On Wed, Mar 15, 2006 at 10:26:00AM +0100, Marco Ivaldi wrote:
[..]
Not sure I fully understand your comments... Anyway, here's a host
showing the flawed behaviour (Gentoo Linux 2.6.14-gentoo-r5 + grsec):
Well, it may be related to GR security.
SinFP[1] exploits a difference in IP ID generat
On Fri, 17 Mar 2006, Marco Ivaldi wrote:
> After further testing, I confirm that Linux 2.6 seems to be vulnerable in
> every configuration I've seen so far. Since I didn't get any feedback
> yet from the Linux kernel developers nor from Cisco (other vendors may
> also be affected) I've the feeling
> Hi Marco!
Hey Andrea,
> - [PIRELLI HOME ACCESS GATEWAY]
Based on your tests, this device shows the standard incremental IP ID
behaviour: so, nothing special here.
> - [MY BOX WITH 2.6.15.6 #1 i686 pentium4 GNU/Linux (vanilla)]
[snip]
> (closed port + S flag)
> [EMAIL PROTECTED]:~$ cat hpin
At 10:33, Tuesday 14 March 2006, Marco Ivaldi wrote:
> I've recently stumbled upon an interesting behaviour of some Linux kernels
> that may be exploited by a remote attacker to abuse the ID field of IP
> packets, effectively bypassing the zero IP ID in DF packets countermeasure
> implemen
I've received a couple of off-list replies. See my comments in-line.
On Tue, 14 Mar 2006, Martin Mačok wrote:
Have you verified that the sequence is global and not only per peer? The
latter would mean that "vuln" can't be used as a middle-man for IDLE
scanning...
Yeah, of course I've verifie
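The check Martin asks about above (is the IP ID counter global, or kept per peer?) and the idle-scan inference that depends on the answer, as an added Python example; this is not code from the thread, from SinFP or from any other tool mentioned here. The "zombie" is a toy model of the two counter designs, the probe sequences are constructed, and the classification thresholds (a step of at most 10 for "incremental", under 20000 for "random-positive") are assumptions modelled on common scanner heuristics, not values taken from the thread.

```python
"""IP ID counter analysis for idle-scan zombie selection (added example, constructed data)."""
from typing import Dict, List, Sequence

ID_MOD = 0x10000  # the IP ID field is 16 bits, so deltas wrap modulo 2**16


def ipid_deltas(ids: Sequence[int]) -> List[int]:
    """Differences between consecutive IP IDs, with 16-bit wraparound."""
    return [(b - a) % ID_MOD for a, b in zip(ids, ids[1:])]


def byte_swap16(value: int) -> int:
    """Swap the two bytes of a 16-bit value (some stacks emit the counter little-endian)."""
    return ((value & 0xFF) << 8) | (value >> 8)


def classify_ipid_sequence(ids: Sequence[int], max_step: int = 10,
                           max_random_positive: int = 20000) -> str:
    """Classify IP IDs seen in replies to a single probing host.

    Thresholds are assumptions modelled on common scanner heuristics.
    'zero' is the DF-packet countermeasure discussed in the thread;
    'incremental' (every step in 1..max_step) is what an idle scan needs.
    """
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    deltas = ipid_deltas(ids)
    if all(d == 0 for d in deltas):
        return "constant"
    if all(1 <= d <= max_step for d in deltas):
        return "incremental"
    if all(1 <= d <= max_step for d in ipid_deltas([byte_swap16(i) for i in ids])):
        return "broken-incremental"
    if all(0 < d < max_random_positive for d in deltas):
        return "random-positive"
    return "random"


class Zombie:
    """Toy model of a host's IP ID generator: one global counter, or one per peer."""

    def __init__(self, global_counter: bool, start: int = 1000) -> None:
        self.global_counter = global_counter
        self.counter = start
        self.per_peer: Dict[str, int] = {}

    def reply(self, peer: str) -> int:
        """Return the IP ID the host puts in its next packet to `peer`."""
        if self.global_counter:
            self.counter = (self.counter + 1) % ID_MOD
            return self.counter
        self.per_peer[peer] = (self.per_peer.get(peer, self.counter) + 1) % ID_MOD
        return self.per_peer[peer]


def counter_is_global(zombie: Zombie, peer_packets: int = 5) -> bool:
    """Martin's check: probe from one vantage point, have another peer elicit
    replies in between, probe again. A global counter advances by more than
    our own single step; a per-peer counter does not."""
    before = zombie.reply("observer")
    for _ in range(peer_packets):
        zombie.reply("other-peer")
    after = zombie.reply("observer")
    return (after - before) % ID_MOD > 1


def idle_scan_port(zombie: Zombie, target_port_open: bool) -> str:
    """One idle-scan probe: attacker samples the zombie's ID, sends a spoofed SYN
    to the target with the zombie's source address, then samples again.
    An open port answers SYN/ACK to the zombie, which replies RST (one extra ID);
    a closed port answers RST, which the zombie drops silently."""
    before = zombie.reply("attacker")
    if target_port_open:
        zombie.reply("target")  # the zombie's RST to the target consumes an ID
    after = zombie.reply("attacker")
    delta = (after - before) % ID_MOD
    if delta == 2:
        return "open"
    if delta == 1:
        return "closed|filtered"
    return "unusable"  # other traffic interfered; a noisy zombie


if __name__ == "__main__":
    # Constructed probe responses, not captures from any real host.
    for sample in ([0, 0, 0, 0], [1000, 1001, 1002, 1003], [2560, 2816, 3072, 3328],
                   [100, 5000, 9000, 12000], [53219, 1234, 60000, 7]):
        print(sample, "->", classify_ipid_sequence(sample))
    for design in (True, False):
        z = Zombie(global_counter=design)
        print("global" if design else "per-peer", "counter: is_global =",
              counter_is_global(z), "open port reads as", idle_scan_port(z, True))
```

With the per-peer design the open port reads as "closed|filtered", which is exactly why Martin's question matters: only a host whose counter is shared across all peers can act as the middle-man for an idle scan.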
Hello Bugtraq,
I've recently stumbled upon an interesting behaviour of some Linux kernels
that may be exploited by a remote attacker to abuse the ID field of IP
packets, effectively bypassing the zero IP ID in DF packets countermeasure
implemented since 2.4.8 (IIRC).
This is the correct behaviour