[Owasp-turkey] Fwd: Split Handshake Attack

Huzeyfe ONAL huzeyfe at lifeoverip.net
Thu Jun 3 07:36:58 EDT 2010


The work is quite nice in theory, but it is somewhat hard to apply in the
real world. That is, for this work to be able to harm a system, the
application that initiates the TCP session on the client side must have a
security vulnerability (such as a buffer overflow) for it to be of any use.

In that case (if the client program has a vulnerability), we know that
today's client-side vulnerabilities can be exploited in much simpler ways.


---
Huzeyfe ONAL
Have you subscribed to the network and information security list?
http://www.lifeoverip.net/netsec-listesi/

---


On Thu, Jun 3, 2010 at 12:02 AM, Musa Ulker <musaulker at gmail.com> wrote:

> Do you have any information about this attack, friends? I found it interesting..
>
> --------
> This is awesome.  The usual handshake is SYN, SYN/ACK, ACK, like this:
>
> Client     SYN -->           Server
> Client     <-- SYN/ACK   Server
> Client     ACK -->           Server
>
> However, there are permitted variations on this handshake, such as
> this one in which both parties open a session simultaneously:
>
> Client     SYN -->           Server
> Client     <-- ACK           Server
> Client     <-- SYN           Server
> Client     ACK -->           Server
>
> That's legal according to the RFCs, but when you do it on real modern
> operating systems, it comes out like this:
>
> Client     SYN -->           Server
> Client     <-- ACK           Server
> Client     <-- SYN           Server
> Client     SYN/ACK -->   Server
> Client     <-- ACK           Server
>
> In practice, this really opens a session so data can flow.  But it
> confuses IDS systems so much that they let attacks go right through--
> they don't know what's going on.  Snort, TippingPoint 2400, and
> Juniper SRX 5800 all failed to detect attacks sent after that
> handshake.
>
> More info here: http://bit.ly/9tUfb9
>
> --
> M.Musa Ülker
>
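An added example, not part of the original thread: one way a sensor could tell apart the three opening sequences quoted above, by tracking which side sends a bare SYN and which side sends SYN/ACK. The function name, the return labels and the sample flows are constructed for illustration.

```python
# Added example: tell apart the three opening sequences quoted in the thread.
# Input is a flow's packets up to the first data segment, as constructed
# (sender, flags) pairs; "client" is whichever side sent the first SYN.

def classify_handshake(packets):
    syn_order = []       # senders of a bare SYN, in first-seen order
    synack_from = set()  # senders of a SYN/ACK
    for sender, flags in packets:
        flags = set(flags)
        if "RST" in flags:
            return "reset"
        if {"SYN", "ACK"} <= flags:
            synack_from.add(sender)
        elif "SYN" in flags and sender not in syn_order:
            syn_order.append(sender)  # retransmitted SYNs are ignored
    if not syn_order:
        return "no-syn"
    initiator = syn_order[0]
    if len(syn_order) == 1:
        # Only one side sent a bare SYN: the peer must answer with SYN/ACK.
        if synack_from and initiator not in synack_from:
            return "three-way"
        return "incomplete"
    # Both sides sent a bare SYN. In the sequence the post reports from real
    # operating systems, the original initiator is the only SYN/ACK sender.
    if synack_from == {initiator}:
        return "split-handshake"
    return "simultaneous-open"

# Constructed sample flows mirroring the three diagrams in the quoted post.
NORMAL = [("client", ["SYN"]), ("server", ["SYN", "ACK"]), ("client", ["ACK"])]
SIMULTANEOUS = [("client", ["SYN"]), ("server", ["ACK"]),
                ("server", ["SYN"]), ("client", ["ACK"])]
SPLIT = [("client", ["SYN"]), ("server", ["ACK"]), ("server", ["SYN"]),
         ("client", ["SYN", "ACK"]), ("server", ["ACK"])]

if __name__ == "__main__":
    for name, flow in (("normal", NORMAL), ("simultaneous", SIMULTANEOUS),
                       ("split", SPLIT)):
        print(name, "->", classify_handshake(flow))
```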