SYN-ACK after a 3WHS and a fake SYN with a bad sequence number after the server's ACK answer, which allows the attacker to desynchronize the NIDS and send/receive known signatures without being detected.
>
> For this attack, the attacker must control the TCP/IP stack of a client.
>
> Here's an example:
>
> <pre>
> Client === Legit TCP handshake === Server
> Client -> [FIN-SYN-ACK] [Seq=1 Ack=2]           -> Server   # injected (FSA)
> Client <- [ACK]         [Seq=2 Ack=1]           <- Server   # legit
> Client -> [SYN]         [Seq=1234]              -> Server   # injected (bad seq)
> Client -> [PSH-ACK]     [Seq=1 Ack=2] SIGNATURE -> Server   # undetected
> Client <- [ACK]         [Seq=x Ack=y]           <- Server   # legit
> Client <- [PSH-ACK]     [Seq=x Ack=y] SIGNATURE <- Server   # undetected
> </pre>
>
> This evasion has been tested against the following servers on the following OS:
>
> | Web server | Tested version | OS           | Vulnerable? |
> |------------|----------------|--------------|-------------|
> | Nginx      | 1.21.1         | Ubuntu 20.04 | Yes         |
> | Nginx      | 1.21.1         | Windows 10   | No          |
> | Apache     | 2.4.41         | Ubuntu 20.04 | No          |
> | Apache     | 2.4.41         | Windows 10   | No          |
> | Django     | 3.1.5          | Ubuntu 20.04 | Yes         |
> | Django     | 3.1.5          | Windows 10   | No          |
> | Gunicorn   | 20.0.4         | Ubuntu 20.04 | Yes         |
> | Gunicorn   | 20.0.4         | Windows 10   | No          |
> | Python3    | 3.8.5          | Ubuntu 20.04 | Yes         |
> | Python3    | 3.8.5          | Windows 10   | No          |
>
> Apparently, this evasion does not work against Windows 10 and Apache2. However, it does work on some other servers running on Linux only.
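The following flow tracker shows how a stream reassembler that does not desynchronize on this exchange behaves: it flags the SYN+FIN packet and the mid-stream SYN, keeps the flow established, and therefore still matches content in the later PSH-ACK segments. It is an added illustration, not Suricata's code and not part of the report; the packet list is constructed from the report's diagram (relative sequence numbers, both ISNs chosen as 0) and `PATTERN` stands in for any content rule.

```python
from dataclasses import dataclass

@dataclass
class Pkt:
    src: str            # "client" or "server"
    flags: str          # TCP flag letters: S=SYN, A=ACK, F=FIN, P=PSH
    seq: int
    ack: int
    payload: bytes = b""

PATTERN = b"SIGNATURE"  # constructed stand-in for a content rule's match string

def inspect_flow(packets):
    """Track one TCP flow and return (index, reason) alerts.

    A SYN+FIN packet is flagged and ignored, a SYN on an established flow is
    flagged unless it retransmits the original SYN, and neither one resets
    the flow state, so payload inspection continues on later segments.
    """
    alerts = []
    isn = {}                # initial sequence number per direction
    established = False
    for i, p in enumerate(packets):
        f = set(p.flags)
        if {"S", "F"} <= f:
            alerts.append((i, "SYN+FIN flag combination"))
            continue                        # illegal combination: do not apply it
        if "S" in f:
            if not established:
                isn[p.src] = p.seq          # handshake SYN / SYN-ACK
            elif p.seq != isn.get(p.src):   # a retransmitted SYN reuses the ISN
                alerts.append((i, f"mid-stream SYN with unexpected seq {p.seq}"))
            continue                        # never resynchronise on a mid-stream SYN
        if not established and len(isn) == 2 and "A" in f:
            established = True              # third packet of the 3WHS
        if established and PATTERN in p.payload:
            alerts.append((i, f"content match from {p.src}"))
    return alerts

# Constructed replay of the exchange in the report, not a capture from the test.
SAMPLE = [
    Pkt("client", "S", 0, 0),
    Pkt("server", "SA", 0, 1),
    Pkt("client", "A", 1, 1),
    Pkt("client", "FSA", 1, 1),                     # injected FIN-SYN-ACK
    Pkt("server", "A", 1, 2),                       # legit ACK
    Pkt("client", "S", 1234, 0),                    # injected SYN with bad seq
    Pkt("client", "PA", 1, 1, b"GET /SIGNATURE"),   # must still be inspected
    Pkt("server", "A", 1, 15),
    Pkt("server", "PA", 1, 15, b"SIGNATURE"),       # must still be inspected
]

if __name__ == "__main__":
    for idx, why in inspect_flow(SAMPLE):
        print(idx, why)
```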