COMMAND

    ISS RealSecure

SYSTEMS AFFECTED

    ISS RealSecure

PROBLEM

    Stephane Aubert found the following.  While experimenting with ISS
    RealSecure, a well-known network intrusion detection system (NIDS),
    he encountered the following security problems:

        o It is possible to bypass the detection of TearDrop, SynDrop,
          NewTear or Targa DoS attacks.
        o Some of Whisker's evasion modes are still effective against
          it, i.e. it is possible to scan a web server for CGIs without
          being detected.

    This has  been tested  on ISS  RealSecure version  3.2.1999.343 on
    Windows NT.

    1. Teardrop signature in RealSecure
    ===================================
    The original, publicly available teardrop.c exploits the overlapping
    IP fragment bug by sending two IP fragments.  The ID field of the two
    fragments plays no part in the attack and was hard-coded to 242, an
    arbitrary value:

        *((u_short *)p_ptr) = htons(242);   /* IP id */

    Changing this value from 242 to 666 (any value, even a random one,
    will do) is enough for RealSecure to miss the teardrop attack.  The
    only field changed is the IP ID of the fragments, so the RealSecure
    signature evidently depends on that value rather than on the
    overlapping fragments themselves.  Sniffing the network with Snort
    confirms that nothing else differs:

        Original teardrop (detected):
          02/11-09:37:03.822772 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
          UDP TTL:64 TOS:0x0 ID:242  MF
          Frag Offset: 0x0   Frag Size: 0x24

          02/11-09:37:03.822829 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
          UDP TTL:64 TOS:0x0 ID:242
          Frag Offset: 0x3   Frag Size: 0x4

        Modified teardrop (NOT detected):
          02/11-09:37:07.967350 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
          UDP TTL:64 TOS:0x0 ID:666  MF
          Frag Offset: 0x0   Frag Size: 0x24

          02/11-09:37:07.968076 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
          UDP TTL:64 TOS:0x0 ID:666
          Frag Offset: 0x3   Frag Size: 0x4
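    A signature keyed on the literal IP ID misses the modified attack; a
    robust detection keys on the fragment offsets instead.  The following
    added example (not part of the advisory or of any ISS or Snort code)
    parses Snort-style fragment lines like those above and flags any
    datagram whose fragments overlap, whatever its ID.  The sample log is
    constructed from the "NOT detected" capture above.

```python
import re
from collections import defaultdict

# Constructed sample in the Snort fragment format quoted in the advisory:
# the modified teardrop (ID 666) that an ID-keyed signature misses.
SAMPLE_LOG = """\
02/11-09:37:07.967350 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666  MF
Frag Offset: 0x0   Frag Size: 0x24

02/11-09:37:07.968076 xxx.yyy.zzz.246 -> xxx.yyy.zzz.245
UDP TTL:64 TOS:0x0 ID:666
Frag Offset: 0x3   Frag Size: 0x4
"""

HDR_RE = re.compile(r"^\S+ (\S+) -> (\S+)$")
ID_RE = re.compile(r"\bID:(\d+)")
FRAG_RE = re.compile(r"Frag Offset: (0x[0-9a-fA-F]+)\s+Frag Size: (0x[0-9a-fA-F]+)")


def parse_fragments(text):
    """Yield (src, dst, ip_id, first_byte, end_byte_exclusive) per fragment.
    Frag Offset is in 8-byte units, as in the IP header; Frag Size is bytes."""
    src = dst = ip_id = None
    for line in text.splitlines():
        if m := HDR_RE.match(line.strip()):
            src, dst = m.groups()
        elif m := ID_RE.search(line):
            ip_id = int(m.group(1))
        elif m := FRAG_RE.search(line):
            start = int(m.group(1), 16) * 8
            size = int(m.group(2), 16)
            yield (src, dst, ip_id, start, start + size)


def find_overlaps(text):
    """Return the (src, dst, ip_id) datagrams in which a fragment overlaps
    bytes already covered by an earlier fragment.  The ID is only used to
    group fragments, so 242 and 666 are treated identically."""
    seen = defaultdict(list)  # (src, dst, id) -> list of (start, end)
    hits = []
    for src, dst, ip_id, start, end in parse_fragments(text):
        key = (src, dst, ip_id)
        if any(start < e and s < end for s, e in seen[key]):  # ranges intersect
            hits.append(key)
        seen[key].append((start, end))
    return hits
```

    Here the second fragment starts at byte 24 with 4 bytes of payload,
    inside the 36 bytes already covered by the first, so the datagram is
    flagged regardless of its ID.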

    2. Whisker evading modes vs. RealSecure
    =======================================
    A scan that RealSecure does not detect can be performed with Whisker
    v1.3.0a using the HEAD method.  The GET method (-M 2) can also be
    used, but in that case an evasion mode (0, 6 or both) is required to
    avoid detection.  Examples:

        ./whisker.pl -h xxx.yyy.zzz.ttt -I 1246
        ./whisker.pl -h xxx.yyy.zzz.ttt -I 0 -M 2
        ./whisker.pl -h xxx.yyy.zzz.ttt -I 6 -M 2
        ./whisker.pl -h xxx.yyy.zzz.ttt -I 60 -M 2

SOLUTION

    ISS development is aware of the modified attacks described  above.
    They  have  been  addressed  by  engineering  for  the  next major
    release of RealSecure.