Vulnerability
ISS RealSecure
Affected
ISS RealSecure
Description
Stephane Aubert found the following. While experimenting with ISS
RealSecure, a well-known network intrusion detection system (NIDS),
he encountered the following security problems:
o It is possible to bypass the detection of TearDrop, SynDrop,
NewTear or Targa DoS attacks.
o Some of Whisker's evasion modes are still effective against it,
i.e. it is possible to stealth-scan a web server for CGIs.
This has been tested on ISS RealSecure version 3.2.1999.343 on
Windows NT.
1. Teardrop signature in RealSecure
===================================
For example, the original/public teardrop.c exploits the
overlapping IP fragment bug by sending two IP fragments. The ID
field of the two fragments plays no part in the attack and was
hard-coded to 242 (why not?):
*((u_short *)p_ptr) = htons(242); /* IP id */
Changing this value from 242 to 666 (it can be a random number) is
enough to stop RealSecure from detecting the teardrop attack; the
ID field of the IP fragments is the only thing modified. The
difference can be seen by sniffing the network with Snort:
Original teardrop (detected):
02/11-09:37:03.822772 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:242 MF
Frag Offset: 0x0 Frag Size: 0x24
02/11-09:37:03.822829 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:242
Frag Offset: 0x3 Frag Size: 0x4
Modified teardrop (NOT detected):
02/11-09:37:07.967350 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666 MF
Frag Offset: 0x0 Frag Size: 0x24
02/11-09:37:07.968076 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666
Frag Offset: 0x3 Frag Size: 0x4
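The lesson for signature writers is that the IP ID is an artifact of one exploit, not of the bug: what makes these two fragments a teardrop is that the second one starts inside the byte range the first already covered. The following Python is an added example, not code from the advisory or from ISS. It parses Snort records in the format shown above and runs two detectors over them: a brittle one keyed on the fixed ID 242 (an assumption that models the behaviour the advisory reports, not ISS's actual signature) and a structural one that checks for overlapping fragment ranges within one datagram. The sample records are the four from the advisory plus one constructed, correctly fragmented datagram (ID 700) to show the structural check does not alert on ordinary fragmentation.

```python
import re
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample: the four Snort records from the advisory, plus one
# properly fragmented (non-overlapping) datagram with ID 700.
SAMPLE_LOG = """\
02/11-09:37:03.822772 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:242 MF
Frag Offset: 0x0 Frag Size: 0x24
02/11-09:37:03.822829 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:242
Frag Offset: 0x3 Frag Size: 0x4
02/11-09:37:07.967350 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666 MF
Frag Offset: 0x0 Frag Size: 0x24
02/11-09:37:07.968076 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666
Frag Offset: 0x3 Frag Size: 0x4
02/11-09:38:00.000000 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:700 MF
Frag Offset: 0x0 Frag Size: 0x20
02/11-09:38:00.000100 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:700
Frag Offset: 0x4 Frag Size: 0x10
"""

HEADER_RE = re.compile(r"^(\S+)\s+(\S+)\s+->\s+(\S+)$")
META_RE = re.compile(r"^(\S+)\s+TTL:(\d+)\s+TOS:0x[0-9a-fA-F]+\s+ID:(\d+)(\s+MF)?$")
FRAG_RE = re.compile(r"^Frag Offset:\s+0x([0-9a-fA-F]+)\s+Frag Size:\s+0x([0-9a-fA-F]+)$")


@dataclass
class Fragment:
    src: str
    dst: str
    ip_id: int
    more_fragments: bool
    byte_offset: int  # Snort prints the offset in 8-byte units; converted to bytes here
    size: int         # payload bytes carried by this fragment


def parse_snort_fragments(text):
    """Parse three-line Snort fragment records into Fragment objects."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) % 3:
        raise ValueError("expected three-line Snort fragment records")
    frags = []
    for i in range(0, len(lines), 3):
        h = HEADER_RE.match(lines[i])
        m = META_RE.match(lines[i + 1])
        f = FRAG_RE.match(lines[i + 2])
        if not (h and m and f):
            raise ValueError(f"unparseable record starting at line {i + 1}")
        frags.append(Fragment(
            src=h.group(2), dst=h.group(3),
            ip_id=int(m.group(3)),
            more_fragments=m.group(4) is not None,
            byte_offset=int(f.group(1), 16) * 8,
            size=int(f.group(2), 16),
        ))
    return frags


def _by_datagram(frags):
    """Group fragments by the tuple that identifies one IP datagram."""
    groups = defaultdict(list)
    for f in frags:
        groups[(f.src, f.dst, f.ip_id)].append(f)
    return groups


def detect_by_fixed_id(frags, exploit_id=242):
    """Brittle signature. Assumption: models the behaviour the advisory reports,
    alerting only when fragments carry the public exploit's hard-coded IP ID."""
    return sorted({(f.src, f.dst, f.ip_id) for f in frags if f.ip_id == exploit_id})


def detect_by_overlap(frags):
    """Structural check: within one datagram, a fragment that starts before the
    end of the bytes already covered by earlier fragments is an overlap."""
    alerts = []
    for key, group in _by_datagram(frags).items():
        group.sort(key=lambda f: f.byte_offset)
        covered_end = 0
        for f in group:
            if f.byte_offset < covered_end:
                alerts.append(key)
                break
            covered_end = max(covered_end, f.byte_offset + f.size)
    return sorted(alerts)


if __name__ == "__main__":
    frags = parse_snort_fragments(SAMPLE_LOG)
    print("fixed-ID signature alerts:", detect_by_fixed_id(frags))
    print("overlap check alerts:     ", detect_by_overlap(frags))
```

Run as a script, the fixed-ID signature reports only the ID 242 datagram, while the overlap check reports both 242 and 666 and stays silent on the correctly fragmented ID 700 datagram.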
2. Whisker evading modes vs. RealSecure
=======================================
A stealth scan can be done using Whisker v1.3.0a and the HEAD
method. It is also possible to use the GET method (-M 2), but in
that case an evasion mode (0, 6 or both) must be used to avoid
detection. Examples:
./whisker.pl -h xxx.yyy.zzz.ttt -I 1246
./whisker.pl -h xxx.yyy.zzz.ttt -I 0 -M 2
./whisker.pl -h xxx.yyy.zzz.ttt -I 6 -M 2
./whisker.pl -h xxx.yyy.zzz.ttt -I 60 -M 2
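That a HEAD-based scan goes unnoticed suggests the CGI signatures were tied to the GET method. The Python below is an added example, not code from the advisory, from ISS or from Whisker, showing the defender's counterpart: match probed CGI paths regardless of HTTP method, and flag a source that touches many distinct watched paths. The request lines, client addresses and the CGI watchlist are constructed placeholders, and the GET-only rule is an assumption modelling the behaviour the advisory describes rather than RealSecure's real signature.

```python
import re
from collections import defaultdict

REQUEST_LINE_RE = re.compile(r"^([A-Z]+) (\S+) HTTP/\d\.\d$")

# Constructed watchlist of CGI paths (placeholder names, not taken from
# Whisker's database or from the advisory).
CGI_WATCHLIST = {
    "/cgi-bin/probe-a.cgi",
    "/cgi-bin/probe-b.cgi",
    "/cgi-bin/probe-c.cgi",
    "/cgi-bin/probe-d.cgi",
}

# Constructed sample: (client address, request line) as a sensor might log
# them. The first client walks the watchlist using HEAD only.
SAMPLE_REQUESTS = [
    ("10.0.0.5", "HEAD /cgi-bin/probe-a.cgi HTTP/1.0"),
    ("10.0.0.5", "HEAD /cgi-bin/probe-b.cgi HTTP/1.0"),
    ("10.0.0.5", "HEAD /cgi-bin/probe-c.cgi HTTP/1.0"),
    ("10.0.0.5", "HEAD /cgi-bin/probe-d.cgi?x=1 HTTP/1.0"),
    ("10.0.0.9", "GET /index.html HTTP/1.0"),
    ("10.0.0.9", "GET /cgi-bin/probe-a.cgi HTTP/1.0"),
]


def parse_request_line(line):
    """Return (method, path) with any query string stripped, or None if malformed."""
    m = REQUEST_LINE_RE.match(line)
    if not m:
        return None
    method, target = m.group(1), m.group(2)
    return method, target.split("?", 1)[0]


def matches_get_only(line):
    """Brittle rule. Assumption: models a signature written only for GET,
    which is why a HEAD-based scan passes unnoticed."""
    parsed = parse_request_line(line)
    return parsed is not None and parsed[0] == "GET" and parsed[1] in CGI_WATCHLIST


def matches_any_method(line):
    """Hardened rule: the probed path is what matters, not the method used."""
    parsed = parse_request_line(line)
    return parsed is not None and parsed[1] in CGI_WATCHLIST


def scanning_sources(requests, min_distinct_paths=3):
    """Per-source scan detection: a client touching many distinct watched
    paths, with any method, is flagged even if each request looks benign."""
    seen = defaultdict(set)
    for client, line in requests:
        parsed = parse_request_line(line)
        if parsed and parsed[1] in CGI_WATCHLIST:
            seen[client].add(parsed[1])
    return sorted(c for c, paths in seen.items() if len(paths) >= min_distinct_paths)


if __name__ == "__main__":
    get_hits = [l for _, l in SAMPLE_REQUESTS if matches_get_only(l)]
    any_hits = [l for _, l in SAMPLE_REQUESTS if matches_any_method(l)]
    print(f"GET-only rule hits: {len(get_hits)}, any-method rule hits: {len(any_hits)}")
    print("sources flagged as scanning:", scanning_sources(SAMPLE_REQUESTS))
```

On the sample, the GET-only rule sees a single request from the second client and misses the whole HEAD sweep, while the method-agnostic rule sees all five probes and the per-source count flags 10.0.0.5.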
Solution
ISS development is aware of the modified attacks described above.
They have been addressed by engineering for the next major
release of RealSecure.