|
11 | 11 | * and incorrectly reported as vulnerable without proper verification. In some |
12 | 12 | * systems, hosts can leak information of value to attackers. |
13 | 13 | * |
14 | | - * Hosts with randomized timestamps are protected from such attacks, while others |
15 | | - * may expose detailed system uptime and time information that attackers can use in |
16 | | - * subsequent attacks. Attack scenarios could include hosts that use system time to seed |
17 | | - * random generators to generate passwords as an example, testing when a system rebooted |
18 | | - * to understand maintenance cycles, automated patching, testing if a kernel panic DoS |
19 | | - * was successful and lastly fingerprinting with systems exposed behind NAT. |
| 14 | + * Hosts with *true* per-packet randomized timestamps are protected. Linux |
| 15 | + * with net.ipv4.tcp_timestamps=1 is *not* — it applies a random offset per |
| 16 | + * connection, but the counter remains strictly monotonic at ~1000 Hz. |
20 | 17 | * |
21 | 18 | * The tool sends TCP SYN packets with timestamp options to target hosts and |
22 | 19 | * analyzes the returned timestamp values to determine: |
|
42 | 39 | * Environment Variables: |
43 | 40 | * DEBUG=1 Enable packet-level hex dump tracing |
44 | 41 | * |
45 | | - * Linux Kernel TIMECRIME attack |
46 | | - * ============================= |
47 | | - * Linux sysctl can be 0 - disable, 1 - randomized, 2 - insecure. |
48 | | - * e.g. "sudo sysctl -w net.ipv4.tcp_timestamps=2" to test PoC. |
| 42 | + * LINUX TIMECRIME KERNEL VULNERABILITY (net.ipv4.tcp_timestamps=1) |
| 43 | + * ================================================================ |
| 44 | + * Linux sysctl values: |
| 45 | + * 0 = disabled (secure, no leak) |
| 46 | + * 1 = "randomized" (default) BROKEN |
| 47 | + * 2 = monotonic (insecure) |
49 | 48 | * |
50 | | - * We have noticed that on some Linux distributions net.ipv4.tcp_timestamps=1 |
51 | | - * (the "randomized" default) DOES NOT RANDOMIZE PER-CONNECTION on real kernels. |
52 | | - * Tested on DigitalOcean using kernel 6.12.48, Debian 13, 2025-11-07. Identical |
53 | | - * monotonic 1000 Hz curve is seen with both 1 or 2 set. RFC 7323 §3.2 requires |
54 | | - * per-connection jitter — Linux appears to ignore it. |
| 49 | + * Contrary to documentation and RFC 7323 §3.2, mode 1 does *not* prevent |
| 50 | + * uptime disclosure. A random offset is added per connection, but: |
| 51 | + * * The base counter is jiffies-based and monotonic |
| 52 | + * * Increment = ~1000 ticks/sec (HZ) |
| 53 | + * * Uptime = (last_TSval - first_TSval) / 1000 → accurate |
55 | 54 | * |
56 | | - * Impact: Any Internet-facing Linux box leaks exact boot time and OS fingerprint to |
57 | | - * an unauthenticated attacker despite intending to randomize the data. |
58 | | - * CVSS 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| 55 | + * Tested on kernel 6.12.48 (Debian 13, DigitalOcean, 2025-11-07): |
| 56 | + * Even with =1, PoC reports precise uptime and 1000 Hz clock. |
| 57 | + * |
| 58 | + * Impact: |
| 59 | + * * Remote, unauthenticated uptime/boot-time disclosure |
| 60 | + * * OS fingerprinting (1000 Hz → modern Linux) |
| 61 | + * * Patch cycle tracking, DoS validation, VM reuse detection |
| 62 | + * |
| 63 | + * CVSS: 5.3 (AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N) |
| 64 | + * |
| 65 | + * Reported to [email protected] 07/11/2025. Only fix: set =0. |
59 | 66 | * |
60 | 67 | * Author: hackerfantastic |
61 | 68 | * Website: https://hacker.house/ |
|
0 commit comments