Message-ID: <200303110358.h2B3w53Q053723@mailserver1.hushmail.com>
From: netw3_security at hushmail.com (Curt Wilson)
Subject: Bypassing Black Ice PC protection?

-----BEGIN PGP SIGNED MESSAGE-----


Paulo + everyone, the techniques mentioned in that bugtraq message mentioned here are applicable from WITHIN the host protected by a personal firewall, so if a malicious applet or some other malware took control of the system from a local administrator for instance, the firewall could be easily bypassed from that side. This is not what I'm seeing. What I've seen is an Internet based attacker getting TCP SYN packets through Black Ice PC Protection, reaching an application (FTP server). If the IP was blocked at the system's 'edge', then the FTP server log should not have shown any such IP address entry, because as far as the FTP server *should* know, there was no connection attempt. The attacker did not actually start a session with the FTP server due to IP based access control within the server itself. Still, seeing Black Ice be 'melted' as a friend said, is troubling. I've double-checked the firewall rules and there is nothing that specifies that this IP should be allowed through.

Since the attacker, or the attacker's script more likely, was rejected by the FTP application, I don't know how likely it is that this specific attacker will come back so I can capture his methods in more detail.

I'll be working on reproducing this behavior myself, but if anyone has additional info please drop me a line. If I can reproduce then I'll talk to ISS.

On Mon, 10 Mar 2003 17:19:41 -0800 Darwin <darwin@...madeira.com> wrote:
>----- Original Message -----
>From: "Curt Wilson" <netw3_security@...hmail.com>
>
>> Recently seen: what appears to be an attacker bypassing Black Ice PC protection through unknown methods.
>
>Check this article:
>http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html
>
>It describes a way to bypass personal firewalls.
>
>Cheers,
>
>Paulo

-----BEGIN PGP SIGNATURE-----
Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify

wmMEARECACMFAj5tXf8cHG5ldHczX3NlY3VyaXR5QGh1c2htYWlsLmNvbQAKCRBGd/Yw
aRH3K0ymAJwNzbMhGMbrjHWj7DtyANnTbMHsyQCdEm3afn5aJ+LJ+DYFswwpu28I7Hg=
=X9zB
-----END PGP SIGNATURE-----

