Bugtraq mailing list archives

Re: blackice ignoring port 113


From: bugtraq () NETWORKICE COM (Robert Graham)
Date: Sat, 22 Jul 2000 18:11:02 -0700


BlackICE Defender ships with the following defaults. All these
defaults can be changed by the user. These settings were chosen
because we believe they provide an adequate compromise between
acceptable security and ease-of-use for the less knowledgeable
user. I stress words like "compromise" and "acceptable" because
high-security is not acceptable to most consumers.

The product is highly configurable for the expert user; though
we probably need to document things better.

Allow port 113 (TCP)
  A lot of ISPs do reverse-identd lookups that cause e-mail sessions
  to timeout if they don't get back a response (RST or SYN-ACK).
  Also, a lot of consumer packages install identd listeners, and
  sometimes they need to be enabled in order to allow access to
  their servers.
  Remember that BlackICE is a network-IDS: it does check for
  identd exploits even if they are allowed through the firewall
  component by default.
  If you want to change this, edit "firewall.ini" config file.

Allow ports above 1024
  This is the default configuration as shipped. Not wonderful. It
  stops most of the common mistakes users make, but lets most apps
  run correctly. BlackICE does have numerous stateful-packet filters
  (e.g. non-PASV FTP clients always work), but we don't have enough
  to default to firewalling on all ports as shipped.
  The user can change this with a click of the mouse, as well
  as editing "firewall.ini".

Logging of events
  We store all events to a file "attack-list.csv", but we only
  "display" the most recent 50k worth of events. Beyond that,
  you probably want to use 3rd party utilities like ClearICE
  or Excel.

Displaying port scan data
  We are criticized from both sides for not showing enough data
  and showing too much. Sigh. Anyway, list of ports scanned on the
  machine is stored in "attack-list.csv" as an extra column in
  the file. You can display this extra column. Right-mouse-click
  on the column titles in order to edit what info is displayed.

Sniffing
  By default, it saves just those packets that trigger alerts.
  In rare conditions, your own logon failures to your own ISP
  might trigger an alert, causing that data to be saved to a file.
  BlackICE has the really cool feature of being able to save a
  record of all network traffic passing through the system. If
  you are truly paranoid (like me), you should save all traffic.

DNS and NetBIOS lookups
  I really want to disable them, but they have proven useful so
  many times I believe the benefits outweigh the risks. A huge
  number of users have successfully caught friends/families/enemies
  this way. Remember these people who get the most value from
  the product are not very knowledgeable.

What is BlackICE Defender?
  BlackICE Defender is a simplified version of our full network-IDS.
  It scans network traffic (non-promiscuous) looking for signs
  of intrusion. A list of most intrusions it detects is at:
  http://advice.networkice.com/advice/intrusions
  It also contains a small personal firewall, hence the "defender"
  moniker.

Robert Graham
CTO/Network ICE

-----Original Message-----
From: Bugtraq List [mailto:BUGTRAQ () securityfocus com]On Behalf Of vali
Sent: Saturday, July 22, 2000 9:27 AM
To: BUGTRAQ () securityfocus com
Subject: blackice ignoring port 113

It's as simple as that, blackice (a somehow popular windows firewall) is
ignoring TCP traffic with destination port 113 (even with "paranoid" setting).
The most simple way to try this is

nmap -sS -p 113 -P0 victim (victim's blackice is silent)
nmap -sS -p any_other_port -P0 victim (blackice says "tcp port probe").

Tried with blackice 2.1.x (blackice.exe & vxd = 2.1.25, blackicd and
blackdll.dll = 2.1.22) on both win95 OSR 2 and win98 SE.

This is not much, but is a simple way to flood a computer without blackice
reacting in any way. Also, if somebody is using a buggy ident server this is
fatal (irc clients install sometimes ident servers, without users
knowledge).

Other comments regarding BlackIce:

Blackice is doing a good job in stopping malformed packets "bad" for Microsoft
IP stacks (including IGMP, fragmented ICMP aka teardrop, etc, etc). Can detect
nmap stealth scan but there is no simple way to tell from the interface the
port scanned (if the port is not a "standard" port). Anyway, it has extensive
logging capabilities. In fact with "logging" and "evidence logging" enabled
sniffed sessions can linger in Blackice folder, alongside with sensitive
information like passwords.
Blackice can do (automatic) DNS reverse lookup and a Netbios scan for the
attackers (which can be a *very* bad thing). I think this feature is enabled by
default.

Blackice seems to have some limits for the number of packets logged and for the
alerts displayed. This is a good thing and a bad thing. This limits the memory
used but some packets can go unnoticed (and if someone sends a lot of spoofed
packets the real attack will go unnoticed).
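Both messages turn on the same ident (RFC 1413) detail: an ISP mail server's reverse-ident lookup hangs until it gets an answer on port 113, and a buggy ident listener that actually answers is worse than none. A listener that replies to every query but never names an account satisfies the lookup without disclosing anything. The following is an added example written for this archive page; it is not BlackICE code and not from either poster. The host, the default port 1130 (113 needs privileges) and the function names are assumptions for local testing.

```python
"""Minimal RFC 1413 (ident) responder that answers every well-formed query
with "ERROR : HIDDEN-USER": the remote mail server's lookup completes at
once instead of timing out, and no user name is ever returned.
Added example, not BlackICE code; defaults below are test assumptions."""
import re
import socketserver

# RFC 1413 query: "<port-on-server> , <port-on-client>", optional whitespace,
# CRLF-terminated. Only decimal digits are accepted, nothing else is echoed.
_QUERY_RE = re.compile(r"^\s*(\d{1,5})\s*,\s*(\d{1,5})\s*$")
_MAX_LINE = 512  # RFC 1413 lines are limited to 512 characters; refuse longer input

def build_ident_reply(line: str) -> str:
    """Parse one ident query line and return the reply (without CRLF).

    Well-formed queries get 'ERROR : HIDDEN-USER'; malformed ones get
    'ERROR : INVALID-PORT'. Only port numbers we validated (1..65535) are
    reflected back, so a hostile query cannot smuggle bytes into the reply.
    Echoing "0 , 0" for unparseable queries is this example's own choice.
    """
    line = line.rstrip("\r\n")
    if len(line) > _MAX_LINE:
        return "0 , 0 : ERROR : INVALID-PORT"
    m = _QUERY_RE.match(line)
    if not m:
        return "0 , 0 : ERROR : INVALID-PORT"
    sport, cport = int(m.group(1)), int(m.group(2))
    if not (1 <= sport <= 65535 and 1 <= cport <= 65535):
        return "0 , 0 : ERROR : INVALID-PORT"
    return f"{sport} , {cport} : ERROR : HIDDEN-USER"

class IdentHandler(socketserver.StreamRequestHandler):
    """One query, one reply, then the connection is closed."""

    def handle(self) -> None:
        raw = self.rfile.readline(1024)  # bounded read: never buffer an endless line
        try:
            line = raw.decode("ascii")
        except UnicodeDecodeError:
            line = ""  # non-ASCII is not a valid query; parser will reject it
        self.wfile.write((build_ident_reply(line) + "\r\n").encode("ascii"))

def serve(host: str = "127.0.0.1", port: int = 1130) -> None:
    """Run the responder on an unprivileged port (assumption for local tests)."""
    with socketserver.TCPServer((host, port), IdentHandler) as srv:
        srv.serve_forever()

if __name__ == "__main__":
    serve()
```

The parser is the whole point: a responder that rejects oversized lines, non-digit input and out-of-range ports before building its reply is the opposite of the "buggy ident server" the original post warns about, and the HIDDEN-USER reply gives the ISP's lookup the immediate answer it is waiting for without handing over a login name.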

