Backdoor access to Windows Firewall

Discussion in 'other security issues & news' started by nadirah, Mar 14, 2005.

Thread Status:
Not open for further replies.
  1. nadirah

    nadirah Registered Member

    Oct 14, 2003

    As you probably know, Windows XP comes with its own firewall. In Service Pack 2, that firewall may come enabled by default, if no other firewall is present. The purpose of a software firewall basically is to close network ports to any piece of software trying to access those ports, as well as to keep remote traffic from entering through those ports.

    Someone recently discovered that Microsoft has left a glaring hole in this firewall. Any application running on the computer simply is allowed to edit the registry and have itself exempted from the firewall's rules. That means that the Windows firewall will just ignore a piece of software if that software performs a simple registry edit. That defeats the purpose of having a firewall in the first place if software can bypass it so easily.

    Spywareinfo Newsletter Mar 13/05
  2. Chris12923

    Chris12923 Registered Member

    May 31, 2004
    Thanks for the info.


  3. no13

    no13 Retired Major Resident Nutcase

    Sep 28, 2004
    Wouldn't YOU like to know?
    ya know what?

    The Remote Registry service is also a threat here... any remote user can change your registry... it's a part of that "remote desktop" thing.

    sorry for being so vague.
    More info about WinXP services.
  4. CrazyM

    CrazyM Firewall Expert

    Feb 9, 2002
    BC, Canada
    One additional note:

    "The Windows Firewall API makes it possible to programmatically manage the features of Windows Firewall (formerly known as Internet Connection Firewall) by allowing applications to create, enable, and disable firewall exceptions." (MSDN)

    What this means in relation to system security is that applications (which must be run in an Administrator account) can now add themselves to and change exceptions in the Windows Firewall without a user prompt. So be sure to follow best practices: do not run or install unknown/untrusted applications, and routinely check your exceptions list and remove anything that does not need to be there.

    Windows Firewall Overview & Tips
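    The "routinely check your exceptions list" advice above, as an added example that is not code from the thread, from MSDN or from Microsoft: it reads the exceptions both ways the posts describe, through the Windows Firewall API (the HNetCfg.FwMgr COM object) and straight from the registry list that API writes to, then flags entries worth a second look (present in only one view, image missing, unsigned, or outside Program Files/Windows). It assumes Windows XP SP2 / Server 2003 SP1, Windows PowerShell 2.0 and an Administrator account; the registry path and value format are those of XP SP2.

```powershell
# Added example, not from the thread. Assumes XP SP2 / Server 2003 SP1 with
# Windows PowerShell 2.0, run as Administrator. Nothing here modifies the policy.

$fwBase = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

function Get-ComExceptions {
    # The documented API. CurrentProfile is the Domain profile on a domain-joined
    # machine that can reach a DC, otherwise the Standard profile.
    $fwMgr   = New-Object -ComObject HNetCfg.FwMgr
    $profile = $fwMgr.LocalPolicy.CurrentProfile
    $apps = foreach ($app in $profile.AuthorizedApplications) {
        New-Object PSObject -Property @{
            Source = 'API'; Path = $app.ProcessImageFileName; Name = $app.Name
            Enabled = [bool]$app.Enabled; Scope = $app.Scope   # 0 all, 1 local subnet, 2 custom
        }
    }
    $ports = foreach ($p in $profile.GloballyOpenPorts) {
        '{0}/{1} {2} enabled={3}' -f $p.Port, $p.Protocol, $p.Name, $p.Enabled   # Protocol: 6 TCP, 17 UDP
    }
    New-Object PSObject -Property @{
        ProfileType     = $profile.Type          # 0 = Domain, 1 = Standard
        FirewallEnabled = [bool]$profile.FirewallEnabled
        ExceptionsOff   = [bool]$profile.ExceptionsNotAllowed
        Apps            = @($apps)
        Ports           = @($ports)
    }
}

function Get-RegistryExceptions {
    param([int]$ProfileType)
    # The same list as raw registry data: one string value per program, named by
    # its image path, with data "path:scope:Enabled|Disabled:display name".
    # Any process running as Administrator can write here without using the API.
    $profileKey = if ($ProfileType -eq 0) { 'DomainProfile' } else { 'StandardProfile' }
    $listKey = Join-Path $fwBase "$profileKey\AuthorizedApplications\List"
    if (-not (Test-Path $listKey)) { return @() }
    $values = Get-ItemProperty -Path $listKey
    foreach ($prop in $values.PSObject.Properties) {
        if ($prop.Name -match '^PS(Path|ParentPath|ChildName|Drive|Provider)$') { continue }
        # The path itself contains a colon, so anchor the fixed fields from the right.
        $path = $prop.Name; $name = [string]$prop.Value; $scope = '?'; $enabled = $false
        if ([string]$prop.Value -match '^(.*):([^:]*):(Enabled|Disabled):(.*)$') {
            $path = $Matches[1]; $scope = $Matches[2]; $enabled = ($Matches[3] -eq 'Enabled'); $name = $Matches[4]
        }
        New-Object PSObject -Property @{ Source = 'Registry'; Path = $path; Name = $name; Enabled = $enabled; Scope = $scope }
    }
}

function Get-ExceptionAudit {
    $api = Get-ComExceptions
    $reg = @(Get-RegistryExceptions -ProfileType $api.ProfileType)
    # Merge both views by expanded, case-folded image path (defaults use %windir%).
    $byPath = @{}
    foreach ($e in ($api.Apps + $reg)) {
        $key = [Environment]::ExpandEnvironmentVariables($e.Path).ToLower()
        if (-not $byPath.ContainsKey($key)) { $byPath[$key] = @{} }
        $byPath[$key][$e.Source] = $e
    }
    'Profile: {0}  FirewallEnabled: {1}  ExceptionsNotAllowed: {2}' -f `
        @('Domain', 'Standard')[$api.ProfileType], $api.FirewallEnabled, $api.ExceptionsOff
    foreach ($path in ($byPath.Keys | Sort-Object)) {
        $entry = $byPath[$path]
        $e = if ($entry['API']) { $entry['API'] } else { $entry['Registry'] }
        $flags = @()
        # The API reads this same key, so the two views should agree; a difference
        # means the list changed underneath the firewall or a GPO-applied list is in play.
        if (-not $entry['API'])      { $flags += 'registry only' }
        if (-not $entry['Registry']) { $flags += 'API only' }
        if (-not (Test-Path -LiteralPath $path)) { $flags += 'image missing' }
        elseif ((Get-AuthenticodeSignature -FilePath $path).Status -ne 'Valid') { $flags += 'unsigned' }
        if ($path -notlike "$env:ProgramFiles*" -and $path -notlike "$env:SystemRoot*") {
            $flags += 'outside Program Files/Windows'
        }
        '{0,-7} {1,-36} {2}  {3}' -f $e.Enabled, $e.Name, $path, ($flags -join '; ')
    }
    'Globally open ports: ' + ($api.Ports -join '; ')
}

Get-ExceptionAudit
```

    Default XP SP2 entries show resource-string names such as `@xpsp2res.dll,-22019` rather than a readable name; that is normal. Anything flagged "unsigned" or "outside Program Files/Windows" that you do not recognise is the kind of entry CrazyM suggests removing, either from the Exceptions tab or by deleting the corresponding registry value.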


  5. kareldjag

    kareldjag Registered Member

    Nov 13, 2004

    The news was already given in this ill-frequented area (regarding the AV and firewall section):

    I'm still not totally convinced by this kind of proof of concept.
    But in any case, it's not serious to use the Windows firewall.
    And originally, all of Windows is backdoored.

  6. SvS

    SvS Security Expert

    Aug 28, 2004
    It's even easier than this. Microsoft provided a nice API to control every aspect of Windows Firewall; no application has to edit the registry to add itself as an exception to the Windows Firewall. This can be done by adding a few lines of code or just by using the sample code Microsoft provided.

    On the other hand, you'll have to run the code as Admin, which allows other great things to be done. You may programmatically start and stop services or uninstall every application you like, including AV, AT, firewalls or whatever other strange "protection" software one may run. If I would try to bypass the firewall I wouldn't even mess with the nasty COM stuff involved or dig deep into the Windows registry; I'd just stop the Security Center and firewall services to get things done and start them afterwards. (Stopping the Security Center service wouldn't really be necessary, I think, since most users disable it first to get rid of the "silly" notifications it displays, and if Symantec NIS or NAV were or are installed it's broken anyway.) This would have the advantage that even if the user manages to review the exception list there would be no traces left.

    A computer administrator always has full access to the entire system, including service control and full access to the system registry keys. The Windows Firewall is neither backdoored nor ineffective; it just allows administration (which may come in handy for enterprise usage). How to avoid this backdoor? Don't use the Administrator account for everyday use, or wait for your favorite "security" vendor to release a tool to protect from this "flaw".
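    A posture check for the points raised in the last reply and in no13's earlier one, as an added example that is not code from the thread: is the current account an administrator (the mitigation SvS recommends), are the firewall, Security Center and Remote Registry services in the state you expect, does the registry agree that the firewall is on, and what does the System event log say about recent firewall service stops and starts. It assumes Windows XP SP2 / Server 2003 with Windows PowerShell 2.0; the service names SharedAccess (Windows Firewall/ICS), wscsvc (Security Center) and RemoteRegistry are those of XP SP2. The script only reports; the remediation commands appear in its warnings for you to run deliberately.

```powershell
# Added example, not from the thread. Assumes XP SP2 / Server 2003 with
# Windows PowerShell 2.0. Read-only: it reports, it does not change anything.

function Test-IsAdministrator {
    # True when the current token holds the Administrators role, i.e. everything
    # you launch can rewrite the firewall policy, stop services or uninstall software.
    $id = [Security.Principal.WindowsIdentity]::GetCurrent()
    $p  = New-Object Security.Principal.WindowsPrincipal($id)
    $p.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-ServicePosture {
    param([string[]]$Names)
    # Win32_Service exposes StartMode, which Get-Service on this PowerShell version does not.
    foreach ($name in $Names) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc) {
            New-Object PSObject -Property @{ Name = $name; State = $svc.State; StartMode = $svc.StartMode; Account = $svc.StartName }
        } else {
            New-Object PSObject -Property @{ Name = $name; State = 'not installed'; StartMode = ''; Account = '' }
        }
    }
}

function Get-FirewallStateFromRegistry {
    # The values the firewall service actually consults, per profile.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'
    foreach ($profile in 'DomainProfile', 'StandardProfile') {
        $p = Get-ItemProperty -Path (Join-Path $base $profile) -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Profile = $profile; EnableFirewall = $p.EnableFirewall; DoNotAllowExceptions = $p.DoNotAllowExceptions
        }
    }
}

function Get-RecentFirewallServiceEvents {
    param([int]$Newest = 500)
    # The Service Control Manager writes event 7036 on every service state change,
    # so a stop/start of the firewall service does leave a record in the System log.
    Get-EventLog -LogName System -Newest $Newest |
        Where-Object { $_.Source -eq 'Service Control Manager' -and $_.EventID -eq 7036 -and $_.Message -like '*Firewall*' } |
        Select-Object TimeGenerated, Message
}

$warnings = @()
if (Test-IsAdministrator) {
    $warnings += 'Running as Administrator: any program you launch can edit the firewall policy, stop SharedAccess or uninstall security software. Use a Limited account for everyday work.'
}

$services = Get-ServicePosture 'SharedAccess', 'wscsvc', 'RemoteRegistry'
$services | Format-Table Name, State, StartMode, Account -AutoSize

$fw = $services | Where-Object { $_.Name -eq 'SharedAccess' }
if ($fw.State -ne 'Running' -or $fw.StartMode -ne 'Auto') {
    $warnings += 'Windows Firewall/ICS service is not running with Automatic start.'
}
$rr = $services | Where-Object { $_.Name -eq 'RemoteRegistry' }
if ($rr.State -eq 'Running') {
    $warnings += 'Remote Registry is running. Unless remote administration needs it: Set-Service RemoteRegistry -StartupType Disabled; Stop-Service RemoteRegistry'
}

Get-FirewallStateFromRegistry | Format-Table Profile, EnableFirewall, DoNotAllowExceptions -AutoSize
Get-RecentFirewallServiceEvents | Format-Table TimeGenerated, Message -AutoSize -Wrap
$warnings | ForEach-Object { Write-Warning $_ }
```

    EnableFirewall is 1 when the profile's firewall is on and DoNotAllowExceptions is 1 when the "Don't allow exceptions" box is ticked; a profile with no values present simply uses the defaults. The event-log check is only as good as the log's retention, so on a busy machine raise the `-Newest` count.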