Reading Steve Gibson's (or at least someone claiming to be Steve Gibson's) response to questions concerning this at http://www.dslreports.com/forum/remark,1859774~root=security,1~mode=flat, he says, and I quote, "In other words, it is COMPLETELY IMPOSSIBLE to use the ShieldsUP system to launch any sort of denial of service attack against anyone. It's simply not true."

Interesting...

Blake

----- Original Message -----
From: <Magniat_private>
To: <INCIDENTSat_private>
Sent: Monday, November 26, 2001 12:53 PM
Subject: Malicious use of grc.com

> Greetings:
>
> ShieldsUp(tm) is an application developed by Steve Gibson of Gibson Research Corporation that allows a web user to request a remote port scan of their local system via the GRC.Com web site (https://grc.com/x/ne.dll?bh0bkyd2). The "Probe my Ports" option performs a scan of many common TCP ports and reports the status of each port back to the user's browser.
>
> The development of the application and its method of identifying the client IP address is quite insecure. As a result, ShieldsUp! allows the web user to perform a port scan against any other machine on the Internet and return the results to the web user. The remote system will log the scan as having originated from one of Steve Gibson's machines.
>
> Gibson has chosen to use a simple hidden tag in the client-side HTML code to identify the IP address that is passed to the scanning engine. Though the client's IP address is hashed, it is trivial to alter the value of the hidden tag in order to request that a different IP address be scanned. The true IP address is never checked in the HTTP header during the scan: ShieldsUp happily scans the other box while returning the result set to the browser of the box that requested the scan.
>
> Fenris, The Wolf, a member of Hammer of God, quickly reviewed the hash algorithm used to represent the IP address and found it weak; therefore, one can easily submit requests, via the Shields Up web page, for specific IP addresses to be scanned. These findings are not my own, and I have not included the details of the hash here as it is used to display a copyrighted page. The Wolf may post his findings if he chooses to do so, but I will not make that choice for him.
>
> Instead, we can easily bypass the need to crack the hash by simply using the "IP Agent" supplied by Gibson. Over a year ago, a hacked version of IP Agent was published that allowed one to supply an address to scan. Gibson discounted this as a non-issue, but reportedly fixed IP Agent to perform a check to prevent this from happening.
>
> However, IP Agent now supports multiple client IP addresses. One simply needs to bind the targeted IP addresses to a local interface and perform a scan request. In this case, ShieldsUp presents friendly command buttons listing the IP addresses bound to the local interfaces and allows you to select any one that you want scanned. Again, no other checking is done, and ShieldsUp will scan whatever IP address you ask it to and display the results in your own browser.
>
> According to the scanning page, "Information gained will NOT be retained, viewed, or used by us in any way for any purpose whatsoever", which basically invites anyone to use Gibson's site to do port scans of other people's boxes without fear of detection.
>
> Additionally, multiple POST requests can easily be scripted to perform scans against a site in an attempt to perform a denial of service attack against a host. In these cases, with sufficient requests generated, one could ask grc.com to attack another site and it will comply.
>
> One would have hoped that, instead of spending so much time expounding on the theoretical DoS capabilities of Raw Sockets, Mr. Gibson had used that time to properly develop his own application in order to prevent the same. Those concerned with malicious attacks from grc.com should block Gibson's netblock at the border.
>
> Cheers,
> Magni
>
> ----------------------------------------------------------------------------
> This list is provided by the SecurityFocus ARIS analyzer service.
> For more information on this free incident handling, management
> and tracking system please see: http://aris.securityfocus.com
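The design flaw Magni describes, as an added example that is not part of the original thread and not code from GRC or ShieldsUp: a scan target read from a client-controlled hidden field beside a handler that fixes the target to the address the TCP connection actually came from, plus a per-source request cap for the scripted-POST case. The `client_side_tag` digest is a constructed stand-in for "a hashed IP in a hidden tag" and is not the real ShieldsUp hash; the addresses, form dicts and window sizes are likewise constructed. Deriving the target from the peer address also covers the IP Agent trick, since binding someone else's address to a local interface does not make that address the source of your TCP connection.

```python
"""Scan-target selection: the client-trusting pattern described in the post
beside a connection-derived alternative, plus a per-source request cap.
Added example; not code from GRC or ShieldsUp. The tag scheme below is a
constructed stand-in, not the real ShieldsUp hash."""
import hashlib
import ipaddress
import time
from collections import defaultdict


def client_side_tag(ip: str) -> str:
    """Unkeyed digest of the address (constructed stand-in). Anyone who knows
    the scheme can mint a valid tag for any address, so it authenticates nothing."""
    return hashlib.sha1(ip.encode()).hexdigest()


def vulnerable_scan_target(form: dict, remote_addr: str) -> str:
    """Target comes from a hidden form field; remote_addr is never compared
    against it. A client can rewrite both fields and point the scan anywhere."""
    ip = form["ip"]
    if form.get("tag") != client_side_tag(ip):
        raise ValueError("malformed request")
    return ip  # remote_addr deliberately unused: this is the flaw


def hardened_scan_target(form: dict, remote_addr: str) -> str:
    """Target is the address the TCP connection actually came from. Anything the
    client offers (a hidden field, a list of locally bound addresses) is accepted
    only if it equals that peer; otherwise the request is refused."""
    peer = ipaddress.ip_address(remote_addr)
    if peer.is_loopback or peer.is_multicast or peer.is_unspecified:
        raise PermissionError(f"refusing to scan {peer}")
    claimed = form.get("ip")
    if claimed is not None and ipaddress.ip_address(claimed) != peer:
        raise PermissionError(f"form claims {claimed}, connection is from {peer}")
    return str(peer)


class PerSourceRateLimiter:
    """Sliding-window counter keyed on the peer address: bounds how many probes
    one source can trigger per window, whatever it puts in the form."""

    def __init__(self, max_per_window: int, window_seconds: float, clock=time.monotonic):
        self.max = max_per_window
        self.window = window_seconds
        self.clock = clock  # injectable so the window can be tested deterministically
        self._hits = defaultdict(list)

    def allow(self, peer: str) -> bool:
        now = self.clock()
        recent = [t for t in self._hits[peer] if now - t < self.window]
        if len(recent) >= self.max:
            self._hits[peer] = recent
            return False
        recent.append(now)
        self._hits[peer] = recent
        return True


def handle_probe_request(form: dict, remote_addr: str, limiter: PerSourceRateLimiter) -> str:
    """Hardened front door: fix the target from the connection, then apply the cap."""
    target = hardened_scan_target(form, remote_addr)
    if not limiter.allow(target):
        raise PermissionError(f"too many probe requests from {target}")
    return target


if __name__ == "__main__":
    # Constructed requests: a client at 198.51.100.7 asks for 198.51.100.99 to be scanned.
    attacker_form = {"ip": "198.51.100.99", "tag": client_side_tag("198.51.100.99")}
    print("vulnerable handler scans:", vulnerable_scan_target(attacker_form, "198.51.100.7"))
    try:
        hardened_scan_target(attacker_form, "198.51.100.7")
    except PermissionError as err:
        print("hardened handler refuses:", err)
```

The hardened handler assumes the scanner terminates the TCP connection itself, so `remote_addr` is the real peer. Behind a reverse proxy `remote_addr` is the proxy, and `X-Forwarded-For` is just another client-supplied field unless a trusted proxy strips and sets it; in that deployment the same rule applies to whichever value the proxy vouches for, never to one the browser sent.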
This archive was generated by hypermail 2b30 : Tue Nov 27 2001 - 11:59:13 PST