[EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)


Date: Tue, 28 Sep 1999 13:21:32 -0700
From: Jeremy Buhler <jbuhler@CS.WASHINGTON.EDU>
To: BUGTRAQ@SECURITYFOCUS.COM
Subject: Re: [EuroHaCk] Linux 2.2.x ISN vulnerability (fwd)

On Tue, 28 Sep 1999, Sebastian wrote:
> A lot of people wrote to us and said that the typo where &secret[3] was
> meant but &secret+3 was written within the kernel code was the cause for
> this bug.
>
> In our tests, however, we applied nothing but this one-line patch and we
> still experienced small-difference ISNs (stealth tested this, but I
> believe in his skills :-).

Right.  Andrea Arcangeli proposed this change on the kernel mailing list,
but it wasn't the patch that actually got applied in 2.3.13pre13.  This
is the patch which I believe is intended to fix the easily-guessable
sequence numbers:

--- linux.vanilla/net/ipv4/tcp_ipv4.c	Sat Aug 28 20:00:59 1999
+++ linux.13p13/net/ipv4/tcp_ipv4.c	Sun Sep 26 23:25:18 1999
@@ -525,7 +525,8 @@

 static inline __u32 tcp_v4_init_sequence(struct sock *sk, struct sk_buff *skb)
 {
-	return secure_tcp_sequence_number(sk->saddr, sk->daddr,
+	return secure_tcp_sequence_number(skb->nh.iph->daddr,
+					  skb->nh.iph->saddr,
 					  skb->h.th->dest,
 					  skb->h.th->source);
 }
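Review bot: the argument swap in this hunk is the substantive change and it is correct in context: sk->saddr and sk->daddr are the socket's own fields, and in the path where a SYN arrives on a listener they do not carry the peer's address, so the hash was keyed only on local data (this is the missing remote IP Jeremy describes below); taking skb->nh.iph->daddr as the local address and skb->nh.iph->saddr as the remote one mirrors the skb->h.th->dest / skb->h.th->source port order that was already passed. Two follow-ups: after this change `sk` is unused inside tcp_v4_init_sequence(), so either mark it or drop it from the signature, and a one-line comment saying why the socket fields must not be used here would stop someone "simplifying" it back later. Note also that this hunk does not touch secure_tcp_sequence_number() itself, so the &secret[3] versus &secret+3 question raised in the quoted text is a separate fix and is neither confirmed nor ruled out by this patch.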

If I understand correctly, the bug was that the sequence number initialization
erroneously didn't use the remote's IP address.

                                                         Jeremy
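The effect Jeremy describes (the remote address not entering the hash, so ISNs for different peers differ only by the clock component) is easy to see in a model. The following is an added example written for this archive page; it is not kernel code and not part of the original message. Its toy_mix() is a plain xor/multiply mixer standing in for the kernel's cryptographic hash, the addresses, ports, secret and clock values are constructed for the demonstration, and the listener's daddr being 0 is an assumption of the model (the point being that the listening socket does not know the peer).

```c
/*
 * Toy model of the Linux 2.2 ISN bug discussed in the message above
 * (added example, not kernel code).  ISN = F(secret, local addr, remote
 * addr, local port, remote port) + clock, in the RFC 1948 style.  The
 * buggy path fed the *listening* socket's own address fields to F
 * instead of the addresses from the incoming SYN, so the remote address
 * never entered the hash.  toy_mix() is a stand-in for the kernel's
 * cryptographic hash; all addresses, ports and clock values below are
 * constructed for the demonstration.
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

#define IP4(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | \
                         ((uint32_t)(c) << 8) | (uint32_t)(d))

/* Simple 64-bit mixer (xor/multiply/shift), NOT a cryptographic hash. */
static uint32_t toy_mix(uint32_t secret, uint32_t a, uint32_t b, uint32_t c)
{
    uint64_t x = ((uint64_t)secret << 32) | a;
    x ^= (uint64_t)b * 0x9E3779B97F4A7C15ULL;
    x ^= (uint64_t)c * 0xC2B2AE3D27D4EB4FULL;
    x ^= x >> 29;
    x *= 0xBF58476D1CE4E5B9ULL;
    x ^= x >> 32;
    return (uint32_t)x;
}

/* ISN = F(tuple, secret) + clock.  'clock' models the monotonically
 * increasing component the hash output is added to. */
static uint32_t isn_for(uint32_t secret, uint32_t laddr, uint32_t raddr,
                        uint16_t lport, uint16_t rport, uint32_t clock)
{
    uint32_t ports = ((uint32_t)lport << 16) | rport;
    return toy_mix(secret, laddr, raddr, ports) + clock;
}

/* Listening socket fields as the old code consumed them: saddr is the
 * bound local address, daddr is 0 because a listener has no peer
 * (assumption of this model). */
struct listener { uint32_t saddr; uint32_t daddr; };

/* The arriving SYN: fields taken from its IP and TCP headers. */
struct syn { uint32_t saddr; uint32_t daddr; uint16_t sport; uint16_t dport; };

/* Before the patch: addresses from sk, ports from skb. */
static uint32_t isn_buggy(uint32_t secret, const struct listener *sk,
                          const struct syn *skb, uint32_t clock)
{
    return isn_for(secret, sk->saddr, sk->daddr, skb->dport, skb->sport, clock);
}

/* After the patch: addresses and ports both from skb (local = iph->daddr,
 * remote = iph->saddr); sk is no longer needed. */
static uint32_t isn_fixed(uint32_t secret, const struct listener *sk,
                          const struct syn *skb, uint32_t clock)
{
    (void)sk;
    return isn_for(secret, skb->daddr, skb->saddr, skb->dport, skb->sport, clock);
}

/* Distance between the ISN the server hands a victim and the ISN an
 * attacker observes from a different host using the same source port,
 * clock_gap ticks apart. */
static uint32_t isn_delta(uint32_t (*gen)(uint32_t, const struct listener *,
                                          const struct syn *, uint32_t),
                          uint32_t clock_gap)
{
    const uint32_t secret = 0x5EC2E7u;                          /* constructed */
    const struct listener sk  = { IP4(10, 0, 0, 1), 0 };
    const struct syn victim   = { IP4(10, 0, 0, 5),  IP4(10, 0, 0, 1), 40000, 80 };
    const struct syn attacker = { IP4(192, 0, 2, 7), IP4(10, 0, 0, 1), 40000, 80 };
    uint32_t a = gen(secret, &sk, &attacker, 1000);
    uint32_t v = gen(secret, &sk, &victim, 1000 + clock_gap);
    return v - a;
}

uint32_t delta_buggy(uint32_t clock_gap) { return isn_delta(isn_buggy, clock_gap); }
uint32_t delta_fixed(uint32_t clock_gap) { return isn_delta(isn_fixed, clock_gap); }

int main(void)
{
    /* With the bug, the only thing separating the two ISNs is the clock. */
    printf("buggy: victim ISN - attacker ISN = %" PRIu32 " (the clock gap)\n",
           delta_buggy(50));
    printf("fixed: victim ISN - attacker ISN = %" PRIu32 "\n", delta_fixed(50));
    return 0;
}
```

With the buggy generator the attacker's own connection (same server address and port, same source port) yields a hash value identical to the victim's, so the victim's ISN is the attacker's ISN plus however many ticks have passed, which is the "small-difference ISNs" the quoted test observed. With the remote address in the hash, the two values are unrelated.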
