new leaktest released : DNStester (from Jarkko Turkulainen)


gkweb
April 1st, 2004, 08:39 AM
Hi,

a new leaktest has been released, DNStester v1.0, available here : http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/leaktest14.htm



A description from the page:

-{ Quote: "
By default on NT OSs since Windows 2000, a Windows service 'DNS client' is running and handles all DNS requests. Thus, all DNS requests coming from the various applications you may have will be transmitted to the DNS client (SVCHOST.EXE under XP), which will itself do the DNS request.
This behaviour can be used to transmit data to a remote computer by crafting a special DNS request without the firewalls noticing it. Indeed, the DNS client Windows service must be allowed to access the Internet. DNStester uses this kind of recursive DNS request to bypass your firewall.

=> In order to use DNStester, you must leave the DNS client Windows service enabled.
" }-

The author's main work is about DNSshell; more information is on his website:
http://www.klake.org/~jt/dnshell/


All the information and explanations are very detailed and interesting; I advise you to take a look at it.

regards,

gkweb.





halc
April 3rd, 2004, 03:40 PM
Just FYI: DNS Client is not really needed (on most systems) and can be disabled. I always disable it on my XP systems and run an alternative DNS Proxy/Cache (AnalogX FastCache).

gkweb
April 3rd, 2004, 03:42 PM
Indeed, disabling it is a workaround :)

The point however is that this service is unfortunately enabled by default on Windows XP (probably in Windows 2000 too) and not every user knows they can disable it.

regards,

gkweb.

RedLobster
April 3rd, 2004, 04:47 PM
As stated, the service is not needed....and if the vendor of this so-called leak test wanted to do the public a service then fine, just make a program that will disable the service.....instead of saying this:

**=> In order to use DNStester, you must left enabled the DNS client windows service.**


There are many settings that are enabled by default within the Windows operating system....not all of which are good......and there are forums like this one where people help others secure their systems.........
This so-called leak test has the gall to actually ask a user to hack his own firewall by turning on the service if it's been disabled......
But also stated by the vendor:

**Indeed, the DNS client windows service must be allowed to access the Internet. **

Wait...didn't we all just agree that the service can be disabled......so what's the purpose of the "MUST BE ALLOWED"?

Leaktest huh..........

gkweb
April 3rd, 2004, 04:59 PM
A leaktest is just a proof of 'concept' to show that personal firewalls, which are supposed to block programs from accessing the Internet, fail in some cases :)

That's important information to show the user that he should layer his security instead of relying on a single product; I don't see anything bad in that.

For instance the latest version of Zone Alarm Pro, even with the service enabled, catches the leaktest and asks the user what to do, so you can see that all of this has a meaning.

There is a difference between blocking a leaktest and passing a leaktest: to pass means to pass the idea behind the leaktest (which ZA does with this one), and to block means to block the leaktest because of another, totally different thing the leaktest triggers, like simply preventing it from launching with a sandbox, or preventing it from doing its job by disabling a service, or even keeping your AV up to date to detect it before it can run.
A few leaktests like Copycat can't even be passed currently by firewall features.

Leaktests are just a way to show that in some way, trojan authors can defeat your firewall (by unpublished exploits) and that you should add layers. Maybe you think that's stupid, but I do think it's a benefit for everyone; it's just information, and after that you can behave accordingly or not, it's your choice.

regards,

gkweb.

RedLobster
April 3rd, 2004, 05:22 PM
That plus $1.50 will get you a cup of coffee....where is the proof of concept in a person hacking his own firewall....by enabling a service?
Let's see....there is a button on the tower....press the button and the computer shuts down....proof of concept.......well that's what that so-called leaktest is doing....telling a person TO ENABLE A SERVICE SO THE LEAK TEST CAN PASS THE FIREWALL.

Leaktests have been around a few years and have served a purpose....several firewalls have improved because of leaktests.......
But to ask that a service be enabled.....that's the gall of it all.........not worth discussion....I just can't believe anyone.....not even a newbie......actually enabling a service KNOWING IT'S GOING TO BE EXPLOITED...

RedLobster
April 3rd, 2004, 05:28 PM
Gkweb

Say..please don't think I am posting to offend you.....most definitely not!
My posts are about the so-called leaktest......not in any way personal...ok
Leaktests can have a purpose.....the right kind of leaktest

gkweb
April 3rd, 2004, 05:35 PM
-{ Quote: "
TO ENABLE A SERVICE SO THE LEAK TEST CAN PASS THE FIREWALL.
" }-

Install the Zone Alarm Pro trial and you will see it does NOT pass the firewall, which shows that all of the firewalls failing it _while_ this service is enabled are vulnerable; that's a fact.

Then, in best guidance/practices or safe hex, whatever you call it, it is advised not to enable it. These are two totally different areas and you can't argue against one using arguments from the other.

If you mean that, as the leaktest author that I am, I suggest to users to decrease their security, take a look at my website, in particular these two pages:

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/advices.htm

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/software.htm

and probably this little tool can interest you too : http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm


As you can see, the first purpose of leaktests is to demonstrate vulnerabilities to make users aware of them, and then to improve their security; the purpose is not (and was never) to tell users to permanently disable their overall security.
It seems that you don't understand what a proof of concept is: you can disable a service, but the idea can be used with another protocol, with a service you can't disable for instance, or maybe simply the user who is a beginner in security and clueless about that will now feel compelled to disable this service.

Once again, I see only benefits for everyone.

regards,

gkweb.

EDIT : no offense taken, your opinion is as good as anyone else's.

Paul Wilders
April 3rd, 2004, 05:40 PM
-{ Quote: "...It seems that you don't understand what is a proof of concept, you can disable a service, but the idea can be used into another protocol with a service you can't disable for instance" }-

No offense intended, snowman: but that's right on target IMO.

regards.

paul

RedLobster
April 3rd, 2004, 06:20 PM
ok,,we agree that this is a discussion..no offense taken...just talking...


*but the idea can be used into another protocol with a service you can't disable for instance*


Ok, then make a leaktest for that service that can't be disabled.....
If I un-install my firewall there's a good chance I will eventually be hacked.....and if I enable a service that I already know is exploitable...how is that any different from your test? Of course ZA will fail...how could it possibly pass....the user just hacked the firewall himself...your test didn't..the user did.
As for the newbies..of course they don't know.....they are just newbies....they don't know that media player is known as the super cookie either.....but they can learn......without being scared......by smoke and mirrors.....
And again I STRONGLY SAY THAT NO OFFENSE IS INTENDED.
Do you believe that a firewall can be improved to prevent this service from bypassing it??? If you can honestly say yes to that question then I humble myself and offer an apology.............understand of course that I already know that disabling the service works.....but can a firewall be improved to prevent the ENABLED service.........?

RedLobster
April 3rd, 2004, 06:32 PM
GW

I just noticed that you are not logged in...so you must have left.
In fairness I won't post on this topic anymore.........I am not someone who goes behind another person's back......instead I prefer to discuss matters openly and honestly with the person......so, perhaps another time.

gkweb
April 3rd, 2004, 06:33 PM
-{ Quote: "
Do you believe that a firewall can be improved to prevent this service from bypassing it???
" }-

Once again, Zone Alarm Pro already does it.
If I didn't understand your question, can you say it in another way?

Then, once a trojan is put on your system, it is very easy to start the service if it isn't started. The end user will just see the firewall asking him whether or not to allow "svchost.exe" to access the Internet, in the best case (if not ZA), and won't have any clue that a trojan is there. So whether the service is started or not in fact doesn't matter, since a trojan can simply enable it.
If the end user isn't lucky, svchost is already allowed to access the Internet (because svchost is involved in more network services than just DNS requests).

But leaktests aren't trojans, just vulnerability demos, so don't expect a leaktest to totally destroy your system just to show you that it can do it.

regards,

gkweb.

EDIT : going to plug off the Internet, i can't continue the discussion until tomorrow probably.

RedLobster
April 3rd, 2004, 06:40 PM
GB

no need to continue..your last explanation settled the matter.....
And as promised....you have my humble apology.

We were actually talking about totally different things....I didn't see it until your last post.......your point of a trojan turning on the service.....
again my apology........

gkweb
April 3rd, 2004, 06:50 PM
No need to apologize RedLobster, I must admit that all things around leaktests aren't so obvious sometimes.


hm, bed time now ;)

regards,

gkweb.

mvdu
April 3rd, 2004, 09:52 PM
gkweb - I could stop it with ZAP and NIS 2004. NIS 2004 says the .exe is trying to connect to a DNS server. I click always block connections on all ports, and it's stopped.

gkweb
April 4th, 2004, 06:31 AM
Is your DNS client service running and allowed?
(svchost.exe - XP, services.exe - 2000).
Are you on XP or 2000, so I can do the test accordingly?

Thank you.

regards,

gkweb.

mvdu
April 4th, 2004, 12:00 PM
Yes, and I am on Windows XP Home edition.

Pilli
April 26th, 2004, 03:29 PM
Congratulations on the new improved version 1.3 GK :) Nice Job!

http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm

gkweb
April 26th, 2004, 07:41 PM
Thank you Pilli ;)

Maybe this thread would be more on topic:
http://www.wilderssecurity.com/showthread.php?t=25485

Again, another thank you for the time taken to test it for me ;)

Paranoid2000
May 2nd, 2004, 08:51 PM
GKWeb,

Out of curiosity, does ZoneAlarm simply detect DNStest as a new application requesting DNS access (like any other application) or does it catch on that there is something more unusual about it? (zero TTL, use of TXT queries, etc).

Leaktest comments aside, combining this approach with address space injection (allowing a trojan to assume the identity of a trusted application) would bypass virtually any firewall (Outpost's DNS Cache plugin would block repeated access always returning the first cached result instead, but this is more by accident than design). Stopping this would require the likes of ProcessGuard or System Safety Monitor.

Paranoid2000
May 2nd, 2004, 09:31 PM
Going OT slightly, running the DNS Client service can allow "rogue" DNS servers to spoof you with false replies redirecting you to other sites. Follow the recommendations at the bottom of the Adjust Windows XP DNS Cache Settings (http://www.listsoft.com/?tip=481) article to prevent this (Registry editing required - similar advice is included at the bottom of Microsoft's Windows 2000 DNS (http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cncf/cncf_imp_miqe.asp) article - presumably this has not yet merited a Security Advisory *typical*).

mvdu
May 3rd, 2004, 12:10 AM
I have tried both SSM and PG, and they didn't stop it. Maybe they require special settings. Only ZAP and NPF have stopped it. I wish Outpost would - it sounds like a serious thing.

Paranoid2000
May 3rd, 2004, 12:42 AM
DNStest does not use address space or DLL injection so SSM and PG will have no effect on it (SSM should have prompted you when you ran it though). I was talking about a (currently) theoretical combination of it with a trojan using techniques to hide itself in other running processes.

Outpost can block it, but you have to have it tightly configured. Specifically use the "Application DNS" settings in A Guide to Producing a Secure Configuration for Outpost (http://www.outpostfirewall.com/forum/showthread.php?threadid=9858) (when the Outpost Firewall forum is back up from the vBulletin upgrade).

mvdu
May 3rd, 2004, 12:56 AM
Thanks for those settings - while my experiences with Outpost haven't been good lately, I haven't given up on it because I could have conflicting software - you never know.

So it must be combined with the address space to transfer the info to the remote computer?

Jason_DiamondCS
May 3rd, 2004, 12:59 AM
If I recall correctly, if you have blocked WRITE access on svchost.exe and made sure the leaktest doesn't have allow write access, then Process Guard should block this. Unless of course the author has recently changed his methods.

Paranoid2000
May 3rd, 2004, 01:10 AM
-{ Quote: "So it must be combined with the address space to transfer the info to the remote computer?" }-DNSTest can transmit information to a remote system - however it is easily identified with a suitable firewall configuration. If it used address space injection then it could masquerade as another process with network access permissions (e.g. Internet Explorer) in which case there would be nothing traffic-wise or application-wise for a firewall to pick up on.

SydneyProxy02
May 3rd, 2004, 01:32 AM
I am wondering whether this leaktest is effective at all:

Please note that some people do not only use firewalls but also properly configure them ;-)

A DNS request is an outgoing connection. A properly configured firewall will allow such outgoing connection ONLY if it is made to your internet provider. The firewall will NOT allow a DNS request which is directed to an arbitrary internet address (i.e., a hacker's computer).

So ... where is the leak?

mvdu
May 3rd, 2004, 01:35 AM
Paranoid2000: the Outpost site is down. Can you find those application DNS rules anywhere else?

Paranoid2000
May 3rd, 2004, 01:42 AM
SydneyProxy02,

Please review the DNShell documentation (http://www.klake.org/~jt/dnshell/) - communication takes place through your ISP's DNS servers using recursive DNS. Therefore unless your firewall restricts DNS access by application, this leaktest will go through it.

Mvdu:

As I stated previously, the Outpost forum is down for a vBulletin upgrade. It is supposed to be back up sometime on Monday. If you cannot wait till then, PM me with your email address and I will send a copy.
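The point Paranoid2000 makes above (and gkweb's earlier remark that svchost.exe is often already allowed out) is that the data travels inside ordinary recursive queries to the ISP's own resolver, so a rule that only restricts the destination address sees nothing wrong; what a defender needs is per-application DNS control plus a look at the queries themselves (TXT type, long or hex-looking labels, as mentioned earlier in the thread). The following Python script is an added example written for this page, not code from the thread, from DNStester or from any firewall vendor. The log format, the resolver address 10.0.0.53, the application allowlist and the log lines are all constructed for the demonstration; the `proc=` field stands in for what a per-application DNS hook would record, since a plain packet filter would only ever see svchost.exe.

```python
import math
import re

# Constructed host-level DNS query log (hypothetical format):
# "<time> proc=<requesting image> type=<qtype> name=<qname> dst=<resolver ip>"
# Lines 3 and 4 carry hex-encoded text in the leftmost label and go to the
# ISP resolver, exactly the pattern a destination-only rule cannot see.
SAMPLE_LOG = """\
12:00:01 proc=iexplore.exe type=A name=www.example.com dst=10.0.0.53
12:00:02 proc=svchost.exe type=A name=update.example.net dst=10.0.0.53
12:00:03 proc=dnstester.exe type=TXT name=7a6f6e65616c61726d2074657374.t.example.org dst=10.0.0.53
12:00:04 proc=svchost.exe type=TXT name=4a6172636b6f20736179732068692e.t.example.org dst=10.0.0.53
12:00:05 proc=outlook.exe type=MX name=example.com dst=10.0.0.53
12:00:06 proc=unknown.exe type=A name=www.example.com dst=198.51.100.7
"""

ISP_RESOLVERS = {"10.0.0.53"}                                      # constructed
DNS_ALLOWED_APPS = {"iexplore.exe", "outlook.exe", "svchost.exe"}  # hypothetical policy

LINE_RE = re.compile(r"(\S+) proc=(\S+) type=(\S+) name=(\S+) dst=(\S+)")
HEX_LABEL = re.compile(r"^[0-9a-f]{16,}$")


def parse_log(text):
    """Turn the constructed log into a list of dicts; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            t, proc, qtype, qname, dst = m.groups()
            entries.append({"time": t, "proc": proc, "qtype": qtype.upper(),
                            "qname": qname.rstrip(".").lower(), "dst": dst})
    return entries


def shannon_entropy(s):
    """Bits per character; hex-encoded payloads sit well above ordinary hostnames."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(c) / n * math.log2(s.count(c) / n) for c in set(s))


def destination_only_filter(entries, resolvers):
    """The rule SydneyProxy02 describes: DNS allowed only towards the ISP resolvers.
    Returns what such a rule lets through, recursive tunnelling included."""
    return [e for e in entries if e["dst"] in resolvers]


def suspicious_reasons(entry):
    """Content heuristics on a single query (the cues named in the thread)."""
    reasons = []
    labels = entry["qname"].split(".")
    payload = "".join(labels[:-2])  # everything left of the registered domain (approximation)
    if entry["qtype"] == "TXT":
        reasons.append("txt-query")
    if any(len(label) > 30 for label in labels):
        reasons.append("long-label")
    if any(HEX_LABEL.match(label) for label in labels):
        reasons.append("hex-label")
    if len(payload) >= 16 and shannon_entropy(payload) > 3.0:
        reasons.append("high-entropy")
    return reasons


def per_app_and_content_filter(entries, resolvers, allowed_apps):
    """Per-application DNS policy plus query inspection. Returns a list of
    (qname, proc, reasons) findings; an allowed app such as svchost.exe is
    still caught when the query itself looks like a data carrier."""
    findings = []
    for e in entries:
        if e["dst"] not in resolvers:
            findings.append((e["qname"], e["proc"], ["foreign-resolver"]))
            continue
        reasons = suspicious_reasons(e)
        if e["proc"] not in allowed_apps:
            reasons.insert(0, "app-not-allowed")
        if reasons:
            findings.append((e["qname"], e["proc"], reasons))
    return findings


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("destination-only rule lets through:",
          len(destination_only_filter(entries, ISP_RESOLVERS)), "of", len(entries))
    for qname, proc, reasons in per_app_and_content_filter(entries, ISP_RESOLVERS, DNS_ALLOWED_APPS):
        print(f"{proc:15} {qname:45} {', '.join(reasons)}")
```

Run as-is, the destination-only rule blocks only the query to the foreign resolver and passes both tunnelled TXT queries, while the per-application check catches the unknown image and the content heuristics catch the same payload even when it arrives via the allowed svchost.exe. The entropy threshold and label lengths are deliberately rough; in practice they would be tuned against the host's normal query mix.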

SydneyProxy02
May 3rd, 2004, 02:09 AM
@Paranoid

Thx for the explanation!