Wilders Security Forums  

  #1  
Old January 3rd, 2005, 09:19 PM
nick s
Very Frequent Poster
 
Join Date: Nov 2002
Posts: 1,427
Default Multiple Firewall Products Bypass Vulnerability

"This is a generic problem of common Personal Firewall products which accept shortcuts or provide an interface that enables clicking without requiring a password for controlled actions (acting as server -listening ports-, executing another program, connecting to another computer etc.)..."

Full advisory: Multiple Firewall Products Bypass Vulnerability (link may go down) or Multiple Firewall Products Bypass Vulnerability

Nick

more of the advisory (from grc.security):

Online URL : http://ferruh.mavituna.com/article/?769
Download POC : http://ferruh.mavituna.com/opensourc...wallbypass.zip
(Also I attached vbs files as txt, one of them is -mousecontrol.txt- vb.net
source code)

This is a generic problem of common Personal Firewall products which
accept shortcuts or provide an interface that enables clicking without
requiring a password for controlled actions (acting as server -listening
ports-, executing another program, connecting to another computer etc.).

-------------------------------------------------------------------
Problem;
-------------------------------------------------------------------
Most personal firewalls allow shortcuts or an interface for controlling
traffic. It's simple to bypass these firewalls with a multithreaded program
that sends keys or controls the mouse.

This flaw means that any Trojan or similar program can easily bypass the
firewall and act as a server or access another computer. Also, most of
these firewalls have a "remember" option, so if you bypass the firewall and
successfully exploit it, the firewall will never ask again.

This is a threat similar to shatter attacks, but with a different method and
impact.

Vulnerable Products (Sending Key Method and Mouse Control);
These products are vulnerable to both the "Sending Key Method" and the "Mouse
Control Method"

Test Platforms;
Fully Patched Windows XP Professional and Windows 2003 Enterprise Edition
(May 19, 2004 - 01.01.2005)

1. ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
I. 4.5.530.000 - Tested
II. 4.5.538.001 - Tested
III. 5 and newer versions are not vulnerable...

2. Kerio (www.kerio.com)
I. 4.0.14 - Tested
II. All Versions

3. Agnitium Outpost Firewall (www.agnitium.com)
I. 2.1.303.4009 (314) - Tested
II. 2.5.369.4608 (369) - Tested
III. All Versions

4. Kaspersky Anti-Hacker (www.kaspersky.com)
I. 1.5.119.0 - Tested
II. All Versions

5. Look 'n' Stop (www.looknstop.com)
I. 2.04p2 - Tested
II. All Versions

6. Symantec's Norton Personal Firewall (www.norton.com)
I. 2004 - Tested
II. All Versions

Last edited by nick s : January 3rd, 2005 at 10:11 PM. Reason: link seems down
  #2  
Old January 3rd, 2005, 11:07 PM
nick s
Very Frequent Poster
 
Join Date: Nov 2002
Posts: 1,427
Default Re: Multiple Firewall Products Bypass Vulnerability

The Outpost Pro proof-of-concept worked on my version 2.5.370.4626 (370). Running in "Rules Wizard" mode, when I execute the VBS script, the standard allow/deny dialogue flashes briefly. If I then look at the OP "Applications" dialogue and the "Allowed Connections" log, I see that wscript.exe had been added as a "Trusted" application and established an outbound connection to the test URL.

When I put OP in "Block most mode", the script fails. For the exploit to work on my system, I did have to allow the script to run when RegRun intercepted it, and I had to allow wscript.exe to run when Process Guard alerted me.

Nick
  #3  
Old January 4th, 2005, 12:25 PM
gkweb
Expert Firewall Tester
 
Join Date: Aug 2003
Location: FRANCE, Rouen (76)
Posts: 1,917
Default Re: Multiple Firewall Products Bypass Vulnerability

I will just quote what I said on broadband security forum :

Quote:
Hi,

personally I do not see "sending keystrokes to the firewall GUI" as a firewall bypass vulnerability at all (it's not a "leaktest").
A real "firewall bypass" method will bypass the firewall without interfering with it, without attacking it nor modifying/terminating it.
As soon as it targets the firewall, it turns into a trojan or malicious code, not a "bypass", just an attack.

In addition, this problem raised about sending keystrokes to the various GUIs to control the applications is not new, and concerns many more applications than just personal firewalls; every security app is concerned, like the AV, AT, etc...

I second Ghost16825 that this has more to do with sandboxes than anything else, and I second Wayne about ProcessGuard, which already protects against that kind of remote process control.
With ProcessGuard you can not only define that you want a password-protected popup when "something" or someone clicks on "File -> Exit" or anything else, but you can also define this for any button on the GUI: just hold the INSERT button while doing the action you want to be protected, and ProcessGuard will learn it and protect it for you.

regards,

gkweb.

just my 2 cents.
__________________
Network Filter Blog : http://networkfilter.blogspot.fr
  #4  
Old January 4th, 2005, 04:26 PM
kareldjag
Frequent Poster
 
Join Date: Nov 2004
Location: Feet in France, Mind in the World
Posts: 521
Default Re: Multiple Firewall Products Bypass Vulnerability

Hi,

I've recently mentioned in the ProcessGuard forum that API call vulnerabilities could be exploited with shatter attacks to bypass some protections like firewalls or others.

More information (not the page with the tools' exploit):

http://www.securityfocus.com/archive/1/383586

Best Regards
  #5  
Old January 5th, 2005, 04:29 PM
Paranoid2000
Security Expert
 
Join Date: May 2004
Location: North West, United Kingdom
Posts: 2,839
Default Re: Multiple Firewall Products Bypass Vulnerability

This is information I've posted previously elsewhere but since it seems relevant to this issue, it is probably worth repeating...

Any exploit using SendKeys can be blocked via the following methods:
  • Remove Windows Scripting Host - Windows 98 users can remove it via Add/Remove Programs in the Control Panel (Windows Setup/Accessories should list Windows Scripting Host as a component). Windows 2000/XP users will have to use a third-party product like 2000lite/XPlite since Microsoft does not list WSH as a separate component here. Note: Some sites (like Sophos) suggest disabling WSH by removing the .vbs file type from Windows Explorer's recognised file types - while this will work for .vbs files, scripts can have other extensions (e.g. shellscrap .shs/shb files) so this should not be relied upon as a complete solution.
  • Install script-checking software - Some anti-virus software include script scanners or blockers (just try running a test script to verify this) but Script Sentry can be used as a free alternative if they do not.
  • Assigning a firewall configuration password (where this option is available) may prevent (or at least restrict) the changes that can be made by any script - Process Guard's Secure Message Handling option can offer a partial solution since it can be used to prevent a firewall from being shut down and can be extended to include configuration changes accessible via menu options (this may not cover all options however and probably would not handle responses to application prompts).
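An audit script for the first mitigation in the list above (added here as an example; it is not from the thread or from any product mentioned in it). It reports whether Windows Script Host is disabled via the "Enabled" value under the Windows Script Host\Settings registry key, and resolves the registered handler for .vbs and the other script-capable extensions the post warns about (.shs/.shb included), so that removing only the .vbs association shows up as incomplete. The extension list and the risk labels are assumptions; it is written for a current Windows host with PowerShell 5 or later.

```powershell
# Audit WSH state and script file-type handlers (added example, not the thread's own code).
$wshSettingsPaths = @(
    'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings',
    'HKCU:\SOFTWARE\Microsoft\Windows Script Host\Settings'
)

# Script-capable extensions to check; .shs/.shb are the shell scrap types the post mentions.
# The list is an assumption: extend it for your own environment.
$scriptExtensions = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.shs', '.shb'

function Get-WshEnabledState {
    # 'Disabled' if either Settings key carries Enabled = 0, otherwise 'Enabled'.
    foreach ($path in $wshSettingsPaths) {
        if (Test-Path $path) {
            $enabled = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).Enabled
            if ($null -ne $enabled -and [int]$enabled -eq 0) { return 'Disabled' }
        }
    }
    return 'Enabled'
}

function Get-ScriptHandlers {
    # For each extension resolve HKCR\.ext -> ProgID -> shell\open\command.
    # Scrap files (.shs/.shb) are handled through a COM ProgID without an open command,
    # so "ProgID present, no command" is still reported as handled, not as safe.
    foreach ($ext in $scriptExtensions) {
        $progId  = (Get-ItemProperty -Path "Registry::HKEY_CLASSES_ROOT\$ext" -ErrorAction SilentlyContinue).'(default)'
        $command = $null
        if ($progId) {
            $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
            $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
        }
        $risk = if ($command -match 'wscript|cscript') { 'WSH runs this type' }
                elseif ($command)                       { 'Has open command' }
                elseif ($progId)                        { 'Handled via ProgID (COM)' }
                else                                    { 'No handler registered' }
        [pscustomobject]@{ Extension = $ext; ProgId = $progId; Handler = $command; Risk = $risk }
    }
}

"Windows Script Host: $(Get-WshEnabledState)"
Get-ScriptHandlers | Format-Table -AutoSize
```

Run it from an elevated prompt if HKLM access is restricted; a row that still reads "WSH runs this type" after the .vbs association has been removed is exactly the incomplete mitigation the post cautions about.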