Retro cyber-attack returns to haunt widely used, end-of-life OS
Windows 7 remains vulnerable to blind TCP/IP hijacking attacks via a vulnerability that a security researcher says he reported to Microsoft eight years ago.
Adam Zabrocki (AKA ‘pi3’) has recounted during a blog post how in 2008 he fashioned a proof-of-concept of this venerable attack technique with Windows XP the target.
Later, in 2012, he warned Microsoft that each one subsequent versions up to Windows 7 – the newest version at that point – contained an equivalent TCP/IP stack flaw that made the attack viable.
Although Microsoft deemed the bug “very difficult” to take advantage of and thus only fixed it in Windows 8, Zabrocki says that he was ready to rework the attack to be used against Windows 7 – noting that doing so was even easier than fixing an up-to-date version of the OS.
Launched in 2009, Windows 7 reached its end of life a year ago, meaning that users do not receive security patches.
However, roughly one in four PCs are believed to still be running the aging OS, leaving them potentially susceptible to a sort of cyber-attack that was famously deployed against a Japanese security researcher back in 1994.
“At minimum, this bug allows the attacker to use any Windows 7 machine as a ‘zombie host’ to execute an ‘idle scan’” – which may be a “sophisticated TCP port scanning technique because there’s no interaction between the attacker computer and therefore the target”, and therefore the “attacker is invisible to the target”, Zabrocki, a former Microsoft security engineer.
“At most, attackers can fully hijack any established TCP connection.”
Fortunately, latest protocols implement encryption that limits the attacker’s options unless they will “correctly generate encrypted messages” – an “unlikely” scenario, says Zabrocki.
Nevertheless, there remain “widely deployed protocols which don’t encrypt the traffic, e.g, FTP, SMTP, HTTP, DNS, IMAP, and more” that might permit an attacker to “send any commands on behalf of the first client”.
Critical protocols like TELNET that are utilized in many IoT devices could enable “the most crucial scenario”, adds the researcher, with hijacked sessions potentially having a “catastrophic impact”.
Trial and error
Zabrocki’s exploit modified an attack technique documented by another researcher in 2007 that was effective against FreeBSD 4 and Windows 2K/XP because both OS’ used IP_ID as a worldwide counter that increments, predictably, with each sent IP packet.
This also applies to Windows 7, many printers, “older Linux/FreeBSD/Mac OS hosts and doubtless more”, Zabrocki says.
By contrast, Windows 8 onwards and most other modern OS implement IP_ID as a ‘local’ counter per session, each of which has an independent IP_ID base.
Brute forcing the ACK
Zabrocki sent packets with an IP header to the victim’s client so as to determine what percentage packets were sent between each probe. This created a “covert channel” through which he could discover the client IP and port, and sequence numbers for both client and server.
Unlike his XP exploit, Zabrocki’s Windows 7 tool doesn’t got to send two spoofed TCP packets with different ACK values to validate the server SND.NEXT, and ascertained the client’s SND.NEXT by brute-forcing the ACK with spoofed packets containing the right SQN and various ACK permutations.
“We don’t have to verify every possible value of ACK, we will still use an equivalent trick with TCP window size,” he says.