NetBarrier Advisory 2000

published:    September 09, 2000
vulnerable:    Intego’s NetBarrier (all versions) running on MaCOS

Discussion

Intego software (www.intego.com) offers a security software package for the Macintosh platform. The software is a firewall utility that allows the user to chose between different security schemes (server only, client only, customized, etc) and block different kind of known DoS (pingflood, synflood, ping of death, etc). One way of actually protecting the user from a remote attack such as a pingflood is to allow the user to block the ip from where the attack is performed. The software either offers the user to stop or ignore the ip address (by default) or can be set to block immediatly the address for a given period of time or permanently.

Now the problem is, one can easily spoof any kind of attack recognized by NetBarrier from an arbitrary ip address therefore blocking all communications between the given address and the victim. (if settings are default, the user must press ‘stop’, which is most likely what is going to happen.). This means if the NetBarrier user is connected to a service such as IRC, by example, spoofing a pingflood or a simple portscan (spoofed syn requests) from the IRC server’s address will instantly disconnect the user from that server and keep him off that service for as long as the ip remains in the stop list.

Since NetBarrier displays the numerical address and not its dns equivalent by default, it makes it even harder for the user to recognize the ip address he is stopping. Also attacks coming from various sources may lead the user to be quick on the stop button, meaning he has even less chances to recognize the incoming ip address as a friendly address.

The remote ip that is blocked from the machine can be anything from an actual connection to the user’s DNS servers, router, etc. Potentially shutting off its whole internet or local connection.

Exploit

Mac users willing to test this attack on their machines can use GrouchySmurf, a smurf port for the mac platform, to perform the attack. All the user has to do is enter the machine’s ip address in the broadcast servers list and enter the supposed attacker’s ip address in the source ip field. Spoofed packets should be sent fast enough so NetBarrier sees it as an attack; (it doesnt take much, actually) 50 packets with a 50ms delay will do just fine.

For other platforms any kind of spoofed icmp flooder will do (I’m thinking especially about the linux/unix platform here).

Fix

Well unless Intego software finds a solution to either verify if the attacker’s ip is an address used by the computer (chat server, router, dns, mail server, etc) or to authenticate spoofed packets (not sure if that is possible) the fix will be either to ignore all attacks, therefore rendering the protection software useless (instead of that, just remove it.) or to be really careful not to block any ip address needed by the user.

A way to verify this is to use IPNetMonitor for Mac, this application will list all the current TCP connections established on the machine. Another thing would be to remember important ip addresses such as router, dns, smtp and pop3 servers, etc.

A good idea between the two solutions would be to shut off only the antivandal services that allow this kind of attack to occur. (stop unknown protocols, protect against syn floods, protect against ping attacks, protect against port scans and protect against intrusion attemps.). Other options should not be vulnerable to this issue.

Credits

vulnerability discovered by WeeDo

for more macintosh-related security information: www.imachacker.com (will be up mid-september 2k)for more macintosh related security information, www.imachacker.com (will be up mid-september 2k)