Linked below is a package containing several proof-of-concept programs for the TCP RST spoofing (blind connection reset) vulnerability in the TCP protocol.
Details
The TCP stack implementations of numerous vendors contain a flaw that may allow a remote denial of service. The issue is triggered when the targeted TCP stack accepts spoofed TCP Reset (RST) segments for an established connection, and results in loss of availability for the attacked TCP services. Long-lived sessions such as BGP peerings are the most exposed, because they stay up long enough for an attacker to sweep the sequence space.
Technical Description:
RFC 793 uses sequence-number checking to ensure proper ordering of received segments. It requires that a segment's sequence number be checked against the receive window before any data or control flags are accepted as valid. RFC 793 also specifies that an RST flag be processed immediately, without waiting for out-of-sequence segments to arrive. Furthermore, RFC 793 allows a TCP implementation to verify both the sequence and the acknowledgement number before accepting an RST as valid. No TCP stack implementation tested implements checking of both the sequence and the acknowledgement number; all tested stacks verify only that the sequence number falls within the receive window. An attacker who knows the connection's four-tuple (addresses and ports) therefore does not have to hit the exact expected sequence number, only some number inside the window, so the number of spoofed segments needed drops from roughly 2^32 to roughly 2^32 divided by the window size: with a 65535-byte window that is on the order of 65,000 segments per connection rather than over four billion. This allows connections to be reset with dramatically less effort than previously believed.
This risk is compounded by the easy prediction of the source port used for TCP connections: many stacks allocate ephemeral ports sequentially, so the client side of the four-tuple can often be guessed from a small set of candidates, and the sequence-number sweep only has to be repeated for each of those candidates.
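To make the arithmetic above concrete, the following C program models the two acceptance checks side by side and simulates a blind attacker sweeping the sequence space. It is an added illustration written for this page, not code from the advisory or from the linked exploit package; the victim's RCV.NXT, window and port-candidate count are constructed values, and the function names are this example's own. The "exact match" check is the hardening later standardized in RFC 5961 (an in-window but inexact RST is answered with a challenge ACK instead of tearing the connection down), included here as the caveat a practitioner would want: a stack that implements it is not reset by the window-sized sweep the advisory describes.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Sequence-number comparisons modulo 2^32 (the "<" and "<=" of RFC 793 / RFC 1982). */
static bool seq_lt(uint32_t a, uint32_t b)  { return (int32_t)(a - b) < 0; }
static bool seq_leq(uint32_t a, uint32_t b) { return (int32_t)(a - b) <= 0; }

/* RFC 793 acceptance test for a zero-length segment such as a bare RST:
 *   RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND
 * (or SEG.SEQ == RCV.NXT when the window is zero). Per the advisory, the tested
 * stacks applied only this check before honoring the RST flag. */
bool rst_accepted_window_only(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seg_seq)
{
    if (rcv_wnd == 0)
        return seg_seq == rcv_nxt;
    return seq_leq(rcv_nxt, seg_seq) && seq_lt(seg_seq, rcv_nxt + rcv_wnd);
}

/* Hardened test: honor an RST only when SEG.SEQ is exactly RCV.NXT (RFC 5961 behaviour;
 * an in-window but inexact RST would instead draw a challenge ACK). rcv_wnd is unused
 * but kept so both checks share one signature. */
bool rst_accepted_exact(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t seg_seq)
{
    (void)rcv_wnd;
    return seg_seq == rcv_nxt;
}

/* Segments needed to land one sequence number inside every possible window of
 * size rcv_wnd: ceil(2^32 / rcv_wnd). */
uint64_t segments_to_sweep(uint32_t rcv_wnd)
{
    if (rcv_wnd == 0)
        return 1ULL << 32;
    return ((1ULL << 32) + rcv_wnd - 1) / rcv_wnd;
}

/* Simulated blind attacker: knows the four-tuple but not RCV.NXT, so it sends RSTs
 * whose sequence numbers step through the 2^32 space by `step` bytes. Returns the
 * number of segments sent when one is accepted, or 0 if the whole sweep fails.
 * `strict` selects the hardened exact-match check. */
uint64_t blind_rst_attempts(uint32_t rcv_nxt, uint32_t rcv_wnd, uint32_t step, bool strict)
{
    if (step == 0)
        return 0;
    uint64_t sent = 0;
    for (uint64_t seq = 0; seq < (1ULL << 32); seq += step) {
        sent++;
        bool ok = strict ? rst_accepted_exact(rcv_nxt, rcv_wnd, (uint32_t)seq)
                         : rst_accepted_window_only(rcv_nxt, rcv_wnd, (uint32_t)seq);
        if (ok)
            return sent;
    }
    return 0;
}

/* Worst-case total when the attacker must also guess the client's source port
 * from `port_candidates` possibilities (one full sweep per candidate). */
uint64_t worst_case_segments(uint32_t rcv_wnd, uint32_t port_candidates)
{
    return segments_to_sweep(rcv_wnd) * port_candidates;
}

int main(void)
{
    /* Constructed victim state: an arbitrary RCV.NXT and a 65535-byte window. */
    uint32_t rcv_nxt = 19088743u, rcv_wnd = 65535u;

    printf("segments to sweep a %u-byte window: %llu\n", rcv_wnd,
           (unsigned long long)segments_to_sweep(rcv_wnd));
    printf("window-only check, step = window: reset after %llu segments\n",
           (unsigned long long)blind_rst_attempts(rcv_nxt, rcv_wnd, rcv_wnd, false));
    printf("exact-match check, step = window: %llu (0 = sweep failed)\n",
           (unsigned long long)blind_rst_attempts(rcv_nxt, rcv_wnd, rcv_wnd, true));
    printf("worst case with 64 candidate source ports: %llu segments\n",
           (unsigned long long)worst_case_segments(rcv_wnd, 64));
    return 0;
}
```

Against the window-only check, stepping by the window size finds an accepted RST after a few hundred segments for this RCV.NXT, and never more than ceil(2^32 / window) in the worst case; against the exact-match check the same sweep completes without a single acceptance, which is why the attacker is pushed back to guessing all 2^32 values.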
Exploit:
The zip file contains the following exploit code:
  reset-tcp.c                       Simple proof-of-concept exploit in C
  reset-tcp_rfc31337-compliant.c    Same program with modifications from J 'Swoop' Barber
  ttt-1.3r.tar.gz                   Modified version of Cisco CIAG's TCP Test Tool utility
  bgp-dosv2.pl                      Perl example from Rich Compton
The exploits can be downloaded from: http://www.osvdb.org/reference/osvdb-4030-exploit.zip
Additional information
