Need FreeBSD-SA-00:52(TCP uses weak initial sequence numbers) latest patch
    Kevin Day 
    toasty at dragondata.com
       
    Wed Jan 17 17:24:52 UTC 2018
    
    
  
I think the confusion here is that your test program below has a bug - your RST packet is invalid so it's not closing the socket on the other side.
If you look at how a normal RST is generated normally:
17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 472216886, win 0, length 0
Notice that the third packet (the RST packet) uses the sequence number that the SYN had plus 1. Your program is using the SYNACK packet's sequence number in the RST, which would look like this instead:
17:13:42.626365 IP src.26057 > dst.22: Flags [S], seq 472216885, win 65535, length 0
17:13:42.626504 IP dst.22 > src.26057: Flags [S.], seq 3592434473, ack 472216886, win 65535, length 0
17:13:42.626512 IP src.26057 > dst.22: Flags [R], seq 3592434473, win 0, length 0
The dst system is treating this as an invalid RST packet because the sequence number is incorrect and completely ignoring it, leaving the socket still half open. When you send the SYN2 packet with the same source and destination port, and the dst system still has the socket open, it's going to repeat the same SYNACK back to you.
If you change your program to send a RST with a sequence of the initial SYN plus 1, you'll actually reset the connection and see the behavior you're looking for. You're seeing the same ISN because your RST isn't closing the connection on the other side, so the dst system is still trying to open the original socket.
> On Jan 11, 2018, at 7:20 PM, Brahmanand Reddy <brahma.gdb at gmail.com> wrote:
> 
> Hi Kurt,
> 
> Thanks lot responding my mail,
> 
> Please explain why you think this should be an issue for FreeBSD 10.2 ?
> 
> Currently  i am using 10.2 and 10.4,  i found this problem/vulnerability
> still exist using below script
> 
> #!/usr/local/bin/python
> from scapy.all import *
> 
> # VARIABLES
> src = str(input('IP SRC: '))
> dst = str(input('IP DST: '))
> 
> sport = random.randint(1024,65535)
> dport = int(input("DST PORT: "))
> 
> 
> # SYN
> ip=IP(src=src,dst=dst)
> SYN=TCP(sport=sport,dport=dport,flags='S',seq=random.randint(1024,1048576),
> ack=0)
> SYNACK=sr1(ip/SYN)
> print('Seq1 Number is :',SYNACK[TCP].seq)             ==> Seq1
> 
> # RST
> RST=TCP(sport=sport, dport=dport, flags='R', seq=SYNACK.ack, ack=0)
> send(ip/RST)
> 
> #SYN
> SYN2=TCP(sport=sport,dport=dport,flags='S',seq=random.randint(1024,1048576),
> ack=0)
> SYNACK2=sr1(ip/SYN2)
> print('Seq2 Number is :',SYNACK2[TCP].seq)                           ==>
> same ISN  number  i observed/receiving.
> 
>  I mean seq1=seq2, TCP ISN reusing.
> 
> i think  the patch is available on 10.4 on wards,   but i dint found
> exactly/similar patch from https://www.freebsd.org/security/patches/
> 
>  It could be great to confirm what is the corresponding latest patch this
> problem would be solved.    Kindly correct me anything i am missing.
> 
> 
> Sincerely,
> Brahma
> 
> 
> 
> 
> On Thu, Jan 11, 2018 at 10:45 PM, Kurt Jaeger <pi at freebsd.org> wrote:
> 
>> Hi!
>> 
>>> Please share the corresponding FreeBSD-SA-00:52(*TCP uses weak initial
>>> sequence numbers*) latest patch.
>>> 
>>> the original problem reported on :
>>> https://www.freebsd.org/security/advisories/FreeBSD-
>> SA-00%3A52.tcp-iss.asc
>> 
>> That's a security annoucement for FreeBSD 3.x to 5.x.
>> 
>> Please explain why you think this should be an issue for FreeBSD 10.2 ?
>> 
>> And, by the way: FreeBSD 10.2 is a old, no-longer supported version.
>> 
>> https://www.freebsd.org/releases/
>> 
>> lists which versions are still supported.
>> 
>> --
>> pi at FreeBSD.org         +49 171 3101372                2 years to go !
>> 
> _______________________________________________
> freebsd-security at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-security
> To unsubscribe, send any mail to "freebsd-security-unsubscribe at freebsd.org"
    
    
More information about the freebsd-security
mailing list