Possible PAWS security vulnerability

From: Tim Traver (tt-listsimplenet.com)
Date: Fri May 20 2005 - 11:26:58 CDT


Hello security gurus,

Yesterday, I mistakenly posted a question on the questions list about
this article:

http://www.securityfocus.com/bid/13676/info/

which talks about a form of DOS vulnerability.

I was curious as to the possibility of FreeBSD 5.x being affected, and
if anyone was working on this or not.

Ted Mittelstaedt posted this possible patch based upon the OpenBSD patch:

in /usr/src/sys/netinet

*** tcp_input.c.original Thu May 19 11:52:30 2005
--- tcp_input.c Thu May 19 12:00:14 2005
***************
*** 976,984 ****
--- 976,992 ----
                 * record the timestamp.
                 * NOTE that the test is modified according to the latest
                 * proposal of the tcplwcray.com list (Braden 1993/04/26).
+ * NOTE2 additional check added as a result of PAWS vulnerability
+ * documented in Cisco security notice cisco-sn-20050518-tcpts
+ * from OpenBSD patch for OpenBSD 3.6 015_tcp.patch
                 */
                if ((to.to_flags & TOF_TS) != 0 &&
                    SEQ_LEQ(th->th_seq, tp->last_ack_sent)) {
+ if (SEQ_LEQ(tp->last_ack_sent, th->th_seq + tlen
+
+ ((thflags & (TH_SYN|TH_FIN)) != 0)))
+ tp->ts_recent = to.to_tsval;
+ else
+ tp->ts_recent = 0;
                        tp->ts_recent_age = ticks;
                        tp->ts_recent = to.to_tsval;
                }
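
Review bot: The unchanged context line `tp->ts_recent = to.to_tsval;` that follows the added if/else still assigns ts_recent unconditionally, so whatever the new SEQ_LEQ check decided (including the `tp->ts_recent = 0;` branch) is overwritten and the hunk as shown leaves behaviour unchanged. That line should appear as a removal in the diff. The added condition is also split so that a lone `+` sits between `th->th_seq + tlen` and `((thflags & (TH_SYN|TH_FIN)) != 0)))`; if that `+` is a diff marker on an empty line rather than the operator, the expression will not compile, so confirm the applied file reads `th->th_seq + tlen + ((thflags & (TH_SYN|TH_FIN)) != 0)`. Because the if/else has no braces, `tp->ts_recent_age = ticks;` also runs when ts_recent is zeroed; the NOTE2 comment should say whether that is intended.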

After I basically let Ted know that I wouldn't know how to test the
patch, because I don't even know how to break it in the first place, he
went on a tirade calling me a troll, and all sorts of nasty accusations
and general belittlement.

I hope that you don't have to work with him on a regular basis, because
he appears to be the definition of the word "dickhead."

Tim.

_______________________________________________
freebsd-securityfreebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-security-unsubscribefreebsd.org"