TCP Sequence Number Prediction

Created 5/30/02
CVE-1999-0077

Impact

A remote attacker could hijack an existing session or create a new session using an arbitrary source IP address. If services which use address-based authentication mechanisms are enabled on the server, the attacker could execute arbitrary commands.

Background

The Transmission Control Protocol (TCP) is the protocol used by services such as telnet, ftp, and smtp to establish a connection between a client and a server. Every TCP segment carries a sequence number in its header so that the receiver can detect lost segments and reassemble the data in the correct order. Each side of a connection begins numbering from an initial sequence number (ISN) of its own choosing; the server sends its ISN to the client in the SYN-ACK of the three-way handshake, and the client must acknowledge ISN+1 before the connection is established. Thus sequence numbers also provide a check on the identity of the client: only the host that actually receives the SYN-ACK, i.e. the host at the claimed source address, learns the server's initial sequence number.

The Problem

The TCP implementations on some operating systems choose initial sequence numbers which are constant, time-dependent, incremental, or in some other way not sufficiently randomized. Therefore, by observing the initial sequence numbers of one or more prior connections (for example, connections the attacker opens legitimately from his own address), one could predict the initial sequence number that would be chosen for the next connection. Depending on the algorithm used by the server, either the exact number or a limited range of possible numbers could be predicted; a range can be covered by sending one ACK per candidate.

Normally, a TCP connection is only successful if the client is able to receive and acknowledge the initial sequence number sent by the server. However, an attacker who can guess the initial sequence number the server will choose for a new connection can complete the handshake without ever seeing the SYN-ACK, and so can initiate a session from a forged source IP address, or inject data into (hijack) other users' established sessions. The impact of this vulnerability is especially significant for servers running TCP services which use host-based authentication, such as rlogin, rsh, NFS, any service running under TCP wrappers, and any other service whose configuration allows for a host-based access list: if the forged address is that of a trusted host, the attacker's input is accepted without any password.

Other related CVE entries:
CVE-2000-0328 Windows NT 4.0
CAN-2000-0916 FreeBSD 4.1.1 and earlier
CVE-2001-0288 Cisco IOS 12.1 and earlier
CAN-2002-1463 Symantec Raptor, Enterprise Firewall, VelociRaptor, and Gateway Security

Resolution

The solution described in RFC 1948 (Bellovin, 1996) makes initial sequence numbers unpredictable across clients: instead of drawing every ISN from one global counter, each connection's ISN is offset by a keyed hash of the connection's four-tuple (local address, local port, remote address, remote port) and a secret, so the ISNs an attacker observes on his own connections reveal nothing about the ISN the server will choose for a connection from a different address. Check CERT Advisory CA-2001-09 to see whether your vendor has released a patch which implements this solution. If your operating system is vulnerable and there is no patch available, it would be advisable to upgrade your operating system. Most modern operating systems generate ISNs this way (the scheme is now specified in RFC 6528, which obsoletes RFC 1948) and are not affected by this vulnerability.
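The following Python model ties together the handshake described under Background, the blind prediction attack described under The Problem, and the RFC 1948 fix described here. It is an added example, not code from the original page or from any vendor's TCP stack: the addresses and ports, the fixed 64000-per-connection step of the weak generator, and the choice of MD5-HMAC for the function F are constructed assumptions (RFC 1948 leaves the hash to the implementer). Only the sequence-number check of the handshake is modelled; the RST that the real trusted host would send in reply to an unsolicited SYN-ACK is left out.

```python
"""Blind ISN-prediction attack against an incremental ISN generator versus an
RFC 1948 generator.  Constructed example: hosts, ports and parameters made up."""
import hashlib
import hmac
import os
import time

MASK = 0xFFFFFFFF  # TCP sequence numbers are 32-bit


class IncrementalIsn:
    """Constructed weak generator: one global counter stepped by a fixed amount
    per connection (the 'incremental' case in the text)."""

    def __init__(self, step=64000):
        self.counter = int.from_bytes(os.urandom(4), "big")
        self.step = step

    def __call__(self, laddr, lport, raddr, rport):
        self.counter = (self.counter + self.step) & MASK
        return self.counter


class Rfc1948Isn:
    """ISN = M + F(localhost, localport, remotehost, remoteport, secret):
    M is a 4-microsecond clock, F a keyed hash of the 4-tuple (HMAC-MD5 here,
    an assumption; RFC 1948 does not mandate a particular hash)."""

    def __init__(self, secret=None, clock=time.monotonic):
        self.secret = secret if secret is not None else os.urandom(16)
        self.clock = clock

    def __call__(self, laddr, lport, raddr, rport):
        m = int(self.clock() * 250_000) & MASK  # 250 000 ticks/s = 4 us tick
        tag = f"{laddr}:{lport}:{raddr}:{rport}".encode()
        f = int.from_bytes(hmac.new(self.secret, tag, hashlib.md5).digest()[:4], "big")
        return (m + f) & MASK


class TcpServer:
    """Passive side of the three-way handshake.  recv_syn() returns the ISN that
    leaves in the SYN-ACK; that segment is routed to the *claimed* source
    address, so a spoofing attacker never receives it."""

    def __init__(self, isn_generator, addr="10.0.0.1", port=513):
        self.isn, self.addr, self.port = isn_generator, addr, port
        self.half_open = {}  # (src_addr, src_port) -> ISN we sent
        self.established = set()

    def recv_syn(self, src_addr, src_port):
        isn = self.isn(self.addr, self.port, src_addr, src_port)
        self.half_open[(src_addr, src_port)] = isn
        return isn

    def recv_ack(self, src_addr, src_port, ack):
        isn = self.half_open.pop((src_addr, src_port), None)
        if isn is None or ack != (isn + 1) & MASK:
            return False  # wrong acknowledgement: handshake fails
        self.established.add((src_addr, src_port))
        return True


def blind_spoof(server, attacker_addr="192.0.2.66", trusted_addr="10.0.0.2", probes=3):
    """Attacker at attacker_addr opens a few real connections to sample the
    server's ISNs, extrapolates the next one, then sends a SYN as trusted_addr
    and ACKs the guess without ever seeing the SYN-ACK.  Returns True if the
    spoofed connection reaches ESTABLISHED."""
    seen = []
    for i in range(probes):
        isn = server.recv_syn(attacker_addr, 40000 + i)  # SYN-ACK reaches us
        server.recv_ack(attacker_addr, 40000 + i, (isn + 1) & MASK)
        seen.append(isn)
    delta = (seen[-1] - seen[-2]) & MASK  # observed per-connection increment
    guess = (seen[-1] + delta) & MASK     # predicted ISN of the next connection
    server.recv_syn(trusted_addr, 1023)   # forged SYN from a "trusted" host
    return server.recv_ack(trusted_addr, 1023, (guess + 1) & MASK)


def isn_deltas(isn_generator, n=5):
    """Differences between the ISNs of successive connections from one client;
    a constant list means the generator is trivially predictable."""
    isns = [isn_generator("10.0.0.1", 513, "192.0.2.66", 40000 + i) for i in range(n)]
    return [(b - a) & MASK for a, b in zip(isns, isns[1:])]


if __name__ == "__main__":
    print("incremental ISN, spoof established:", blind_spoof(TcpServer(IncrementalIsn())))
    print("RFC 1948 ISN, spoof established:   ", blind_spoof(TcpServer(Rfc1948Isn())))
    print("incremental deltas:", isn_deltas(IncrementalIsn()))
    print("RFC 1948 deltas:   ", isn_deltas(Rfc1948Isn(clock=lambda: 0.0)))
```

With the incremental generator the three probe connections reveal the step, the guess is exact, and the forged connection is established. With the RFC 1948 generator the probes only reveal ISNs for the attacker's own four-tuples; the offset F for the trusted host's tuple depends on the secret, so the guess is right with probability about 2^-32. Note that the per-tuple offset is not itself random: two successive connections with the same four-tuple still get ISNs that differ only by the elapsed clock ticks, which is exactly what RFC 1948 intends, since it preserves the anti-reuse property of RFC 793 while denying prediction across hosts.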

Windows NT users should apply Service Pack 6a and install the patch referenced in Microsoft Security Bulletin MS99-046.

Where can I read more about this?

For more information on TCP, see RFC 793.

For more information on initial sequence number predictability, IP address spoofing, and session hijacking, see the Microsoft Security Bulletin MS99-046 Frequently Asked Questions and CERT Advisory CA-1995-01.