Home page logo

fulldisclosure logo Full Disclosure mailing list archives

Re: Bypassing Black Ice PC protection?
From: "Curt Wilson" <netw3_security () hushmail com>
Date: Mon, 10 Mar 2003 19:58:05 -0800


Paulo + everyone, the techniques mentioned in that bugtraq message mentioned here are applicable from WITHIN the host 
protected by a personal firewall, so if a malicious applet or some other malware took control of the system from a 
local administrator for instance, the firewall could be easily bypassed from that side. This is not what I'm seeing. 
What I've seen is an Internet based attacker getting TCP SYN packets through Black Ice PC Protection, reaching an 
application (FTP server). If the IP was blocked at the systems 'edge', then the FTP server log should not have shown 
any such IP address entry, becase as far as the FTP server *should* know, there was no connection attempt. The attacker 
did not actually start a session with the FTP server due to IP based access control within the server itself. Still, 
seeing Black Ice be 'melted' as a friend said, is troubling. I've double the firewall rules and there is nothing that 
specifies that this IP should be allowed through.

Since the attacker, or the attackers script more likely was rejected by the FTP application, I don't know how likely it 
is that this specific attacker will come back so I can capture his methods in more detail.

I'll be working on reproducing this behavior myself, but if anyone has additional info please drop me a line. If I can 
reproduce then I'll talk to ISS.

On Mon, 10 Mar 2003 17:19:41 -0800 Darwin <darwin () netmadeira com> wrote:
----- Original Message -----
From: "Curt Wilson" <netw3_security () hushmail com>

Recently seen: what appears to be an attacker bypassing Black Ice PC protection through unknown methods.

Check this article:

It describes a way to bypass personal firewalls.



Version: Hush 2.2 (Java)
Note: This signature can be verified at https://www.hushtools.com/verify


Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]