
Black Ice small segment size FTP attack caused by FX-scanner

From: Curt Wilson <netw3_security(at)hushmail.com>
Date: Thu Dec 05 2002 - 18:02:15 EST

Recently saw something different in my Black Ice logs. AdvICE says that this particular attack is related to an old problem in FW-1 and PIX reported by John McDonald and Thomas Lopatic in 2000 (see http://www.securityfocus.com/bid/979) wherein packets destined for an FTP server behind a vulnerable PIX or FW-1 using a small segment size and specially crafted PASV arguments (similar to the FTP bounce attack) could be used to exploit other services (Solaris 2.6 tooltalk was used in the bid 979 example).

Severity: 4
timestamp (GMT): 2002-12-04 07:32:53
issueId: 2000316
issueName: TCP small segment size
intruderIp: 12.37.34.75
intruderName: mail.omnisys-inc.com
victimIp: 131.xxx.xx.xxx
victimName: (empty)
parameters: port=21|57&flags=S&options=maxseg:1460;bad_length:80
count: 8
responseLevel: A
intruderPort: 21855
victimPort: 21
packetFlags: 0x26c06

This particular attacker is coming in from mail.omnisys-inc.com, and the signature of their scan looks very much like the FX-Scanner (fxtools.net) mentioned on Incidents recently; see http://online.securityfocus.com/archive/75/299560/2002-11-10/2002-11-16/0 for more discussion on this.

The pattern of my attacker is as follows:

- Two ICMP pings using the data "hello???"
- Six SYNs for HTTP (firewalled)
- Six SYNs for TCP 57 (evidently because this port is usually closed)
- Six SYNs for TCP 21 (FTP)

The MSS is 1460 bytes, and Ethereal says "Maximum segment size (option length = 80 bytes says option goes past end of options)" in the TCP options section. From what I recall, 1460 is a common MSS over PPP and Ethernet links, but it looks like this scanner indicates 1460 but is actually trying to use 80 instead, similar to John McDonald's discussion where he set the MTU to 100.

Is anyone aware of any newer vulnerabilities that are being exploited by this technique?

Curt Wilson
Netw3 Security Research
www.netw3.com
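As an added illustration (not part of Curt's post, nor Black Ice or Ethereal code), the check that produced the "option length says option goes past end of options" message can be reproduced by walking the TCP options area bounded by the header's data offset and flagging an MSS option whose declared length overruns it. The SYN header below is constructed in memory for the parser; only the ports, MSS value and bad length are taken from the log above.

```python
import struct

# Constructed sample input: an MSS option (kind 2) that advertises 1460 but
# declares an option length of 80, far past the 4-byte options area the header
# actually carries; and the well-formed equivalent for comparison.
BAD_MSS_OPTIONS = bytes([2, 80]) + struct.pack("!H", 1460)
GOOD_MSS_OPTIONS = bytes([2, 4]) + struct.pack("!H", 1460)

def build_syn(dst_port, options, src_port=21855):
    """Build a minimal TCP SYN header (checksum left zero) carrying `options`."""
    options += b"\x00" * (-len(options) % 4)      # pad to a 32-bit boundary
    data_offset = 5 + len(options) // 4           # header length in 32-bit words
    fixed = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                        data_offset << 4, 0x02, 65535, 0, 0)
    return fixed + options

def parse_tcp_options(options):
    """Walk the options area; return a list of (kind, declared_len, mss, overrun)."""
    out, i, n = [], 0, len(options)
    while i < n:
        kind = options[i]
        if kind == 0:                             # End of option list
            break
        if kind == 1:                             # NOP: single byte, no length
            i += 1
            continue
        length = options[i + 1] if i + 1 < n else None
        # Declared length must be >= 2 and must not run past the options area.
        overrun = length is None or length < 2 or i + length > n
        mss = None
        if kind == 2 and i + 4 <= n:              # MSS value is the next 2 bytes
            mss = struct.unpack("!H", options[i + 2:i + 4])[0]
        out.append((kind, length, mss, overrun))
        if overrun:                               # length cannot be trusted; stop
            break
        i += length
    return out

def inspect_syn(raw):
    """Summarise a TCP header in the same terms as the IDS log entry above."""
    src_port, dst_port = struct.unpack("!HH", raw[:4])
    data_offset = (raw[12] >> 4) * 4              # options end where data begins
    flags = raw[13]
    opts = parse_tcp_options(raw[20:data_offset])
    mss = next((m for k, _, m, _ in opts if k == 2), None)
    bad = next((l for k, l, _, o in opts if k == 2 and o), None)
    return {"src_port": src_port, "dst_port": dst_port, "syn": bool(flags & 0x02),
            "maxseg": mss, "bad_length": bad}
```

For the malformed sample, inspect_syn reports maxseg 1460 with bad_length 80, matching the maxseg:1460;bad_length:80 parameters in the log; the well-formed sample reports no bad length.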



This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com

Received on Thu Dec 5 22:30:33 2002

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:52 EDT
