Security Incidents mailing list archives

Re: [Full-Disclosure] Bypassing Black Ice PC protection?


From: "Curt Wilson" <netw3_security () hushmail com>
Date: Mon, 10 Mar 2003 19:58:05 -0800


Paulo + everyone, the techniques mentioned in that bugtraq message mentioned here are applicable from WITHIN the host 
protected by a personal firewall, so if a malicious applet or some other malware took control of the system from a 
local administrator for instance, the firewall could be easily bypassed from that side. This is not what I'm seeing. 
What I've seen is an Internet based attacker getting TCP SYN packets through Black Ice PC Protection, reaching an 
application (FTP server). If the IP was blocked at the system's 'edge', then the FTP server log should not have shown 
any such IP address entry, because as far as the FTP server *should* know, there was no connection attempt. The attacker 
did not actually start a session with the FTP server due to IP based access control within the server itself. Still, 
seeing Black Ice be 'melted' as a friend said, is troubling. I've double-checked the firewall rules and there is nothing that 
specifies that this IP should be allowed through.

Since the attacker, or the attacker's script more likely, was rejected by the FTP application, I don't know how likely it 
is that this specific attacker will come back so I can capture his methods in more detail.

I'll be working on reproducing this behavior myself, but if anyone has additional info please drop me a line. If I can 
reproduce then I'll talk to ISS.

On Mon, 10 Mar 2003 17:19:41 -0800 Darwin <darwin () netmadeira com> wrote:
----- Original Message -----
From: "Curt Wilson" <netw3_security () hushmail com>

Recently seen: what appears to be an attacker bypassing Black Ice PC protection through unknown methods.

Check this article:
http://security-archive.merton.ox.ac.uk/bugtraq-200302/0268.html

It describes a way to bypass personal firewalls.

Cheers,

Paulo


