81646 2002-10-18  21:15  /156 rader/ Paul Starzetz <paul@starzetz.de>
Importerad: 2002-10-18  21:15  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2008>
Ärende: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
1. Abstract
-----------

There are ambiguities in implementations of the TCP/IP suite for
various  operating systems. Even if this fact has been used since a
long time in  different software for OS fingerprinting, no real
attempt has been made  to identify the security impact of the
differences in the TCP/IP  semantics. We have done some research on
the TCP/IP connection open  semantics which is of course very
important for security of networked  systems. We believe that the
flaws we have detected have a big impact on  design of firewalls and
packet filters since an improper implementation  can easily lead to
serious security problems.


2. Details
----------

The TCP/IP protocol stack offers a three way handshake for connection
oriented communication using the TCP protocol. Basically, a
connection  can be opened by sending a synchronization packet to a
listening service  on a particular host. The host will respond with a
synchronization  acknowledgment packet which in turn must be
acknowledged by the  requesting host. Then, the connection is
considered to be open (at least  at the transport layer) and the two
hosts may exchange some data.

The three way handshake is an essential part of the communication
using  the TCP protocol. Therefore many packet filter firewalls try
to prevent  the three way handshake from completion in order to
protect an  internal/corporate network from being accessed from the
outside. Of  course, statefull firewalls may have some more
sophisticated mechanism.

We have found a very ambiguous behavior of TCP/IP implementations
while  doing some research on the connection request phase. Below you
will find  the findings about various OSes, however the list should
not be  considered complete. We have used the NemesisTCP tool [1] to
generate  the traffic and tcpdump to capture the responses.

* The normal behavior (of all OSes) is like this:

14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) 
win 512 (DF) [tos 0x18]
14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 
1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)

The first host sends a SYN packet from port 12345 to a service on port 
9999 and receives a SYN,ACK


* Linux 2.4.19

The examination of the source code of the TCP engine reveals that a
TCP  connection can be opened by any combination of the TCP flags
having the  SYN bit set and the ACK bit reset. For example we can
open a TCP  connection by sending an obviously bogus SYN,RST packet:

14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR
420:420(0)  win 512 (DF) [tos 0x18] 14:25:43.889143
192.168.1.111.9999 > 192.168.1.184.12345: S  2168208394:2168208394(0)
ack 421 win 5840 <mss 1460> (DF)

or something called 'Christmas packet' having mostly every TCP flag
set  (except the ACK flag of course):

14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 
420:420(0) win 512 urg 8 (DF) [tos 0x18]
14:30:46.342444 192.168.1.111.9999 > 192.168.1.184.12345: S 
2492223280:2492223280(0) ack 421 win 5840 <mss 1460> (DF)

Also SYN,FIN packets works well...


* Solaris 5.8

Here we have success by sending SYN,FIN packets:

14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) 
win 512 (DF) [tos 0x18]
14:33:24.549757 192.168.1.84.9999 > 192.168.1.184.12345: S 
913533039:913533039(0) ack 421 win 24656 <mss 1460> (DF)

or SYN,FIN,PSH packets with no payload

14:35:14.398346 192.168.1.184.12345 > 192.168.1.84.9999: SFP
420:420(0)  win 512 (DF) [tos 0x18] 14:35:14.398801 192.168.1.84.9999
> 192.168.1.184.12345: S  940377913:940377913(0) ack 421 win 24656
<mss 1460> (DF)

other combinations don't seem to induce the SynSent state in the
TCP/IP  stack


* FreeBSD 4.5

Here we also have luck with SYN,FIN packets:

14:47:21.558541 192.168.1.184.12345 > 192.168.1.104.9999: SF
420:420(0)  win 512 (DF) [tos 0x18] 14:47:21.558719
192.168.1.104.9999 > 192.168.1.184.12345: S  1333327436:1333327436(0)
ack 421 win 65535 <mss 1460>

as well as with other combinations which don't combine the RST and/or 
ACK flag with SYN:

14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP
420:420(0)  win 512 (DF) [tos 0x18] 14:48:11.678366
192.168.1.104.9999 > 192.168.1.184.12345: S  1714046856:1714046856(0)
ack 421 win 65535 <mss 1460>


* Windows NT 4.0

As in the case of BSD we can open connections using any combination of 
TCP flags as long as we do not set the RST and/or ACK flag (where did 
they take the code from...hm...):

14:59:46.315126 192.168.1.184.12345 > 192.168.1.17.9999: SF 420:420(0) 
win 512 (DF) [tos 0x18]
14:59:46.315566 192.168.1.17.9999 > 192.168.1.184.12345: S 
15062452:15062452(0) ack 421 win 8576 <mss 1460> (DF)


Other OSes than those tested above are expected to behave in a similar 
manner after obtaining such a discouraging result...


3. Impact
---------

The ambiguities can be used to bypass/tunnel firewalls filtering TCP 
packets according to the TCP flags set. Especially stateless firewalls 
simply comparing the flags field with some expected value(s) to 
distinguish between synchronization packets and packet from an already 
open connection can be easily bypassed just by sending a bogus 
synchronization packet to a listening port. The currently deployed TCP 
stacks seem to be highly bogus and lazy implemented.

Administrators of firewall devices should set up some filtering rules
to  drop bogus TCP packets as mentioned above. For example on systems
using  iptables to filter packets bogus packets can be easily
distinguished by  following rules:

iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j
LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus
packet" $IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN
-j DROP

and so on for other flag combinations.


4. References
-------------

[1] NemesisTCP: http://online.securityfocus.com/tools/1278
[2] Packet normalization: 
http://www.icir.org/vern/papers/norm-usenix-sec-01-html
(81646) /Paul Starzetz <paul@starzetz.de>/(Ombruten)
Bilaga (text/plain) i text 81647
81647 2002-10-18  21:15  /95 rader/ Paul Starzetz <paul@starzetz.de>
Bilagans filnamn: "tcpamb2.txt"
Importerad: 2002-10-18  21:15  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2009>
Bilaga (text/plain) till text 81646
Ärende: Bilaga (tcpamb2.txt) till: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
1. Abstract
-----------

There are ambiguities in implementations of the TCP/IP suite for
various operating systems. Even if this fact has been used since a
long time in different software for OS fingerprinting, no real
attempt has been made to identify the security impact of the
differences in the TCP/IP semantics. We have done some research on
the TCP/IP connection open semantics which is of course very
important for security of networked systems. We believe that the
flaws we have detected have a big impact on design of firewalls and
packet filters since an improper implementation can easily lead to
serious security problems.


2. Details
----------

The TCP/IP protocol stack offers a three way handshake for connection
oriented communication using the TCP protocol. Basically, a
connection can be opened by sending a synchronization packet to a
listening service on a particular host. The host will respond with a
synchronization acknowledgment packet which in turn must be
acknowledged by the requesting host. Then, the connection is
considered to be open (at least at the transport layer) and the two
hosts may exchange some data.

The three way handshake is an essential part of the communication
using the TCP protocol. Therefore many packet filter firewalls try to
prevent the three way handshake from completion in order to protect
an internal/corporate network from being accessed from the
outside. Of course, statefull firewalls may have some more
sophisticated mechanism.

We have found a very ambiguous behavior of TCP/IP implementations
while doing some research on the connection request phase. Below you
will find the findings about various OSes, however the list should
not be considered complete. We have used the NemesisTCP tool [1] to
generate the traffic and tcpdump to capture the responses.

* The normal behavior (of all OSes) is like this:

14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) win 512 (DF) [tos 0x18]
14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)

The first host sends a SYN packet from port 12345 to a service on
port 9999 and receives a SYN,ACK


* Linux 2.4.19

The examination of the source code of the TCP engine reveals that a
TCP connection can be opened by any combination of the TCP flags
having the SYN bit set and the ACK bit reset. For example we can open
a TCP connection by sending an obviously bogus SYN,RST packet:

14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR 420:420(0) win 512 (DF) [tos 0x18]
14:25:43.889143 192.168.1.111.9999 > 192.168.1.184.12345: S 2168208394:2168208394(0) ack 421 win 5840 <mss 1460> (DF)

or something called 'Christmas packet' having mostly every TCP flag
set (except the ACK flag of course):

14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 420:420(0) win 512 urg 8 (DF) [tos 0x18]
14:30:46.342444 192.168.1.111.9999 > 192.168.1.184.12345: S 2492223280:2492223280(0) ack 421 win 5840 <mss 1460> (DF)

Also SYN,FIN packets works well...


* Solaris 5.8

Here we have success by sending SYN,FIN packets:

14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:33:24.549757 192.168.1.84.9999 > 192.168.1.184.12345: S 913533039:913533039(0) ack 421 win 24656 <mss 1460> (DF)

or SYN,FIN,PSH packets with no payload

14:35:14.398346 192.168.1.184.12345 > 192.168.1.84.9999: SFP 420:420(0) win 512 (DF) [tos 0x18]
14:35:14.398801 192.168.1.84.9999 > 192.168.1.184.12345: S 940377913:940377913(0) ack 421 win 24656 <mss 1460> (DF)

other combinations don't seem to induce the SynSent state in the
TCP/IP stack


* FreeBSD 4.5

Here we also have luck with SYN,FIN packets:

14:47:21.558541 192.168.1.184.12345 > 192.168.1.104.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:47:21.558719 192.168.1.104.9999 > 192.168.1.184.12345: S 1333327436:1333327436(0) ack 421 win 65535 <mss 1460>

as well as with other combinations which don't combine the RST and/or
ACK flag with SYN:

14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP 420:420(0) win 512 (DF) [tos 0x18]
14:48:11.678366 192.168.1.104.9999 > 192.168.1.184.12345: S 1714046856:1714046856(0) ack 421 win 65535 <mss 1460>


* Windows NT 4.0

As in the case of BSD we can open connections using any combination
of TCP flags as long as we do not set the RST and/or ACK flag (where
did they take the code from...hm...):

14:59:46.315126 192.168.1.184.12345 > 192.168.1.17.9999: SF 420:420(0) win 512 (DF) [tos 0x18]
14:59:46.315566 192.168.1.17.9999 > 192.168.1.184.12345: S 15062452:15062452(0) ack 421 win 8576 <mss 1460> (DF)


Other OSes than those tested above are expected to behave in a
similar manner after obtaining such a discouraging result...


3. Impact
---------

The ambiguities can be used to bypass/tunnel firewalls filtering TCP
packets according to the TCP flags set. Especially stateless
firewalls simply comparing the flags field with some expected
value(s) to distinguish between synchronization packets and packet
from an already open connection can be easily bypassed just by
sending a bogus synchronization packet to a listening port. The
currently deployed TCP stacks seem to be highly bogus and lazy
implemented.

Administrators of firewall devices should set up some filtering rules
to drop bogus TCP packets as mentioned above. For example on systems
using iptables to filter packets bogus packets can be easily
distinguished by following rules:

iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j
LOG -m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus
packet" $IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN
-j DROP

and so on for other flag combinations.


4. References
-------------

[1] NemesisTCP: http://online.securityfocus.com/tools/1278 [2] Packet
normalization: http://www.icir.org/vern/papers/norm-usenix-sec-01-html
(81647) /Paul Starzetz <paul@starzetz.de>/(Ombruten)
81649 2002-10-18  22:20  /61 rader/ Alan DeKok <aland@ox.org>
Importerad: 2002-10-18  22:20  av Brevbäraren
Extern mottagare: Paul Starzetz <paul@starzetz.de>
Mottagare: Bugtraq (import) <2011>
Ärende: Re: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
Paul Starzetz <paul@starzetz.de> wrote:
> There are ambiguities in implementations of the TCP/IP suite for various 
> operating systems.

  What about the specifications?

  In my (admittedly quick) readings of RFC 793 and RFC 1122, I don't
see any text forbidding the use of other flags, in conjunction with
SYN, when opening a new connection.  Even RFC 2525 (Known TCP
Implementation Problems) doesn't appear to cover this issue.

  RFC 1025 (TCP and IP bake-off) has the following text:

	10 points for correctly being able to process a "Kamikaze"
	packet (AKA nastygram, christmas tree packet, lamp test
	segment, et al.).  That is, correctly handle a segment with
	the maximum combination of features at once (e.g., a SYN URG
	PUSH FIN segment with options and data).


  But it doesn't define what it means by "correctly handle" such a
packet.

  The TCP state machine diagram has labels naming the flags on
transitions from 'listen' to 'syn received', but it's silent on the
topic of which flags are NOT allowed.

> We believe that the flaws we have detected have a big impact on 
> design of firewalls and packet filters since an improper implementation 
> can easily lead to serious security problems.

  I believe that all of the implementations you named are "compliant"
with the ambiguous TCP specification.

> The ambiguities can be used to bypass/tunnel firewalls filtering TCP 
> packets according to the TCP flags set. Especially stateless firewalls 
> simply comparing the flags field with some expected value(s) to 
> distinguish between synchronization packets and packet from an already 
> open connection can be easily bypassed just by sending a bogus 
> synchronization packet to a listening port.

  Then the firewall is too permissive.  The people who designed it
either did not understand TCP, or knowingly made the rules too
permissive, or were stuck with a marketing department which required
this insecure behaviour. :(

> The currently deployed TCP stacks seem to be highly bogus and lazy
> implemented.

  One method around that would be to have a complete TCP
specification via finite state machines.  Such a state machine can
then be analyzed, and proven to be correct under whatever definitions
of "correct" you choose.

  I believe this has been tried, but I don't know that anyone has been
successful at it yet.  Even the normal "state machine" diagram used to
explain TCP is very high-level, and misses many of the implementation
details and requirements.

  Alan DeKok.
(81649) /Alan DeKok <aland@ox.org>/-----------------
81651 2002-10-18  23:06  /85 rader/ Benjamin Krueger <benjamin@seattleFenix.net>
Importerad: 2002-10-18  23:06  av Brevbäraren
Extern mottagare: Alan DeKok <aland@ox.org>
Externa svar till: benjamin@seattleFenix.net
Mottagare: Bugtraq (import) <2013>
Ärende: Re: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
* Alan DeKok (aland@ox.org) [021018 13:21]:
> Paul Starzetz <paul@starzetz.de> wrote:
> > There are ambiguities in implementations of the TCP/IP suite for various 
> > operating systems.
> 
>   What about the specifications?
> 
>   In my (admittedly quick) readings of RFC 793 and RFC 1122, I don't
> see any text forbidding the use of other flags, in conjunction with
> SYN, when opening a new connection.  Even RFC 2525 (Known TCP
> Implementation Problems) doesn't appear to cover this issue.
> 
>   RFC 1025 (TCP and IP bake-off) has the following text:
> 
> 	10 points for correctly being able to process a "Kamikaze"
> 	packet (AKA nastygram, christmas tree packet, lamp test
> 	segment, et al.).  That is, correctly handle a segment with
> 	the maximum combination of features at once (e.g., a SYN URG
> 	PUSH FIN segment with options and data).
> 
> 
>   But it doesn't define what it means by "correctly handle" such a
> packet.

  Identify what the packet should be, and treat it as such? If that
is the correct way to handle these packets, then these stacks are
correct.

>   The TCP state machine diagram has labels naming the flags on
> transitions from 'listen' to 'syn received', but it's silent on the
> topic of which flags are NOT allowed.

  It does, however, consistantly refer to packets as "Syn" or "SynAck"
or "Fin" packets, suggesting that only a specific flag or combination
of flags should be used during the connection.

  One could also make a case for continuing to abide by the cardinal
rule "Be permissive in what you accept, and strict in what you send".
Tough call, but its difficult to justify describing stacks that are
permissive as "highly bogus" or "lazy" given that being permissive in 
what you accept is an established notion.

> > We believe that the flaws we have detected have a big impact on 
> > design of firewalls and packet filters since an improper implementation 
> > can easily lead to serious security problems.
> 
>   I believe that all of the implementations you named are "compliant"
> with the ambiguous TCP specification.

Compliant by the letter, if questionably in spirit. I'm not aware of
any tcp client systems that would send SynFin in the real world, so a
stack that responded with RST could arguably be "more" correct (for
example).

> > The ambiguities can be used to bypass/tunnel firewalls filtering TCP 
> > packets according to the TCP flags set. Especially stateless firewalls 
> > simply comparing the flags field with some expected value(s) to 
> > distinguish between synchronization packets and packet from an already 
> > open connection can be easily bypassed just by sending a bogus 
> > synchronization packet to a listening port.
> 
>   Then the firewall is too permissive.  The people who designed it
> either did not understand TCP, or knowingly made the rules too
> permissive, or were stuck with a marketing department which required
> this insecure behaviour. :(
>
> > The currently deployed TCP stacks seem to be highly bogus and lazy
> > implemented.
> 
>   One method around that would be to have a complete TCP
> specification via finite state machines.  Such a state machine can
> then be analyzed, and proven to be correct under whatever definitions
> of "correct" you choose.
> 
>   I believe this has been tried, but I don't know that anyone has been
> successful at it yet.  Even the normal "state machine" diagram used to
> explain TCP is very high-level, and misses many of the implementation
> details and requirements.
> 
>   Alan DeKok.

-- 
Benjamin Krueger
----------------------------------------------------------------
Send mail w/ subject 'send public key' or query for (0x251A4B18)
Fingerprint = A642 F299 C1C1 C828 F186  A851 CFF0 7711 251A 4B18
(81651) /Benjamin Krueger <benjamin@seattleFenix.net>/(Ombruten)
81654 2002-10-19  01:03  /35 rader/ Alun Jones <alun@texis.com>
Importerad: 2002-10-19  01:03  av Brevbäraren
Extern mottagare: benjamin@seattleFenix.net
Mottagare: Bugtraq (import) <2016>
Ärende: Re: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
At 03:55 PM 10/18/2002, Benjamin Krueger wrote:
>   One could also make a case for continuing to abide by the cardinal
>rule "Be permissive in what you accept, and strict in what you send".
>Tough call, but its difficult to justify describing stacks that are
>permissive as "highly bogus" or "lazy" given that being permissive in
>what you accept is an established notion.

If a usage makes any kind of sense, then it has usually been allowed.

>Compliant by the letter, if questionably in spirit. I'm not aware of any
>tcp client systems that would send SynFin in the real world, so a stack
>that responded with RST could arguably be "more" correct (for example).

Not necessarily.  Have you heard of T/TCP?  Before that was around, I
remember hearing discussion of using a packet with SYN, FIN, and data
all  in one, to cut down on round-trips in really short
communications, while  still providing reliability.

One of the lessons you learn when writing / reading RFC material is
that  "there are more things on heaven and earth, Horatio, than are
dreamt of in  your philosophy" (or thereabouts).  Just because _you_
don't see a use for  a feature, that doesn't mean to say that someone
else won't / can't, and  specifically, it isn't usually worth
limiting a protocol for the rather  arbitrary reason that you can't
see how a feature would be used.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
(81654) /Alun Jones <alun@texis.com>/-----(Ombruten)
81668 2002-10-19  05:34  /67 rader/ Alan DeKok <aland@ox.org>
Importerad: 2002-10-19  05:34  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2029>
Ärende: Re: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
Benjamin Krueger <benjamin@seattlefenix.net> wrote:
...
> >   RFC 1025 (TCP and IP bake-off) has the following text:
> > 
> > 	10 points for correctly being able to process a "Kamikaze"
> > 	packet (AKA nastygram, christmas tree packet, lamp test
> > 	segment, et al.).  That is, correctly handle a segment with
> > 	the maximum combination of features at once (e.g., a SYN URG
> > 	PUSH FIN segment with options and data).
> > 
> > 
> >   But it doesn't define what it means by "correctly handle" such a
> > packet.
> 
>   Identify what the packet should be, and treat it as such? If that is
> the correct way to handle these packets, then these stacks are correct.

  So... what should the packet be?  As I said, the spec is ambiguous.
If you don't know what the packet is, you obviously don't know how to
treat it.

  Sure, the spec *says* to treat packets with the SYN flag in a
certain way.  I'm not arguing with that.  What I'm arguing with is the
concept that because the spec is MISSING text on what to do in other
situations, that we know what to do in those situations.

  The spec is silent on the use of ambiguous or contradictory flags
(SYN+FIN).  So what happens when such a packet is received can only be
described as "implementation defined."

  This is not the way to have a secure, or inter-operable protocol.

> >   The TCP state machine diagram has labels naming the flags on
> > transitions from 'listen' to 'syn received', but it's silent on the
> > topic of which flags are NOT allowed.
> 
>   It does, however, consistantly refer to packets as "Syn" or "SynAck"
> or "Fin" packets, suggesting that only a specific flag or combination
> of flags should be used during the connection.

  So SYN+URG is disallowed.  But to me, that combination seems
reasonable.  So my implementation may not inter-operate with yours.
At the least, we're making different assumptions, which leads to
security problems.

  As I said, the spec is ambiguous.  

>   One could also make a case for continuing to abide by the cardinal
> rule "Be permissive in what you accept, and strict in what you send".
> Tough call, but its difficult to justify describing stacks that are
> permissive as "highly bogus" or "lazy" given that being permissive in 
> what you accept is an established notion.

  Well, at least I didn't say that.

> >   I believe that all of the implementations you named are "compliant"
> > with the ambiguous TCP specification.
> 
> Compliant by the letter, if questionably in spirit. I'm not aware of any
> tcp client systems that would send SynFin in the real world, so a stack
> that responded with RST could arguably be "more" correct (for example).

  <g>  I may believe otherwise.  Who's to say what's compliant, if the
definition of "compliance" isn't written down anywhere?

  Alan DeKok.
(81668) /Alan DeKok <aland@ox.org>/-----------------
81676 2002-10-19  21:36  /82 rader/ John Fitzgerald <john@match-fit.com>
Importerad: 2002-10-19  21:36  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2034>
Ärende: RE: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
An interesting point, T/TCP does indeed require multiple flags to be
set simultaneously, however, it's also not a proven protocol. In fact
there are potential security issues Apart from the potential DoS
(re-introducing SYN floods to some environments) it's not clear how
all IP stacks will respond to these packets.  There's also a clear
security issue with allowing one side of the handshake to send
commands before the handshake's been completed - with standard TCP/IP
it's relatively easy to spoof the source IP for the SYN but this
doesn't get the perpetrator very far - with T/TCP a spoofed SYN could
actually send a command which may be actioned if the target host only
uses the source IP as validation (such as rlogin/rsh). This last
matter isn't a show stopper, I don't allow rlogin etc - and if I did
it would only be for addresses that can only be internal (the
firewall would prevent external devices from spoofing such
addresses). But this is just one example of a new security hole being
opened by T/TCP...Ever cautious, I'm inclined to block this traffic
and see what else turns up as the protocol matures.

If anything, this reaffirms my belief in blocking any unexpected
traffic (allow it only when it becomes clear that it must be allowed
through, and only after making sure that new security holes aren't
being introduced)

While on the subject, have there been any moves to ramp up the
acceptance of T/TCP, I can see that there are distinct performance
advantages for HTTP?



-----Original Message-----
From: Alun Jones [mailto:alun@texis.com] 
Sent: 18 October 2002 22:28
To: benjamin@seattleFenix.net
Subject: Re: Ambiguities in TCP/IP - firewall bypassing

At 03:55 PM 10/18/2002, Benjamin Krueger wrote:
>   One could also make a case for continuing to abide by the cardinal
>rule "Be permissive in what you accept, and strict in what you send".
>Tough call, but its difficult to justify describing stacks that are
>permissive as "highly bogus" or "lazy" given that being permissive in
>what you accept is an established notion.

If a usage makes any kind of sense, then it has usually been allowed.

>Compliant by the letter, if questionably in spirit. I'm not aware of
any
>tcp client systems that would send SynFin in the real world, so a stack
>that responded with RST could arguably be "more" correct (for example).

Not necessarily.  Have you heard of T/TCP?  Before that was around, I
remember hearing discussion of using a packet with SYN, FIN, and data
all  in one, to cut down on round-trips in really short
communications, while

still providing reliability.

One of the lessons you learn when writing / reading RFC material is
that

"there are more things on heaven and earth, Horatio, than are dreamt
of in  your philosophy" (or thereabouts).  Just because _you_ don't
see a use for  a feature, that doesn't mean to say that someone else
won't / can't, and

specifically, it isn't usually worth limiting a protocol for the
rather  arbitrary reason that you can't see how a feature would be
used.

Alun.
~~~~

--
Texas Imperial Software   | Try WFTPD, the Windows FTP Server. Find us
at
1602 Harvest Moon Place   | http://www.wftpd.com or email alun@texis.com
Cedar Park TX 78613-1419  | VISA/MC accepted.  NT-based sites, be sure
to
Fax/Voice +1(512)258-9858 | read details of WFTPD Pro for NT.
(81676) /John Fitzgerald <john@match-fit.com>/(Ombruten)
81677 2002-10-19  21:42  /21 rader/ Luis Bruno <lbruno@zbit.pt>
Importerad: 2002-10-19  21:42  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2035>
Ärende: Re: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
Alan DeKok wrote:
> Benjamin Krueger <benjamin@seattlefenix.net> wrote:
> > > [snip RFC 1025 (TCP and IP bake-off)]
> > 
> >   Identify what the packet should be, and treat it as such? If that is
> > the correct way to handle these packets, then these stacks are correct.
> 
>   So... what should the packet be?  As I said, the spec is ambiguous.
> If you don't know what the packet is, you obviously don't know how to
> treat it.

Think of ECN; should older stacks simply reject a packet with Syn+0x42
because they don't know what 0x42 is?

If I've understood correctly, you were suggesting to drop "bad"
packets.  I agree; only let established traffic through your
firewall, and only let packets with Syn or Syn+Ack set and with Fin
and Rst unset establish state in the firewall. Ignore the rest of the
flags.

Of course, if anyone finds this un-interoperable, please chime in!
(81677) /Luis Bruno <lbruno@zbit.pt>/-----(Ombruten)
81843 2002-10-21  18:44  /31 rader/ Lyndon Nerenberg <lyndon@orthanc.ab.ca>
Importerad: 2002-10-21  18:44  av Brevbäraren
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2049>
Ärende: Re: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
>Think of ECN; should older stacks simply reject a packet with Syn+0x42
>because they don't know what 0x42 is?
>
>If I've understood correctly, you were suggesting to drop "bad" packets.
>I agree; only let established traffic through your firewall, and only
>let packets with Syn or Syn+Ack set and with Fin and Rst unset establish
>state in the firewall. Ignore the rest of the flags.
>
>Of course, if anyone finds this un-interoperable, please chime in!

Before people get too paranoid about accepting packets I recommend
they read RFC 3360: Inappropriate TCP Resets Considered Harmful.

   1.  Introduction
   
      TCP uses the RST (Reset) bit in the TCP header to reset a TCP
      connection.  Resets are appropriately sent in response to a
      connection request to a nonexistent connection, for example.
      The TCP receiver of the reset aborts the TCP connection, and
      notifies the application [RFC793, RFC1122, Ste94].
   
      Unfortunately, a number of firewalls and load-balancers in the
      current Internet send a reset in response to a TCP SYN packet
      that use flags from the Reserved field in the TCP header.
      Section 3 below discusses the specific example of firewalls
      that send resets in response to TCP SYN packets from
      ECN-capable hosts.

      [ ... ]

--lyndon
(81843) /Lyndon Nerenberg <lyndon@orthanc.ab.ca>/(Ombruten)
81940 2002-10-22  18:02  /208 rader/ Ofir Arkin <ofir@sys-security.com>
Importerad: 2002-10-22  18:02  av Brevbäraren
Extern mottagare: 'Paul Starzetz' <paul@starzetz.de>
Extern mottagare: bugtraq@securityfocus.com
Mottagare: Bugtraq (import) <2063>
Ärende: RE: Ambiguities in TCP/IP - firewall bypassing
------------------------------------------------------------
I would like to refer you back to a March 2000 Bugtraq post:
http://online.securityfocus.com/archive/1/52793

The flag combinations with that post relate to Linux 2.2.x and
Windows NT 4 SP6 (and not to all *nix as it states). It is also
advised to read a reply from Lamont Granquist -
http://online.securityfocus.com/archive/1/52939.

I have also stated with that post that: "The Filtering Device is
lame: If the firewall is just a simple packet filter that blocks
incoming SYN's than some of the combinations I have listed would
elicit a reply.  If the Firewall is statefull (AND do his job as it
should. I have seen some idiotically cases were statefull was not
implemented as it should) nothing should pass it."


As a side note - although the RFCs are not specific regarding the
question on how to handle several different flag combinations, there
is also a common sense that needs to be applied. For example, sending
a TCP packet with the SYN|FIN flags on is known to be an OS
fingerprinting attempt, a fact known for several years now (even
appears on several text books :P).

I do expect firewall manufactures to provide some kind of protection
and filtering for non-logical and non-legitimate TCP/IP traffic, but
as I noted back in March 2000, still there are some firewalls and
filtering devices that let this traffic go by.


Yours,
Ofir Arkin [ofir@sys-security.com]
Founder
The Sys-Security Group
http://www.sys-security.com
PGP CC2C BE53 12C6 C9F2 87B1 B8C6 0DFA CF2D D360 43FA

-----Original Message-----
From: Paul Starzetz [mailto:paul@starzetz.de] 
Sent: Friday, October 18, 2002 4:47 PM
To: bugtraq@securityfocus.com
Subject: Ambiguities in TCP/IP - firewall bypassing

1. Abstract
-----------

There are ambiguities in implementations of the TCP/IP suite for
various

operating systems. Even if this fact has been used since a long time
in  different software for OS fingerprinting, no real attempt has
been made  to identify the security impact of the differences in the
TCP/IP  semantics. We have done some research on the TCP/IP
connection open  semantics which is of course very important for
security of networked  systems. We believe that the flaws we have
detected have a big impact on

design of firewalls and packet filters since an improper
implementation  can easily lead to serious security problems.


2. Details
----------

The TCP/IP protocol stack offers a three way handshake for connection
oriented communication using the TCP protocol. Basically, a
connection  can be opened by sending a synchronization packet to a
listening service

on a particular host. The host will respond with a synchronization
acknowledgment packet which in turn must be acknowledged by the
requesting host. Then, the connection is considered to be open (at
least

at the transport layer) and the two hosts may exchange some data.

The three way handshake is an essential part of the communication
using  the TCP protocol. Therefore many packet filter firewalls try
to prevent  the three way handshake from completion in order to
protect an  internal/corporate network from being accessed from the
outside. Of  course, statefull firewalls may have some more
sophisticated mechanism.

We have found a very ambiguous behavior of TCP/IP implementations
while  doing some research on the connection request phase. Below you
will find

the findings about various OSes, however the list should not be 
considered complete. We have used the NemesisTCP tool [1] to generate 
the traffic and tcpdump to capture the responses.

* The normal behavior (of all OSes) is like this:

14:18:00.595517 192.168.1.184.12345 > 192.168.1.111.9999: S 420:420(0) 
win 512 (DF) [tos 0x18]
14:18:00.595731 192.168.1.111.9999 > 192.168.1.184.12345: S 
1679763291:1679763291(0) ack 421 win 5840 <mss 1460> (DF)

The first host sends a SYN packet from port 12345 to a service on port 
9999 and receives a SYN,ACK


* Linux 2.4.19

The examination of the source code of the TCP engine reveals that a
TCP  connection can be opened by any combination of the TCP flags
having the  SYN bit set and the ACK bit reset. For example we can
open a TCP  connection by sending an obviously bogus SYN,RST packet:

14:25:43.888897 192.168.1.184.12345 > 192.168.1.111.9999: SR
420:420(0)  win 512 (DF) [tos 0x18] 14:25:43.889143
192.168.1.111.9999 > 192.168.1.184.12345: S  2168208394:2168208394(0)
ack 421 win 5840 <mss 1460> (DF)

or something called 'Christmas packet' having mostly every TCP flag
set  (except the ACK flag of course):

14:30:46.341732 192.168.1.184.12345 > 192.168.1.111.9999: SFRP 
420:420(0) win 512 urg 8 (DF) [tos 0x18]
14:30:46.342444 192.168.1.111.9999 > 192.168.1.184.12345: S 
2492223280:2492223280(0) ack 421 win 5840 <mss 1460> (DF)

Also SYN,FIN packets works well...


* Solaris 5.8

Here we have success by sending SYN,FIN packets:

14:33:24.549246 192.168.1.184.12345 > 192.168.1.84.9999: SF 420:420(0) 
win 512 (DF) [tos 0x18]
14:33:24.549757 192.168.1.84.9999 > 192.168.1.184.12345: S 
913533039:913533039(0) ack 421 win 24656 <mss 1460> (DF)

or SYN,FIN,PSH packets with no payload

14:35:14.398346 192.168.1.184.12345 > 192.168.1.84.9999: SFP
420:420(0)  win 512 (DF) [tos 0x18] 14:35:14.398801 192.168.1.84.9999
> 192.168.1.184.12345: S  940377913:940377913(0) ack 421 win 24656
<mss 1460> (DF)

other combinations don't seem to induce the SynSent state in the
TCP/IP  stack


* FreeBSD 4.5

Here we also have luck with SYN,FIN packets:

14:47:21.558541 192.168.1.184.12345 > 192.168.1.104.9999: SF
420:420(0)  win 512 (DF) [tos 0x18] 14:47:21.558719
192.168.1.104.9999 > 192.168.1.184.12345: S  1333327436:1333327436(0)
ack 421 win 65535 <mss 1460>

as well as with other combinations which don't combine the RST and/or 
ACK flag with SYN:

14:48:11.678246 192.168.1.184.12345 > 192.168.1.104.9999: SP
420:420(0)  win 512 (DF) [tos 0x18] 14:48:11.678366
192.168.1.104.9999 > 192.168.1.184.12345: S  1714046856:1714046856(0)
ack 421 win 65535 <mss 1460>


* Windows NT 4.0

As in the case of BSD we can open connections using any combination of 
TCP flags as long as we do not set the RST and/or ACK flag (where did 
they take the code from...hm...):

14:59:46.315126 192.168.1.184.12345 > 192.168.1.17.9999: SF 420:420(0) 
win 512 (DF) [tos 0x18]
14:59:46.315566 192.168.1.17.9999 > 192.168.1.184.12345: S 
15062452:15062452(0) ack 421 win 8576 <mss 1460> (DF)


Other OSes than those tested above are expected to behave in a similar 
manner after obtaining such a discouraging result...


3. Impact
---------

The ambiguities can be used to bypass/tunnel firewalls filtering TCP 
packets according to the TCP flags set. Especially stateless firewalls 
simply comparing the flags field with some expected value(s) to 
distinguish between synchronization packets and packet from an already 
open connection can be easily bypassed just by sending a bogus 
synchronization packet to a listening port. The currently deployed TCP 
stacks seem to be highly bogus and lazy implemented.

Administrators of firewall devices should set up some filtering rules
to

drop bogus TCP packets as mentioned above. For example on systems
using  iptables to filter packets bogus packets can be easily
distinguished by  following rules:

iptables -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN -j
LOG

-m limit --limit 10/m --log-level "LOGLEVEL" --log-prefix="bogus
packet" $IP -A INPUT -p tcp -d HOST/MASK --tcp-flags SYN,FIN SYN,FIN
-j DROP

and so on for other flag combinations.


4. References
-------------

[1] NemesisTCP: http://online.securityfocus.com/tools/1278
[2] Packet normalization: 
http://www.icir.org/vern/papers/norm-usenix-sec-01-html
(81940) /Ofir Arkin <ofir@sys-security.com>/(Ombruten)