Full Disclosure mailing list archives

Re: Bypass personal firewall application protection . Again.
From: Andrei Zlate-Podani <azlate () bitdefender com>
Date: Tue, 07 Dec 2004 18:19:58 +0200

offtopic wrote:

Bypass personal firewall application protection. Again. (c)oded by offtopic (offtopic () mail ru) 2004. Special thanks to 3APA3A for links to the debuggers for Windows.
<quote src="http://www.security.nnov.ru/advisories/bypassing.asp?l=EN">
A personal firewall usually restricts network access to a list of allowed applications. In addition, the integrity of these applications is controlled to prevent code insertion into the executable file. This makes it impossible to install a trojan application with direct network access.

Modern personal firewalls hook unsafe API calls like WriteProcessMemory and CreateRemoteThread, and control modification of trusted application code. Some personal firewalls even catch CAT+ sometimes. So we have a protected high-privileged application which can communicate with the network, a low-privileged trojan application, and the personal firewall as the access control system. The best way to bypass any access control in Windows is a SHATTER attack. Because most if not all high-privileged applications use a GUI, the trojan can use window messages to modify application memory and execute code in the context of the trusted application.
<quote src="http://security.tombom.co.uk/shatter.html">
Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not that window is owned by the sending application, and regardless of whether the target application wants to receive those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious application is indistinguishable from a message sent by the Windows kernel. It is this lack of authentication that we will be exploiting, taking into consideration that these messages can be used to manipulate windows and the processes that own them.

So, the attack is very simple:
1. Trojan finds trusted application and appropriate.
2. Trojan inserts shellcode into the selected window
<quote src="http://www.google.com/search?q=input+-+if+crafted">
+This is generally a very easy thing to do, as any user-supplied input - if crafted correctly - can be interpreted as a sequence of valid CPU instructions+

3. Afterwards the trojan finds the shellcode address and transfers control to the shellcode. It's not a problem, because
<quote src="http://www.securityassessment.com/Papers/Shattering_By_Example-V1_03102003.pdf">
+even the most obscure of messages can be used to make a process execute code that it was not intended to run. </quote>

I didn't experiment with this too much, but several widely used personal firewalls were tested and are vulnerable. If any vendors need additional details, they can contact me.

Thanks for your attention and sorry for my English.
(c)oded by offtopic () mail ru

Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

You don't need all this shell code stuff to send data through a firewall. It's enough to have a browser allowed to access the internet to send whatever you want. When the host is compromised you cannot stop a malicious application from doing damage.

Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the 
Information Age in which we live.
--- Peter Cochrane
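The exchange above turns on one design point: the firewall keys its decision on the identity of the process that asks for network access, while the desktop delivers window messages with no record of who sent them, so an untrusted process can make a trusted application ask on its behalf (offtopic's shellcode route and Andrei's "just drive the browser" route both rest on this). The following toy model, added here as an illustration and not code from either post, the quoted advisory or any real firewall, shows the allow-list doing its job for a direct request, failing once the request is relayed through an unauthenticated message, and holding again when the dispatcher drops messages from a less trusted sender to a more trusted window (the shape of the integrity-level check Windows later introduced as UIPI). Process names, integrity values and the SEND_DATA message type are assumptions.

```python
"""Toy model of the shared-desktop trust problem discussed in this thread.

Constructed illustration, not code from the post, the quoted advisory or
any real firewall.  It models three things:
  * a desktop on which any process can post a message to any window, with
    no authentication of the sender (the shatter precondition),
  * a personal firewall that allow-lists outbound access by process name,
  * an optional dispatcher check that drops messages from a less trusted
    sender to a more trusted window (the shape of Windows UIPI, Vista+).
All names, integrity values and message types are assumptions.
"""
from dataclasses import dataclass, field

LOW, MEDIUM = 1, 2          # assumed integrity levels, higher = more trusted


@dataclass
class Process:
    name: str
    integrity: int


@dataclass
class Firewall:
    """Allow-lists outbound connections by the identity of the asking process."""
    allow: set
    log: list = field(default_factory=list)

    def permit(self, proc: Process) -> bool:
        ok = proc.name in self.allow
        self.log.append((proc.name, ok))   # all the firewall ever sees
        return ok


class TrustedApp:
    """A GUI application the firewall trusts.  Its window procedure opens an
    outbound connection whenever it receives a SEND_DATA message, exactly
    as it would for a legitimate user action."""

    def __init__(self, proc: Process, firewall: Firewall):
        self.proc, self.firewall = proc, firewall

    def on_message(self, msg: dict) -> bool:
        if msg["type"] == "SEND_DATA":
            return self.firewall.permit(self.proc)
        return False


class Desktop:
    """Message dispatcher.  With check_integrity=False it behaves like the
    desktop in the quoted text: the sender is never authenticated."""

    def __init__(self, check_integrity: bool = False):
        self.windows = {}            # handle -> (owner process, app)
        self.check_integrity = check_integrity
        self.dropped = []

    def register(self, owner: Process, app: TrustedApp) -> int:
        hwnd = len(self.windows) + 1
        self.windows[hwnd] = (owner, app)
        return hwnd

    def post(self, sender: Process, hwnd: int, msg: dict):
        owner, app = self.windows[hwnd]
        if self.check_integrity and sender.integrity < owner.integrity:
            self.dropped.append((sender.name, hwnd, msg["type"]))
            return None              # message never reaches the window
        return app.on_message(msg)   # delivered with no record of the sender


def direct_request() -> bool:
    """The untrusted process asks the firewall itself: correctly denied."""
    fw = Firewall(allow={"browser.exe"})
    return fw.permit(Process("untrusted.exe", LOW))


def scenario(check_integrity: bool) -> dict:
    """The untrusted process drives the trusted application's window instead."""
    fw = Firewall(allow={"browser.exe"})
    browser = Process("browser.exe", MEDIUM)
    untrusted = Process("untrusted.exe", LOW)
    desk = Desktop(check_integrity)
    hwnd = desk.register(browser, TrustedApp(browser, fw))
    sent = desk.post(untrusted, hwnd, {"type": "SEND_DATA", "payload": "constructed"})
    return {"sent": sent, "firewall_log": fw.log, "dropped": desk.dropped}


if __name__ == "__main__":
    print("direct request by untrusted.exe permitted:", direct_request())
    print("no sender check:", scenario(check_integrity=False))
    print("integrity check:", scenario(check_integrity=True))
```

In the unchecked run the firewall log contains only a permitted request from browser.exe, which is all a process-identity allow-list can observe; the relayed request is indistinguishable from a user clicking "send". The integrity check moves the decision to the only layer that knows the sender, the dispatcher, which is why host-level application control has to be paired with isolation between trust levels (separate desktops or integrity levels) rather than relying on the allow-list alone.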


