Retro cyber-attack returns to haunt widely used, end-of-life operating system

Blind TCP/IP hijacking is resurrected for Windows 7

UPDATED Windows 7 is still susceptible to blind TCP/IP hijacking attacks via a vulnerability that a security researcher says he reported to Microsoft eight years ago.

Adam Zabrocki (AKA ‘pi3’) has recounted in a blog post how in 2008 he fashioned a proof-of-concept of this venerable attack technique with Windows XP the target.

Later, in 2012, he warned Microsoft that all subsequent versions up to Windows 7 – the latest version at that time – contained the same TCP/IP stack flaw that made the attack viable.

Although Microsoft deemed the bug “very difficult” to exploit and therefore only fixed it in Windows 8, Zabrocki says that he was able to rework the attack for use against Windows 7 – noting that doing so was even easier than setting up an up-to-date version of the operating system (OS).

Launched in 2009, Windows 7 reached its end of life a year ago, meaning that users no longer receive security patches.

Read more of the latest Microsoft security news

However, roughly one in four PCs are believed to still be running the aging OS, leaving them potentially vulnerable to a form of cyber-attack that was famously deployed against a Japanese security researcher back in 1994.

Encryption mitigation

“At minimum, this bug allows the attacker to use any Windows 7 machine as a ‘zombie host’ to execute an ‘idle scan’” – which is a “sophisticated TCP port scanning technique because there is no interaction between the attacker computer and the target”, and the “attacker is invisible to the target”, Zabrocki, a former Microsoft security engineer, tells The Daily Swig.

“At most, attackers can fully hijack any established TCP connection.”

Fortunately, most modern protocols implement encryption that limits the attacker’s options unless they can “correctly generate encrypted messages” – an “unlikely” scenario, says Zabrocki.

Nevertheless, there remain “widely deployed protocols which do not encrypt the traffic, e.g, FTP, SMTP, HTTP, DNS, IMAP, and more” that would permit an attacker to “send any commands on behalf of the original client”.

Critical protocols such as TELNET that are used in many IoT devices could enable “the most critical scenario”, adds the researcher, with hijacked sessions potentially having a “catastrophic impact”.

However, a Microsoft spokesperson told The Daily Swig: “The technique described relies on a set of specific conditions that make it very difficult to execute in a real-world scenario. We do not plan to address this with a security update. We recommend customers use Windows 10 for the best protection.”

YOU MIGHT ALSO LIKE Pwnable Document Format: Windows PDF viewers outperformed by browser, macOS, Linux counterparts

Trial and error

Zabrocki’s exploit modified an attack technique documented by another researcher in 2007 that was effective against FreeBSD 4 and Windows 2K/XP because both OS’ used IP_ID as a global counter that increments, predictably, with each sent IP packet.

This also applies to Windows 7, many printers, “older Linux/FreeBSD/Mac OS hosts and probably more”, Zabrocki says.

By contrast, Windows 8 onwards and most other modern OS’ implement IP_ID as a ‘local’ counter per session, each of which has an independent IP_ID base.

Brute forcing the ACK

Zabrocki sent packets with an IP header to the victim’s client in order to ascertain how many packets were sent between each probe. This created a “covert channel” through which he could discover the client IP and port, and sequence numbers for both client and server.

Unlike his XP exploit, Zabrocki’s Windows 7 tool doesn’t need to send two spoofed TCP packets with different ACK values to validate the server SND.NEXT, and ascertained the client’s SND.NEXT by brute-forcing the ACK with spoofed packets containing the correct SQN and various ACK permutations.

“We don’t need to verify every possible value of ACK, we can still use the same trick with TCP window size,” he says.

This article was updated on January 29 with a statement from Microsoft

YOU MAY ALSO LIKE Critical zero-day RCE in Microsoft Office 365 awaits third security patch