Security Incidents mailing list archives

Black Ice small segment size FTP attack caused by FX-scanner


From: Curt Wilson <netw3_security () hushmail com>
Date: 5 Dec 2002 23:02:15 -0000




Recently saw something different in my Black Ice logs. AdvICE 
says that this particular attack is related to an old problem in FW-1 and 
PIX reported by John McDonald and Thomas Lopatic in 2000 (see 
http://www.securityfocus.com/bid/979) wherein packets destined for an FTP 
server behind a vulnerable PIX or FW-1 using a small segment size and 
specially crafted PASV arguments (similar to the FTP bounce attack) could 
be used to exploit other services (Solaris 2.6 tooltalk was used in the 
bid 979 example).

Severity:         4
timestamp (GMT):  2002-12-04 07:32:53
issueId:          2000316
issueName:        TCP small segment size
intruderIp:       12.37.34.75
intruderName:     mail.omnisys-inc.com
victimIp:         131.xxx.xx.xxx
victimName:       
parameters:       port=21|57&flags=S&options=maxseg:1460;bad_length:80
count:            8
responseLevel:    A
intruderPort:     21855
victimPort:       21
packetFlags:      0x26c06

This particular attacker came in from mail.omnisys-inc.com, and the 
signature of their scan looks very much like the FX-Scanner (fx-tools.net) 
mentioned on Incidents recently; see 
http://online.securityfocus.com/archive/75/299560/2002-11-10/2002-11-16/0 
for more discussion on this.

The pattern of my attacker is as follows:

Two ICMP pings using the data "hello???"
Six SYNs for HTTP (firewalled)
Six SYNs for TCP 57 (evidently because this port is usually closed)
Six SYNs for TCP 21 (FTP)

The MSS is 1460 bytes, and Ethereal says "Maximum segment size (option 
length = 80 bytes says option goes past end of options)" in the TCP 
options section. From what I recall, 1460 is a common MSS over PPP and 
Ethernet links, but it looks like this scanner indicates 1460 but is 
actually trying to use 80 instead, similar to John McDonald's discussion 
where he set the MTU to 100.

Is anyone aware of any newer vulnerabilities that are being exploited by 
this technique?

Curt Wilson
Netw3 Security Research
www.netw3.com
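The malformed MSS option the post describes (a length byte of 80 on a 4-byte option that still carries the value 1460), as an added example that is not part of the original message: a small TCP option walker in Python that flags an option whose length field runs past the end of the options area, which is the condition Ethereal reported, and still extracts the declared MSS so a sensor can report both values the way the Black Ice "parameters" field does. The header builder, the ports, the sequence number and the window are constructed test input, not captured traffic.

```python
import struct

TCP_SYN = 0x02
TCP_ACK = 0x10
OPT_EOL, OPT_NOP, OPT_MSS = 0, 1, 2

# Constructed option bytes. The first matches what the post's sensor reported:
# kind 2 (MSS), length byte 80, value 1460 (0x05b4), in only 4 bytes of option space.
MALFORMED_MSS = bytes([OPT_MSS, 80, 0x05, 0xB4])
# The same MSS option as a conforming stack would send it: length 4.
WELL_FORMED_MSS = bytes([OPT_MSS, 4, 0x05, 0xB4])


def build_tcp_header(src_port, dst_port, flags, options=b""):
    """Build a raw 20-byte TCP header plus options (constructed test input;
    the checksum is left at 0 because no IP pseudo-header is involved)."""
    options += b"\x00" * ((-len(options)) % 4)      # data offset counts 32-bit words
    data_offset_words = 5 + len(options) // 4
    fixed = struct.pack("!HHIIBBHHH",
                        src_port, dst_port,
                        0x12345678,                 # sequence number (arbitrary)
                        0,                          # acknowledgement number
                        data_offset_words << 4,     # data offset in the high nibble
                        flags,
                        5840,                       # window
                        0,                          # checksum (not computed)
                        0)                          # urgent pointer
    return fixed + options


def parse_tcp_options(header):
    """Walk the options area the way a dissector does. Returns (options, anomalies);
    an option whose length byte overruns the options area is recorded as an anomaly,
    but the bytes that are actually present are kept so the declared MSS can be reported."""
    data_offset = (header[12] >> 4) * 4
    opts = header[20:data_offset]
    options, anomalies = [], []
    i = 0
    while i < len(opts):
        kind = opts[i]
        if kind == OPT_EOL:
            break
        if kind == OPT_NOP:
            i += 1
            continue
        if i + 1 >= len(opts):
            anomalies.append({"kind": kind, "length": None, "remaining": 1,
                              "reason": "option has no length byte"})
            break
        length = opts[i + 1]
        remaining = len(opts) - i
        if length < 2 or length > remaining:
            anomalies.append({"kind": kind, "length": length, "remaining": remaining,
                              "reason": "option length goes past end of options"})
            options.append({"kind": kind, "length": length, "data": opts[i + 2:]})
            break
        options.append({"kind": kind, "length": length, "data": opts[i + 2:i + length]})
        i += length
    return options, anomalies


def inspect_syn(header):
    """Return a small verdict for a SYN, or None for non-SYN segments.
    'bad_length' is set when the MSS option's length byte overruns the options area,
    the condition the post's sensor labelled 'TCP small segment size'."""
    if not header[13] & TCP_SYN:
        return None
    options, anomalies = parse_tcp_options(header)
    dst_port = struct.unpack("!H", header[2:4])[0]
    mss = None
    for opt in options:
        if opt["kind"] == OPT_MSS and len(opt["data"]) >= 2:
            mss = struct.unpack("!H", opt["data"][:2])[0]
    bad_length = next((a["length"] for a in anomalies if a["kind"] == OPT_MSS), None)
    verdict = {"dst_port": dst_port, "mss": mss, "bad_length": bad_length,
               "options_len": (header[12] >> 4) * 4 - 20}
    # Summary in the same style as the sensor's 'parameters' field.
    summary = "port=%d&flags=S&options=maxseg:%s" % (dst_port, mss)
    if bad_length is not None:
        summary += ";bad_length:%d" % bad_length
    verdict["summary"] = summary
    return verdict


if __name__ == "__main__":
    for label, opts in (("malformed", MALFORMED_MSS), ("well-formed", WELL_FORMED_MSS)):
        print(label, inspect_syn(build_tcp_header(21855, 21, TCP_SYN, opts)))
```

The parser deliberately stops at the first overrunning option instead of reading past the options area, which is the defensive behaviour you want in anything that sits in front of a firewall's FTP inspection: the length byte is attacker-controlled, and trusting it is exactly how a dissector ends up reading the TCP payload as option data.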

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service.
For more information on this free incident handling, management 
and tracking system please see: http://aris.securityfocus.com

