Another Vulnerability Demonstrator


jvmorris
July 6th, 2003, 08:29 AM
This is probably of interest to gkweb in particular, but the rest of you may also find it rather educational.

You can find it at http://www.dslreports.com/forum/remark,7321041~root=security,1~mode=flat . I think it's been beaten on for several weeks by several people before publication. And it includes the source code, for those who might otherwise worry. The author is reputable and is known to WildCatBoy.

For those who may be concerned about the publication of this vulnerability, I believe that almost all of the software firewall vendors were informed of it over the course of the last month.

URL tags added to the link - paul

jvmorris
July 7th, 2003, 01:03 PM
I should have put the following caveat in my original posting. To quote from my initial response to the announcement of gkweb's Firewall Leak Tester Site when it was first broached at DSLR Security Forum (see http://www.dslreports.com/forum/remark,7150363~root=security,1~mode=open ):

"A short word of caution to those who might suddenly get an urge to run out and play with some of these tests themselves: Unless you know what you're doing and can put a box at risk, I would advise against it. Some of these vulnerability demonstrators have been known to have unanticipated effects (even from their authors' points of view). And simply removing the demonstrator afterwards doesn't necessarily reverse this impact. The early version of YALTA, for example, could completely munge the ruleset for some of the earlier versions of NIS/NPF and there was absolutely no clear indication of what had been done or how to recover from it. In effect, that version of YALTA dropped the NIS/NPF firewalls in their entirety."

and, more recently, from the thread on MBTEST at grc.security.software:

"And, incidentally, I'm not encouraging anyone to rush out and play with MBTEST; I'm simply notifying people of its existence and what it purports to demonstrate. In a thread on DSLR Security about gkweb's Firewall Leak Tester website, I specifically cautioned people about running around installing and testing all the various leaktests mentioned. You've got to know what you're doing and understand how the tests work (so you can clean up afterwards) and it's preferable that (even then) you have boxes that you can put at risk. (And I decline on the second point.) . . . .

WinPcap is used by many knowledgeable people for special purposes. In the hands of someone who knows what it is and how to use it RESPONSIBLY, it's an invaluable tool; in the hands of someone who doesn't, it can be deadly. And, yes, that's partly due to the fact that it works at such a low level. Indeed, that's what allows Ethereal (and other packet sniffers) to operate 'in front of' the software firewall."
In other words, none of these leaktesters should be run out of idle curiosity.



url tags added to the link - Jan

jvmorris
July 9th, 2003, 11:50 AM
In a display of unusual omniscience :o , I was lucky enough to title this thread "Another Vulnerability Demonstrator", rather than a "New Leaktest Demonstration".

So, therefore, I think I can get away with now drawing attention to jdong's thread at DSLR Security Forum on Software Firewall Termination (see http://www.dslreports.com/forum/remark,7342925~root=security,1~mode=flat;start=0 ).

As gkweb has noted in that thread (and jdong has agreed), this is not technically a leaktest demonstration, but rather an investigation of whether (and how) various software firewalls can be terminated. It's still evolving and jdong is putting out new versions of his demonstrator further down in the thread. (Same CAVEAT as in my preceding post applies here, also.)

And, once again, we're seeing the same problem that gkweb has confronted repeatedly: People are all too frequently reporting results without indicating which version/build/update of the software firewall they're running, what OS they're running on, how they've got the software firewall configured, and what (if anything) else they're running concurrently. Still, it's a potentially interesting read.

JayK
September 25th, 2003, 07:57 AM
Damn, those guys at broadband forums are really technical huh?