Recently saw something different in my Black Ice logs. AdvICE says that this particular attack is related to an old problem in FW-1 and PIX reported by John McDonald and Thomas Lopatic in 2000 (see http://www.securityfocus.com/bid/979), wherein packets destined for an FTP server behind a vulnerable PIX or FW-1, using a small segment size and specially crafted PASV arguments (similar to the FTP bounce attack), could be used to exploit other services (Solaris 2.6 tooltalk was used in the bid 979 example).

The log entry, with the field names from the Black Ice export on the first line and the values on the second:

Severity timestamp(GMT) issueId issueName intruderIp intruderName victimIp victimName parameters count responseLevel intruderPort victimPort packetFlags
4 2002-12-04 07:32:53 2000316 "TCP small segment size" 12.37.34.75 mail.omnisys-inc.com 131.xxx.xx.xxx port=21|57&flags=S&options=maxseg:1460;bad_length:80 8 A 21855 21 0x26c06

This particular attacker came in from mail.omnisys-inc.com, and the signature of their scan looks very much like the FX-Scanner (fx-tools.net) mentioned on Incidents recently; see http://online.securityfocus.com/archive/75/299560/2002-11-10/2002-11-16/0 for more discussion on this.

The pattern of my attacker is as follows:

- Two ICMP pings using the data "hello???"
- Six SYNs for HTTP (firewalled)
- Six SYNs for TCP 57 (evidently because this port is usually closed)
- Six SYNs for TCP 21 (FTP)

The MSS is 1460 bytes, and Ethereal says "Maximum segment size (option length = 80 bytes says option goes past end of options)" in the TCP options section. From what I recall, 1460 is a common MSS over PPP and Ethernet links, but it looks like this scanner indicates 1460 but is actually trying to use 80 instead, similar to John McDonald's discussion where he set the MTU to 100.

Is anyone aware of any newer vulnerabilities that are being exploited by this technique?
Curt Wilson
Netw3 Security Research
www.netw3.com

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
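For readers who want to reproduce what Black Ice and Ethereal flagged here, the following is an added example (not code from the post, from Black Ice or from the FX-Scanner) that parses the option block of a TCP SYN and reports the two conditions in the log entry above: an MSS option whose declared length runs past the end of the options area (the "bad_length:80" / "option goes past end of options" case) and an advertised MSS that is suspiciously small. Function names (build_tcp_header, parse_tcp_options, analyze_syn) and the 536-byte threshold (the RFC 879 default MSS) are my own choices; the sample headers are constructed, modelled on the 21855 -> 21 SYN in the log, with zeroed sequence numbers and checksum.

```python
"""Parse the option block of a TCP SYN and flag a malformed or tiny MSS.

Added example: parses only what the Black Ice / Ethereal output above
describes, and uses constructed sample headers rather than captured traffic.
"""
import struct

SYN = 0x02
# RFC 879 default MSS; anything smaller than this in a SYN is worth a look.
DEFAULT_MIN_MSS = 536


def build_tcp_header(src_port, dst_port, flags, options=b""):
    """Constructed sample data: a minimal TCP header (seq/ack/checksum zero)
    followed by the given option bytes, padded to a 32-bit boundary."""
    options += b"\x00" * ((-len(options)) % 4)
    data_offset_words = (20 + len(options)) // 4
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset_words << 4, flags, 65535, 0, 0)
    return fixed + options


def parse_tcp_options(header):
    """Walk the TCP option list. Returns (parsed_options, findings), where
    findings are strings describing malformed encodings."""
    if len(header) < 20:
        raise ValueError("truncated TCP header")
    data_offset = (header[12] >> 4) * 4
    if data_offset < 20 or data_offset > len(header):
        raise ValueError("data offset %d inconsistent with %d-byte header"
                         % (data_offset, len(header)))
    opts = header[20:data_offset]
    parsed, findings = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == 0:                      # End of Option List
            break
        if kind == 1:                      # No-Operation: single byte
            i += 1
            continue
        if i + 1 >= len(opts):
            findings.append("option kind %d has no length byte" % kind)
            break
        length = opts[i + 1]
        remaining = len(opts) - i
        if length < 2:
            findings.append("option kind %d has illegal length %d" % (kind, length))
            break
        if length > remaining:
            # This is the condition Ethereal reports as "option goes past end
            # of options": the option claims more bytes than the header holds.
            findings.append("option kind %d: declared length %d exceeds the "
                            "%d bytes left in the options area"
                            % (kind, length, remaining))
            break
        body = opts[i + 2:i + length]
        if kind == 2:                      # Maximum Segment Size
            if length != 4:
                findings.append("MSS option has length %d, expected 4" % length)
            else:
                parsed.append(("MSS", struct.unpack("!H", body)[0]))
        else:
            parsed.append((kind, body))
        i += length
    return parsed, findings


def analyze_syn(header, min_mss=DEFAULT_MIN_MSS):
    """Return {"mss": value-or-None, "alerts": [...]} for one TCP header."""
    flags = header[13]
    if not flags & SYN:
        return {"mss": None, "alerts": ["not a SYN; MSS is only meaningful on SYN"]}
    parsed, findings = parse_tcp_options(header)
    alerts = list(findings)
    mss = next((v for k, v in parsed if k == "MSS"), None)
    if mss is not None and mss < min_mss:
        alerts.append("small segment size: MSS %d < %d" % (mss, min_mss))
    return {"mss": mss, "alerts": alerts}


# Constructed samples modelled on the log entry above (SYN, port 21855 -> 21).
NORMAL_SYN = build_tcp_header(21855, 21, SYN, b"\x02\x04\x05\xb4")      # MSS 1460, length 4
BAD_LENGTH_SYN = build_tcp_header(21855, 21, SYN, b"\x02\x50\x05\xb4")  # MSS 1460, length 0x50 = 80
SMALL_MSS_SYN = build_tcp_header(21855, 21, SYN, b"\x02\x04\x00\x50")   # MSS 80, well-formed

if __name__ == "__main__":
    for name, pkt in [("normal", NORMAL_SYN), ("bad_length", BAD_LENGTH_SYN),
                      ("small_mss", SMALL_MSS_SYN)]:
        print(name, analyze_syn(pkt))
```

The parser stops at the first malformed option rather than guessing where the next one starts, which is why the bad-length sample yields no MSS value at all: a header that says "maxseg 1460" with an 80-byte option length is reported as malformed, not as a 1460-byte MSS, matching the distinction the log entry draws between maxseg and bad_length.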
This archive was generated by hypermail 2b30 : Thu Dec 05 2002 - 19:27:58 PST