[Full-Disclosure] A new TCP/IP blind data injection technique?
Valdis.Kletnieks at vt.edu
Sat Dec 13 20:04:10 GMT 2003
On Sat, 13 Dec 2003 03:35:25 MST, Michael Gale <michael at bluesuperman.com> said:
> For example the BorderWare Firewall will not accept fragmented packets,
> they are working on a firewall function that, when fragmented packets
> arrive, will save the first piece plus all frags until the final one
> is received, put the packet back together and do a sanity check of some
> sort, then pass or drop the packet.
So the problem is that the host may re-assemble a fragmented packet with injected
data in it.
And we protect against it by.... you got it.. having the firewall re-assemble the
fragmented packet with injected data and then handing the re-assembled full
packet (with injected data) to the host.
Whoops.
Full-Disclosure is hosted and sponsored by Secunia.
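
The point of the reply above as a small in-memory model, added here as an illustration and not part of the original message: a reassembler matches fragments only on (source, destination, protocol, IP ID), so reassembling at the firewall yields the same bytes the host would have built. The `Frag` tuple, addresses, function names and the first-arrival-wins overlap policy are assumptions made for the demo; `conflicting_overlaps` is one possible form of the "sanity check" and only fires if both versions of a byte range are seen.

```python
from collections import namedtuple

# Constructed sample data: key is (src, dst, proto, ip_id), the only fields
# a reassembler matches on. "origin" exists only in this demo; it is not
# on the wire, so neither host nor firewall can consult it.
Frag = namedtuple("Frag", "key offset more data origin")
KEY = ("192.0.2.10", "198.51.100.5", 6, 0x1234)

ARRIVALS = [
    Frag(KEY, 0, True, b"GENUINE-", "sender"),
    Frag(KEY, 8, False, b"INJECTED", "third party"),  # forged, arrives first
    Frag(KEY, 8, False, b"ORIGINAL", "sender"),       # genuine, arrives late
]

def reassemble(frags):
    """First-arrival-wins reassembly; returns bytes, or None if incomplete."""
    buf, total = {}, None
    for f in frags:
        for i, b in enumerate(f.data):
            buf.setdefault(f.offset + i, b)   # keep the byte seen first
        if not f.more:
            total = total or f.offset + len(f.data)
    if total is None or any(i not in buf for i in range(total)):
        return None
    return bytes(buf[i] for i in range(total))

def firewall_forward(frags):
    """Reassemble at the firewall, then hand one whole packet to the host."""
    packet = reassemble(frags)
    return [] if packet is None else [Frag(frags[0].key, 0, False, packet, "firewall")]

def conflicting_overlaps(frags):
    """Offsets where two fragments of one datagram disagree on a byte."""
    seen, bad = {}, set()
    for f in frags:
        for i, b in enumerate(f.data):
            if seen.setdefault((f.key, f.offset + i), b) != b:
                bad.add(f.offset + i)
    return sorted(bad)

host_direct = reassemble(ARRIVALS)
host_behind_firewall = reassemble(firewall_forward(ARRIVALS))
```

If the firewall completes reassembly before the genuine second fragment arrives, `conflicting_overlaps` has nothing to compare and returns an empty list.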