The Mummy 2018 – Microsoft Accidentally Summons Back Ugly Attacks from the Past

Conference: BlackHat EU 2018

The presentation discusses two attacks on the TCP/IP protocol and provides recommendations for network security.
  • Two attacks on the TCP/IP protocol: key recovery and reading kernel memory
  • Recommendations for network security: avoid fragmentation, do not refactor working code, and search for vulnerabilities in commonly used protocols such as TCP/IP
The speaker demonstrates the key recovery attack, which involves generating pairs of IP paths and using the key candidates to predict IP IDs for different IP paths. This leads to the ability to read uninitialized kernel memory. The speaker also emphasizes the importance of avoiding fragmentation and not refactoring working code.


In the early 2000s attackers could very easily leverage naïve mechanisms of IP fragmentation and reassembly to intercept packets, modify them, or cause denial of service. The same fundamental flaw brought up other techniques such as stealth scan. These attacks relied on the trivial predictability of the IP identification field. The major operating systems fixed the problem by adding a randomization element. A simple and efficient solution.

For years this seemed to have done the trick until a seemingly innocent but unnecessary reorganization of the relevant code in the Windows kernel left things even worse than they began: opening back not only these attacks, but also leaking kernel memory in a very funny way.

Unlike any of the vulnerabilities I've ever had the privilege to discover/research, this vulnerability (CVE-2018-8493) is a (simple) crypto bug, which shouldn't have been so damaging. The system's design, however, caused it to break down the entire mechanism.
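As an added example (not code from the talk or from Microsoft), the following Python audits whether a host you administer still emits the trivially predictable IP ID sequence the abstract describes, distinguishing a global counter from the randomized behaviour the fix was meant to guarantee. The function names and the sample capture are constructed for this illustration.

```python
# Added example: audit IP ID predictability from an observed packet sequence.
# Input is the 16-bit IP identification field of consecutive packets from one
# host, in capture order. All sample values below are constructed.
from collections import defaultdict


def ipid_deltas(ids):
    """16-bit wraparound difference between consecutive IP IDs."""
    return [(b - a) & 0xFFFF for a, b in zip(ids, ids[1:])]


def classify_ipid_sequence(ids):
    """Classify a host's IP ID sequence.

    'zero'         every ID is 0 (DF-only hosts, nothing to predict)
    'incremental'  every step is a small positive constant: a global counter,
                   the pre-randomization behaviour the abstract warns about
    'random'       steps are large and mostly distinct, as a randomized
                   generator should produce
    'unknown'      structured but not a plain counter; worth a closer look
    """
    if len(ids) < 4:
        return "insufficient"
    if all(i == 0 for i in ids):
        return "zero"
    deltas = ipid_deltas(ids)
    if all(1 <= d <= 16 for d in deltas):
        return "incremental"
    if len(set(deltas)) >= 0.8 * len(deltas):
        return "random"
    return "unknown"


def audit_capture(records):
    """Group (src_ip, ip_id) records by source host and classify each host."""
    by_host = defaultdict(list)
    for src, ipid in records:
        by_host[src].append(ipid)
    return {src: classify_ipid_sequence(ids) for src, ids in by_host.items()}


# Constructed sample capture: two hosts, packets interleaved in arrival order.
SAMPLE_CAPTURE = [
    ("192.0.2.10", 0x1A2B), ("198.51.100.7", 0x9C31),
    ("192.0.2.10", 0x1A2C), ("198.51.100.7", 0x04E7),
    ("192.0.2.10", 0x1A2D), ("198.51.100.7", 0xD12A),
    ("192.0.2.10", 0x1A2E), ("198.51.100.7", 0x6F88),
    ("192.0.2.10", 0x1A2F), ("198.51.100.7", 0x2B3D),
]

if __name__ == "__main__":
    for host, verdict in audit_capture(SAMPLE_CAPTURE).items():
        print(host, verdict)
```

A host reported as 'incremental' is the case the abstract calls trivially predictable; 'unknown' means the sequence has structure that a plain counter check does not explain and deserves a longer capture.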