Backdoor access to Windows Firewall
nadirah
March 14th, 2005, 01:30 AM
Backdoor Access To Windows Firewall
As you probably know, Windows XP comes with its own firewall. In Service Pack 2, that firewall may come enabled by default, if no other firewall is present. The purpose of a software firewall basically is to close network ports to any piece of software trying to access those ports, as well as to keep remote traffic from entering through those ports.
Someone recently discovered (http://habaneronetworks.com/viewArticle.php?ID=144) that Microsoft has left a glaring hole in this firewall. Any application running on the computer simply is allowed to edit the registry and have itself exempted from the firewall's rules. That means that the Windows firewall will just ignore a piece of software if that software performs a simple registry edit. That defeats the purpose of having a firewall in the first place if software can bypass it so easily.
Spywareinfo Newsletter Mar 13/05 (http://www.spywareinfoforum.com/newsletter/archives/2005/mar13.php#firewall)
Chris12923
March 14th, 2005, 02:18 AM
Thanks for the info.
Thanks,
Chris
no13
March 14th, 2005, 02:46 AM
ya know what?
the remote registry service is also a threat here... any remote user can change your registry... it's a part of that "remote desktop" thing.
sorry for being so vague.
www.blackviper.com
More info about WinXP services.
CrazyM
March 14th, 2005, 05:04 AM
"One additional note:
"The Windows Firewall API makes it possible to programmatically manage the features of Windows Firewall (formerly known as Internet Connection Firewall) by allowing applications to create, enable, and disable firewall exceptions." MSDN
What this means in relation to system security is that applications (must be run in an Administrator account) can now add themselves to and change exceptions in the Windows Firewall without a user prompt. So be sure to follow best practices and do not run or install unknown/untrusted applications and routinely check your exceptions list and remove anything that does not need to be there."
Windows Firewall Overview & Tips (http://www.wilderssecurity.com/showthread.php?p=274382)
Regards,
CrazyM
kareldjag
March 14th, 2005, 08:42 AM
Hi,
The news was already given in this ill-frequented area (regarding the AV's and Firewall's section):
http://www.wilderssecurity.com/showthread.php?p=380761
I'm still not totally convinced by this kind of proof of concept.
But in any case, it's not serious to use Windows firewall.
And originally, all Windows is backdoored.
Regards
SvS
March 15th, 2005, 05:59 AM
Quote: "Someone recently discovered (http://habaneronetworks.com/viewArticle.php?ID=144) that Microsoft has left a glaring hole in this firewall. Any application running on the computer simply is allowed to edit the registry and have itself exempted from the firewall's rules. That means that the Windows firewall will just ignore a piece of software if that software performs a simple registry edit. That defeats the purpose of having a firewall in the first place if software can bypass it so easily."
It's even easier than this: Microsoft provided a nice API to control every aspect of Windows Firewall, so no application has to edit the registry to add itself as an exception to the Windows Firewall; this can be done by adding a few lines of code or just by using the sample code Microsoft provided.
On the other hand you'll have to run the code as Admin, which allows other great things to be done. You may programmatically start and stop services or uninstall every application you like, including AV, AT, Firewalls or whatever other strange "protection" software one may run. If I were to try to bypass the Firewall I wouldn't even mess with the nasty COM stuff involved or dig deep into the Windows Registry, I would just stop the security center and Firewall services (to stop the security center service wouldn't be really necessary I think, since most users disable it first to get rid of the "silly" notifications it displays, and if Symantec NIS or NAV were or are installed it's broken anyway) to get things done and start them afterwards. This would have the advantage that even if the user manages to review the exception list there would be no traces left.
A computer administrator always has full access to the entire system, including service control and full access to the system registry keys. The Windows Firewall is neither backdoored nor ineffective; it just allows administration (which may come in handy for enterprise usage). How to avoid this backdoor? Don't use the Administrator account for every day use, or wait for your favorite "security" vendor to release a tool to protect from this "flaw".
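CrazyM's advice to routinely review the exceptions list, and SvS's point that a self-added entry is the one trace an admin-level program leaves there, both come down to a baseline comparison. The script below is an added example (not code from the thread or from Microsoft): it parses a `reg export` of the XP SP2 key `HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List` and flags enabled exceptions that were not in a known-good baseline or that point outside trusted directories. The sample export, the baseline and the trusted-directory list are constructed for the example.

```python
import re

# Constructed `reg export` of the XP SP2 per-application exceptions key (not real
# host data). Each value is "<path>"="<path>:<scope>:<Enabled|Disabled>:<name>".
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update"
'''

# Known-good baseline (constructed): the list as recorded right after setup.
BASELINE = {r"%windir%\system32\sessmgr.exe", r"c:\program files\messenger\msmsgs.exe"}
# Directories an enabled exception is normally expected to live in (assumption).
TRUSTED_PREFIXES = ("%windir%\\", "c:\\windows\\", "c:\\program files\\")

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    # Undo .reg escaping of backslashes and quotes.
    return s.replace('\\\\', '\\').replace('\\"', '"')

def parse_exceptions(reg_text):
    """Return one dict per application exception in a .reg export of the key."""
    entries = []
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        path, data = unescape(m.group(1)), unescape(m.group(2))
        # The data repeats the path, so strip it by length rather than splitting
        # on ':' (the drive letter and the display name can both contain one).
        if not data.lower().startswith(path.lower() + ":"):
            continue  # not in the expected format
        fields = data[len(path) + 1:].split(":", 2)
        if len(fields) != 3:
            continue
        scope, state, name = fields
        entries.append({"path": path, "scope": scope, "name": name,
                        "enabled": state.lower() == "enabled"})
    return entries

def audit(entries, baseline=BASELINE):
    """Flag enabled exceptions absent from the baseline or outside trusted dirs."""
    findings = []
    for e in entries:
        p = e["path"].lower()
        reasons = []
        if p not in baseline:
            reasons.append("not in baseline")
        if not p.startswith(TRUSTED_PREFIXES):
            reasons.append("outside trusted directories")
        if e["enabled"] and reasons:
            findings.append((e["path"], reasons))
    return findings
```

On the sample data only the entry under the user's Temp directory is reported; as SvS notes, an exception that was added and removed again (or a stopped firewall service) leaves nothing in this list, so the check complements rather than replaces not running everyday software as Administrator.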
Copyright ©2002 - 2012, Wilders Security Forums