Re: [Full-Disclosure] Bypassing Black Ice PC protection?

From: Curt Wilson (netw3_securityat_private)
Date: Mon Mar 10 2003 - 19:58:05 PST


    -----BEGIN PGP SIGNED MESSAGE-----
    
    
    Paulo + everyone, the techniques mentioned in that bugtraq message mentioned here are applicable from WITHIN the host protected by a personal firewall, so if a malicious applet or some other malware took control of the system from a local administrator for instance, the firewall could be easily bypassed from that side. This is not what I'm seeing. What I've seen is an Internet based attacker getting TCP SYN packets through Black Ice PC Protection, reaching an application (FTP server). If the IP was blocked at the system's 'edge', then the FTP server log should not have shown any such IP address entry, because as far as the FTP server *should* know, there was no connection attempt. The attacker did not actually start a session with the FTP server due to IP based access control within the server itself. Still, seeing Black Ice be 'melted' as a friend said, is troubling. I've double-checked the firewall rules and there is nothing that specifies that this IP should be allowed through.
    
    Since the attacker, or the attacker's script more likely, was rejected by the FTP application, I don't know how likely it is that this specific attacker will come back so I can capture his methods in more detail.
    
    I'll be working on reproducing this behavior myself, but if anyone has additional info please drop me a line. If I can reproduce then I'll talk to ISS.
    
    On Mon, 10 Mar 2003 17:19:41 -0800 Darwin <darwinat_private> wrote:
    >----- Original Message -----
    >From: "Curt Wilson" <netw3_securityat_private>
    >
    >> Recently seen: what appears to be an attacker bypassing Black Ice PC protection through unknown methods.
    >
    >Check this article:
    >http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html
    >
    >It describes a way to bypass personal firewalls.
    >
    >Cheers,
    >
    >Paulo
    
    -----BEGIN PGP SIGNATURE-----
    Version: Hush 2.2 (Java)
    Note: This signature can be verified at https://www.hushtools.com/verify
    
    wmMEARECACMFAj5tXf8cHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
    aRH3K0ymAJwNzbMhGMbrjHWj7DtyANnTbMHsyQCdEm3afn5aJ+LJ+DYFswwpu28I7Hg=
    =X9zB
    -----END PGP SIGNATURE-----
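    The check Curt applies above (a source address that the firewall rules say is blocked must never appear in the application's connection log, because a completed TCP handshake is the only way the FTP daemon learns the peer's IP) can be automated against the two data sources he has: the rule set and the server log. The script below is an added example, not code from the original post or from ISS/BlackICE; the firewall rule list, the FTP log format and the addresses are all constructed for illustration and do not reflect any real product's syntax.

```python
"""
Correlate a host-firewall block list with an application log to find
connections that should never have reached the application.
Added example; rule format, log format and addresses are constructed.
"""
import ipaddress
import re
from dataclasses import dataclass

# Constructed firewall rules: (action, source network). First match wins;
# the trailing allow-all models a default-permit personal firewall.
FIREWALL_RULES = [
    ("block", "203.0.113.0/24"),
    ("block", "198.51.100.7/32"),
    ("allow", "0.0.0.0/0"),
]

# Constructed FTP server log. The format is hypothetical; the point is that
# a CONNECT line exists only if the TCP handshake completed and the daemon
# accepted the socket, whatever its own host-based ACL decided afterwards.
FTP_LOG = """\
2003-03-10 18:41:02 [1234] CONNECT from 203.0.113.45:51022
2003-03-10 18:41:02 [1234] REJECT 203.0.113.45 not in allowed hosts
2003-03-10 18:43:17 [1235] CONNECT from 192.0.2.10:40111
2003-03-10 18:43:19 [1235] USER alice
2003-03-10 18:50:00 [1236] CONNECT from 198.51.100.7:33000
2003-03-10 18:50:00 [1236] REJECT 198.51.100.7 not in allowed hosts
"""

CONNECT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[(?P<pid>\d+)\] CONNECT from (?P<ip>[\d.]+):(?P<port>\d+)$"
)


@dataclass(frozen=True)
class Connection:
    ts: str
    ip: str
    port: int


def parse_connects(log_text):
    """Return every accepted connection recorded by the FTP daemon."""
    conns = []
    for line in log_text.splitlines():
        m = CONNECT_RE.match(line)
        if m:
            conns.append(Connection(m["ts"], m["ip"], int(m["port"])))
    return conns


def firewall_verdict(ip, rules=FIREWALL_RULES):
    """First-match evaluation of the constructed rule list for one address."""
    addr = ipaddress.ip_address(ip)
    for action, net in rules:
        if addr in ipaddress.ip_network(net):
            return action
    return "allow"  # nothing matched: treat as default-permit


def find_bypasses(log_text, rules=FIREWALL_RULES):
    """Connections whose source the rules say should have been dropped.

    Any hit means one of two things: the rule set in force is not the one
    you think it is, or packets are getting past the filter. Either way the
    application, not the firewall, is what stopped the attacker.
    """
    return [c for c in parse_connects(log_text)
            if firewall_verdict(c.ip, rules) == "block"]


if __name__ == "__main__":
    for c in find_bypasses(FTP_LOG):
        print(f"{c.ts}  {c.ip}:{c.port}  reached the FTP daemon despite a block rule")
```

    Run against the constructed data it reports the two 203.0.113.45 and 198.51.100.7 connections and ignores 192.0.2.10, which the rules permit. The same correlation works with any daemon that logs the peer address at accept time; what makes the REJECT lines damning is that the daemon could only have written them after the SYN, SYN/ACK and ACK had all passed the filter.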
    
    
    
    
    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
    



    This archive was generated by hypermail 2b30 : Tue Mar 11 2003 - 11:06:40 PST