The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerability announcement CVE-2010-0102

IDS, IPS: Advanced Evasion Techniques

Synthesis of the vulnerability

Twenty-three variants of well-known packet manipulation techniques are not detected by most IDS/IPS.
Impacted products: FW-1, CheckPoint Security Gateway, VPN-1, Cisco IPS, TippingPoint IPS, McAfee NTBA, Snort.
Severity of this bulletin: 2/4.
Consequences of an intrusion: data flow.
Hacker's origin: internet client.
Number of vulnerabilities in this bulletin: 23.
Creation date: 17/12/2010.
References of this threat: CVE-2010-0102, SBP-2010-31, SBP-2010-32, SBP-2010-33, SBP-2010-34, SBP-2010-35, VIGILANCE-VUL-10227.

Description of the vulnerability

IDS/IPS capture network frames and analyze their content in order to detect intrusion attempts. Attackers commonly apply variations to these packets in order to bypass the IDS/IPS: the target host reassembles and interprets the traffic correctly, while the sensor, which has to reconstruct the same stream from the outside, fails to see the attack. Twenty-three variants of well-known packet manipulation techniques are not detected by most IDS/IPS. These 23 cases use IPv4, TCP, SMB and MSRPC variations, and rely on methods that have been known for 12 years. Stonesoft named these cases "Advanced Evasion Techniques". They were announced in VIGILANCE-ACTU-2612.
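The mechanism behind the TCP-level variants (one-byte segments, random order, overlapping segments, sequence numbers near 0xFFFFFFFF) is that a sensor inspecting segments one at a time, or resolving overlaps differently from the target host, does not see the same byte stream the host sees. The following Python is an added illustration written for this page, not code from Vigil@nce or Stonesoft: the signature, the SMB-like request and the segment layouts are constructed sample data, and the two overlap policies are a simplification of what real stacks do.

```python
"""Why per-segment inspection misses what the end host reassembles (added example)."""
import random
import re

SEQ_MOD = 1 << 32

# Constructed sample: an IDS signature for a named-pipe open, and a request containing it.
SIGNATURE = re.compile(rb"\\PIPE\\srvsvc")
REQUEST = b"\x00\x00\x00\x2e\xffSMB\xa2\x00\\PIPE\\srvsvc\x00tail"


def segment(data, seq0, size):
    """Cut `data` into TCP-style (seq, bytes) segments of `size` bytes each."""
    return [((seq0 + i) % SEQ_MOD, data[i:i + size]) for i in range(0, len(data), size)]


def naive_match(segments):
    """Per-segment inspection: fires only if the whole pattern sits inside one segment."""
    return any(SIGNATURE.search(data) for _, data in segments)


def reassemble(segments, seq0, policy="first"):
    """Rebuild the stream the way an end host would.

    Segments may arrive in any order, be one byte long, overlap, or wrap past
    0xFFFFFFFF.  `policy` decides which copy of an overlapping byte wins:
    "first" keeps the data received first, "last" lets later data overwrite it.
    Real stacks differ on this point, which is what overlap evasions exploit.
    """
    bytes_at = {}
    for seq, data in segments:            # arrival order, not sequence order
        base = (seq - seq0) % SEQ_MOD     # relative offset, immune to wraparound
        for i, b in enumerate(data):
            off = base + i
            if policy == "last" or off not in bytes_at:
                bytes_at[off] = b
    out = bytearray()
    while len(out) in bytes_at:           # stop at the first hole
        out.append(bytes_at[len(out)])
    return bytes(out)


def stream_match(segments, seq0, policy="first"):
    """Stream-aware inspection: normalise first, then apply the signature."""
    return SIGNATURE.search(reassemble(segments, seq0, policy)) is not None


def demo():
    rng = random.Random(7)
    seq0 = 0xFFFFFFF0                     # ISN close to the wrap point
    # 1) one-byte segments in random order: the naive matcher is blind, the stream matcher is not
    tiny = segment(REQUEST, seq0, 1)
    rng.shuffle(tiny)
    # 2) overlap: junk sent first over the interesting bytes, the real bytes sent afterwards
    head = REQUEST[:REQUEST.index(b"srvsvc")]
    overlap = [
        (seq0, head),
        ((seq0 + len(head)) % SEQ_MOD, b"xxxxxx"),
        ((seq0 + len(head)) % SEQ_MOD, b"srvsvc"),
        ((seq0 + len(head) + 6) % SEQ_MOD, REQUEST[len(head) + 6:]),
    ]
    return {
        "naive_tiny": naive_match(tiny),
        "stream_tiny": stream_match(tiny, seq0),
        "overlap_first_policy": stream_match(overlap, seq0, "first"),
        "overlap_last_policy": stream_match(overlap, seq0, "last"),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {fired}")
```

The overlap case is the one to note: a sensor that keeps the first copy of each byte sees "xxxxxx" and stays silent, while a host that lets later data overwrite earlier data executes the request with "srvsvc". A sensor can only be correct if it models the reassembly policy of the host it protects, or normalises the stream so that ambiguity cannot reach the host.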

An attacker can send an SMB Write packet with a special "writemode" value, followed by further SMB Write packets that the server ignores. [severity:2/4]

An attacker can split SMB Write data into packets containing only one byte each, themselves carried in small IPv4/TCP fragments. [severity:2/4]

An attacker can send each IPv4 packet twice, the duplicate carrying additional IPv4 options. [severity:2/4]

An attacker can fragment MSRPC queries into packets containing at most 25 bytes of payload. [severity:2/4]

An attacker can send MSRPC messages in which all integers are encoded in big-endian instead of little-endian byte order. [severity:2/4]

An attacker can alter the NDR data representation flags of MSRPC messages. [severity:2/4]

An attacker can nest fragmented MSRPC messages inside fragmented SMB messages. [severity:2/4]

An attacker can fragment SMB messages into blocks containing one byte of payload. [severity:2/4]

An attacker can fragment SMB messages into blocks containing at most 32 bytes of payload. [severity:2/4]

An attacker can use an SMB filename beginning with "unused\..\". [severity:2/4]

An attacker can use overlapping TCP segments. [severity:2/4]

An attacker can send TCP segments in random order. [severity:2/4]

An attacker can fragment TCP data into blocks of one byte. [severity:2/4]

An attacker can open a second TCP session reusing the same port numbers. [severity:2/4]

An attacker can use a TCP session in which the first byte is sent with the URG flag set. [severity:2/4]

An attacker can send a NetBIOS message whose data resembles an HTTP GET request. [severity:2/4]

An attacker can nest 5 SMB Write requests inside one SMB Write. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent in reverse order. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent in random order. [severity:2/4]

An attacker can fragment an MSRPC query into TCP packets sent with an initial sequence number near 0xFFFFFFFF. [severity:2/4]

An attacker can send an empty NetBIOS packet before each NetBIOS message. [severity:2/4]

An attacker can send an invalid NetBIOS packet before each NetBIOS message. [severity:2/4]

An attacker can use an unspecified variation. [severity:2/4]
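Several of the MSRPC variants above (25-byte fragments, big-endian integers, altered NDR data representation flags) work because a decoder that hard-codes little-endian byte order, or that matches each fragment on its own, does not decode the request the way the server does. The following Python is an added example written for this page, not code from Vigil@nce or any IDS vendor: it builds DCE/RPC v5 request PDUs (the 16-byte common header with its drep byte, then alloc_hint, context id and opnum) in either byte order and with optional stub fragmentation, then compares a naive decoder against one that honours the declared byte order and reassembles fragments per call_id. The watched opnum, the "\\evil\share" marker and the stub contents are constructed sample data.

```python
"""Decoding MSRPC (DCE/RPC) requests as the server does: honour drep and
reassemble fragments before matching (added example)."""
import struct

# Constructed sample: a detector watching opnum 31 for a UNC path in the stub.
WATCHED_OPNUM = 31
MARKER = b"\\\\evil\\share"
STUB = b"A" * 45 + MARKER + b"\x00"

PTYPE_REQUEST = 0
PFC_FIRST_FRAG, PFC_LAST_FRAG = 0x01, 0x02
DREP_INT_LITTLE = 0x10          # drep[0] high nibble: 1 = little-endian integers, 0 = big-endian
HDR_LEN, REQ_HDR_LEN = 16, 8    # common header; then alloc_hint + p_cont_id + opnum


def build_request(call_id, opnum, stub, little_endian=True, max_stub=None):
    """Emit the request PDU(s) for one call; `max_stub` splits the stub into fragments."""
    e = "<" if little_endian else ">"
    drep = bytes([DREP_INT_LITTLE if little_endian else 0x00, 0, 0, 0])
    size = max_stub or max(len(stub), 1)
    pieces = [stub[i:i + size] for i in range(0, len(stub), size)] or [b""]
    pdus = []
    for n, piece in enumerate(pieces):
        flags = (PFC_FIRST_FRAG if n == 0 else 0) | (PFC_LAST_FRAG if n == len(pieces) - 1 else 0)
        frag_len = HDR_LEN + REQ_HDR_LEN + len(piece)
        # rpc_vers, rpc_vers_minor, ptype, pfc_flags, drep, frag_length, auth_length, call_id
        hdr = bytes([5, 0, PTYPE_REQUEST, flags]) + drep + struct.pack(e + "HHI", frag_len, 0, call_id)
        req = struct.pack(e + "IHH", len(stub), 0, opnum)   # alloc_hint, p_cont_id, opnum
        pdus.append(hdr + req + piece)
    return pdus


def parse_naive(pdu):
    """What a lazy decoder does: assumes little-endian whatever drep says."""
    frag_len, _auth, call_id = struct.unpack_from("<HHI", pdu, 8)
    _hint, _ctx, opnum = struct.unpack_from("<IHH", pdu, HDR_LEN)
    return {"call_id": call_id, "flags": pdu[3], "opnum": opnum,
            "stub": pdu[HDR_LEN + REQ_HDR_LEN:frag_len]}


def parse_request(pdu):
    """Decode with the byte order the PDU itself declares, as the server does."""
    if pdu[0] != 5 or pdu[2] != PTYPE_REQUEST:
        raise ValueError("not a DCE/RPC v5 request")
    e = "<" if (pdu[4] & 0xF0) == DREP_INT_LITTLE else ">"
    frag_len, _auth, call_id = struct.unpack_from(e + "HHI", pdu, 8)
    _hint, _ctx, opnum = struct.unpack_from(e + "IHH", pdu, HDR_LEN)
    return {"call_id": call_id, "flags": pdu[3], "opnum": opnum,
            "stub": pdu[HDR_LEN + REQ_HDR_LEN:frag_len]}


def alert_per_pdu(pdus, parser):
    """Fragment-at-a-time matching: misses a marker split across fragments."""
    return any(p["opnum"] == WATCHED_OPNUM and MARKER in p["stub"]
               for p in map(parser, pdus))


def alert_per_call(pdus, parser):
    """Collect stub fragments per call_id from FIRST_FRAG to LAST_FRAG, then match."""
    partial, hits = {}, False
    for p in map(parser, pdus):
        buf = partial.setdefault(p["call_id"], bytearray())
        if p["flags"] & PFC_FIRST_FRAG:
            buf.clear()
        buf += p["stub"]
        if p["flags"] & PFC_LAST_FRAG:
            stub = bytes(partial.pop(p["call_id"]))
            hits |= p["opnum"] == WATCHED_OPNUM and MARKER in stub
    return hits


def demo():
    le = build_request(1, WATCHED_OPNUM, STUB)                      # plain little-endian
    be = build_request(2, WATCHED_OPNUM, STUB, little_endian=False)  # big-endian integers
    frag = build_request(3, WATCHED_OPNUM, STUB, max_stub=25)        # 25-byte stub fragments
    return {
        "le_naive": alert_per_pdu(le, parse_naive),
        "be_naive": alert_per_pdu(be, parse_naive),
        "be_drep": alert_per_pdu(be, parse_request),
        "frag_per_pdu": alert_per_pdu(frag, parse_request),
        "frag_per_call": alert_per_call(frag, parse_request),
    }


if __name__ == "__main__":
    for name, fired in demo().items():
        print(f"{name}: {fired}")
```

With big-endian integers the naive decoder reads opnum 31 as 0x1f00 and never fires, while the server, which honours drep, executes opnum 31 as intended. With 25-byte fragments the marker straddles two PDUs, so only the per-call reassembly catches it; a real sensor additionally has to cope with the SMB and TCP level fragmentation the other variants add underneath.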
