tricky, but you might be able to use it to inject data or hijack a session, but more inefficiently than using the TCP SEQ/ACK-exploits.
Predict the next IP-ID to be sent, send a packet with that ID (and spoofed source), TCP/UDP headers, etc., but set the fragment bit.
The receiving IP-stack should try to re-assemble the fragmented packet using the crafted packet as the first fragment, followed by the "real" packet from the client/server. Or indeed, send the crafted opening/closing fragments "around" the "real" packet. With any luck, the "real packet" will get dropped, and your crafted data will be accepted in its stead.
But it is clumsy, target-stack-dependent, and VERY timing-dependent.
C.
From: Carlos Eduardo Pinheiro [mailto:[EMAIL PROTECTED]]
Sent: Tuesday, March 11, 2003 11:06 AM
To: [EMAIL PROTECTED]
Subject: Re: ip id numbers
Hi Doug,
ID flag indicates which datagram fragments belong together so datagrams do not get mismatched and sequence numbers are used to reassemble data in the order in which it was sent.
Carlos Eduardo Pinheiro - [EMAIL PROTECTED] - ICQ #: 134439332
http://pgp.mit.edu:11371/pks/lookup?op=get&search=0xEC75A11D
2089 293E 6E35 72C2 BDED 06E5 58E7 E4FF EC75 A11D
----- Original Message -----
From: <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Monday, March 10, 2003 1:16 PM
Subject: ip id numbers
>
>
> Hi,
> I'm new to posting on this list although I'm a long-time lurker. I'm
> familiar with TCP sequence number exploits. Recently I've seen references
> to non-random IP ID numbers and how they can be exploited. Can anyone
> explain the difference between TCP sequence and IP ID numbers?
> Thanks,
> Doug Sax
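The two fields the thread contrasts live in different headers: the 16-bit Identification field (plus the MF flag and fragment offset) in the IPv4 header ties fragments of one datagram together, while the 32-bit sequence and acknowledgement numbers in the TCP header order the bytes of a stream. The script below is an added illustration written for this page, not code from any of the posters. It builds a constructed IPv4/TCP packet (addresses 10.0.0.1 and 10.0.0.2 are made up), parses both headers back out so the fields can be compared side by side, and includes a small audit helper that classifies a run of IP IDs observed from one host as sequential, sequential-by-256 or apparently random, which is the property that decides whether the fragment trick Carlos and "C." describe is even feasible against that host. The classification thresholds are a simple heuristic of my own, not a standard.

```python
import struct

def _checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over 16-bit big-endian words."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_ipv4(ident: int, mf: bool, frag_offset: int, payload: bytes, proto: int = 6) -> bytes:
    """Constructed IPv4 packet 10.0.0.1 -> 10.0.0.2 with the given ID and fragment fields."""
    if frag_offset % 8:
        raise ValueError("fragment offset must be a multiple of 8 bytes")
    flags_frag = (0x2000 if mf else 0) | (frag_offset // 8)   # bit 13 = MF, low 13 bits = offset/8
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ident, flags_frag,
                      64, proto, 0, bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    hdr = hdr[:10] + struct.pack("!H", _checksum(hdr)) + hdr[12:]   # fill header checksum
    return hdr + payload

def build_tcp(seq: int, ack: int, payload: bytes, sport: int = 40000, dport: int = 80) -> bytes:
    """Constructed 20-byte TCP header (PSH+ACK, no options; TCP checksum left zero for brevity)."""
    off_flags = (5 << 12) | 0x018          # data offset = 5 words, flags PSH|ACK
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, 0) + payload

def parse_ipv4(pkt: bytes) -> dict:
    """Extract the IPv4 fields that matter for fragmentation: ID, DF, MF, offset."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, ident, flags_frag, _ttl, proto, _csum, _src, _dst = \
        struct.unpack("!BBHHHBBH4s4s", pkt[:20])
    ihl = (ver_ihl & 0x0F) * 4
    return {
        "id": ident,
        "df": bool(flags_frag & 0x4000),
        "mf": bool(flags_frag & 0x2000),
        "frag_offset": (flags_frag & 0x1FFF) * 8,
        "proto": proto,
        "checksum_ok": _checksum(pkt[:ihl]) == 0,   # a valid header sums to zero
        "payload": pkt[ihl:total_len],
    }

def parse_tcp(seg: bytes) -> dict:
    """Extract the TCP fields that order the byte stream: seq, ack, and the data."""
    if len(seg) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags = struct.unpack("!HHIIH", seg[:14])
    doff = (off_flags >> 12) * 4
    return {"sport": sport, "dport": dport, "seq": seq, "ack": ack, "payload": seg[doff:]}

def classify_ip_ids(ids) -> str:
    """Heuristic audit of IP IDs seen from one host: 'zero', 'incremental',
    'incremental-by-256' (byte-swapped counter) or 'random'."""
    ids = list(ids)
    if len(ids) < 3:
        raise ValueError("need at least three samples")
    if all(i == 0 for i in ids):
        return "zero"
    diffs = {(b - a) % 0x10000 for a, b in zip(ids, ids[1:])}   # wrap at 16 bits
    if diffs == {1}:
        return "incremental"
    if diffs == {256}:
        return "incremental-by-256"
    return "random"

if __name__ == "__main__":
    pkt = build_ipv4(0x1234, mf=False, frag_offset=0,
                     payload=build_tcp(seq=1000, ack=2000, payload=b"GET / "))
    ip, tcp = parse_ipv4(pkt), parse_tcp(parse_ipv4(pkt)["payload"])
    print("IP ID=%#06x MF=%s offset=%d | TCP seq=%d ack=%d"
          % (ip["id"], ip["mf"], ip["frag_offset"], tcp["seq"], tcp["ack"]))
    print("observed IDs 1,2,3,4 ->", classify_ip_ids([1, 2, 3, 4]))
```

The point the parser makes visible is that the IP ID never participates in TCP's ordering: a reassembler matches fragments on (source, destination, protocol, ID) and nothing else, so a host whose IDs follow a fixed step exposes the only value an outsider cannot otherwise see. Running `classify_ip_ids` over IDs sampled from your own hosts (from a capture, not from probing others) tells you which of them still use a global counter and should get per-destination or randomised ID generation, or simply DF set so no fragments are ever expected.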
