Firewalls Bypassed

Discussion in 'other firewalls' started by snowy, Aug 11, 2002.

Thread Status:
Not open for further replies.
  1. snowy

    snowy Guest

    http://www.securiteam.com/securitynews/5HP0Y007PK.html


    ***The following exploit constitutes a security flaw in JavaScript's "Same Origin Policy" (SOP) [1]. Please note that this is *not* the IE-specific flaw reported in February [2].
    The exploit allows an attacker to use any JavaScript-enabled web browser behind a firewall to retrieve content from (HTTP GET) and interact with (HTTP <form/> POST) any HTTP server behind the firewall. If the client in use is Microsoft Internet Explorer 5.0+, Mozilla, or Netscape 6.2+, the attacker can also make calls to SOAP or XML-RPC web services deployed behind the firewall.
     
  2. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    I think I've seen some of these -- especially if those XML-RPC calls are outbound Port 135.

    Running NIS/NPF and ICS, I've got unsolicited inbound RPC (Port 135) blocked about half a dozen different ways from Sunday. However, I do use it within the LAN here.

    However, that leaves the little matter of outbound -- and that's where it occasionally gets a bit interesting.

    I have highly customized firewall rules in effect for MSIE -- very specific ports for very specific functionality. Immediately after those rules, I have a "Block everything else from MSIE" rule -- yes, an explicit rule. (And there's a reason for the explicit rule that I'll get to in a moment.)

    This rule looks like
    Code:
    Rule Name:           Block all other Internet Explorer
    Rule Creation:       Customized Internet access for this application
    Category:            General
    Status:              Enabled
    Logging:             Yes (Event Log) after 1 match(es)
    Protocol:            TCP or UDP
    Action:              Block
    Direction:           Either
    Application:         Internet Explorer
                    C:\...\IEXPLORE.EXE
    Local Service:       Any Service
    Local Address:       Any Address
    Remote Service:      Any Service
    Remote Address:      Any Address
    Rule Status:         Active (Application Executable has not changed since Rule creation)
    SHA1 Hash:           ***
    
    (Again, this rule follows all other rules for MSIE.)
    And, every now and then, this rule does catch something; for example:
    Code:
    Action:              Blocked Outbound TCP connection
    Local IP, Port:      127.0.0.1, 4776
    Remote IP, Port:   66.44.60.111 (66-44-60-111.s111.tnt4.lnhva.md.dialup.rcn.com), 135
    Process:             C:\...\IEXPLORE.EXE
    Well, there's our old buddy -- Port 135! The other interesting fact about this event is that it's directed to another dial-up subscriber on the ISP's subnet that I was using at the time.

    I had not created a similar "Block Everything Else" rule for MS Outlook; and, not surprisingly, less than two weeks later, I got the following event:
    Code:
    07/31/2002  12:34:40:774 - This one time the user has decided to Block communications.
    
    Action:              Blocked Outbound TCP connection
    Remote IP, Port:   66.44.60.198 (66-44-60-198.s198.tnt4.lnhva.md.dialup.rcn.com), 135
    Process:             C:\...\OUTLOOK.EXE
    
    Note that, once again, this outbound communication was directed to another dial-up user on the same ISP subnet. (I have no idea what precipitated this event because I hadn't opened any OL e-mails when it occurred, but OL was running at the time.)

    However, this is the important part: I got a pop-up alert from the firewall informing me that MS Outlook was attempting to access the Internet. Would I care to PERMIT, DENY, or CREATE a rule for this communication? Well, hold on, boys 'n girls! I've got rules for Outlook -- again, highly detailed rules. What was this all about? Now, typically, a message like this would indicate that the Outlook executable had been changed. Well, I hadn't changed or updated Outlook (indeed, it's a bit difficult to do these days with OL 98.) What the hell? Quick check, . . . nope, same executable. Look at details. What's this? OL 98 is trying to communicate outbound to remote Port 135. Well, that's interesting!

    So, yes, there does appear to be some sort of exploit out there relying on this vulnerability. I haven't seen it pop up in Outlook Express (which I frequently use as a NewsReader), but I'm fairly certain that OE would also be vulnerable.

    Watch for this -- and be verrry careful what you allow your firewall to PERMIT if you see a similar pop-up query.
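    As an added illustration (not code from the thread), the following script parses firewall events in the layout jvmorris quotes above and flags browser or mail clients that reach remote port 135, marking hits that land in the same ISP dial-up pool. The sample log, the TEST-NET addresses, the client list and the pool CIDR are constructed assumptions.

```python
import ipaddress
import re
# Constructed sample in the layout quoted in the thread; addresses are from
# the TEST-NET documentation ranges, not the thread's real dial-up hosts.
SAMPLE_LOG = """\
Action:              Blocked Outbound TCP connection
Remote IP, Port:   198.51.100.111 (host-111.dialup.example.net), 135
Process:             C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE

Action:              Blocked Outbound TCP connection
Remote IP, Port:   198.51.100.198 (host-198.dialup.example.net), 135
Process:             C:\\Program Files\\Microsoft Office\\OUTLOOK.EXE

Action:              Permitted Outbound TCP connection
Remote IP, Port:   203.0.113.10 (www.example.com), 80
Process:             C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE
"""
# Assumed client list; port 135 is the only port the thread reports.
CLIENT_APPS = {"IEXPLORE.EXE", "OUTLOOK.EXE", "MSIMN.EXE"}
RPC_PORTS = {135}
REMOTE_RE = re.compile(r"^([\d.]+)(?:\s+\(([^)]*)\))?,\s*(\d+)$")

def parse_events(text):
    """One dict per blank-line separated event, keyed by the log's own labels."""
    events = []
    for block in re.split(r"\n\s*\n", text.strip()):
        ev = {}
        for line in block.splitlines():
            key, _, value = line.partition(":")  # first colon ends the label
            ev[key.strip().lower()] = value.strip()
        m = REMOTE_RE.match(ev.get("remote ip, port", ""))
        if m:  # IP, optional reverse name in parentheses, then the port
            ev["remote_ip"], ev["remote_port"] = m.group(1), int(m.group(3))
        ev["process_name"] = ev.get("process", "").rsplit("\\", 1)[-1].upper()
        events.append(ev)
    return events

def flag_rpc_from_clients(events, dialup_pool=None):
    """(process, ip, port, note) for client apps on RPC ports; pool = ISP CIDR."""
    pool = ipaddress.ip_network(dialup_pool) if dialup_pool else None
    findings = []
    for ev in events:
        if ev["process_name"] not in CLIENT_APPS or ev.get("remote_port") not in RPC_PORTS:
            continue
        note = "blocked" if ev.get("action", "").startswith("Blocked") else "PERMITTED"
        if pool and ipaddress.ip_address(ev["remote_ip"]) in pool:
            note += ", same dial-up pool"
        findings.append((ev["process_name"], ev["remote_ip"], ev["remote_port"], note))
    return findings
```

    A PERMITTED finding is the case jvmorris warns about: an application-level allow rule let a mail or browser client reach port 135, so the event is worth a dedicated block rule rather than a one-time PERMIT.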
     
  3. jvmorris

    jvmorris Registered Member

    Joined:
    Feb 9, 2002
    Posts:
    618
    snowy,

    Oops, left out the important part. At least in my experience, this does not bypass my firewall . . . . but that's because I've got highly customized rules set up for my browsers, e-mail clients, and newsreaders.

    However, it might bypass something like ZA (free) which, if I understand correctly, simply permits or denies Internet access for a specific application without regard to the remote ports being called. And, again if I understand correctly, denying MSIE, OE, or OL server privileges is not involved in this instance, so that setting will have no impact, either.

    Addendum: In this instance, the exploit is not so much bypassing the firewall as simply using the inherent PERMIT privileges granted by the firewall.
     
  4. snowy

    snowy Guest

    Joe

    greetings my friend.......a rather interesting exploit we have here..........you would seem correct in saying that zone alarm free would not withstand this exploit......which may well be cause for some rather interesting activity in the future............
    we do seem to have a commonality......most my hits are coming from my own ip customers..or china.......china is hitting on udp port 4001......a rather odd choice imo....unless they are searching for Jap users...which is tcp 4001.........maybe trying to "mask" an hoping no one will notice that its udp ?
    well for sure.....by whatever it was...my computer is acting like an intoxicated silly willy......was really banged yesterday....my firewall icon actually began blinking......then poof...gone! my finger was already pressing the disconnect.
    I was postponing installing another firewall but guess I best get on the job an just do it.........right now there are several exploits floating around.....plus a couple of new release "tools" for Linux that could wash windows..
    will keep in touch with you on this one......an keep an eye on port 135..........only oddities I noticed is tcp 243 .....an high scanning on the 20,000 range....

    snowman
     
  5. snowy

    snowy Guest

    Joe

    well my instinct was right........just finished renewing the registry after being alerted that my firewall files were not the same..........computer screen was flickering as if a program was running in the background.....thought my monitor was ready to go......but no problem since cleaning and renewing.......I don't believe that whatever hit me was able to complete its job........
    as for what it was....I've no idea.....my set-up is rather unusual.........never had anything like this happen before an I've been hard hit in the past......eventually I will get to the root of it........no I wasn't hacked..partially perhaps....this was more like a massive flood......I forgot to enable one of my firewall protection programs....so have to blame myself for not letting it run at start-up....impatient

    snowman
     
  6. snowy

    snowy Guest

    Well the flickering screen has returned (on and off thing)
    I am positive that it's not a "hook" exploit.. nor a change in the registry.......no scanning being done unless it's the most unknown stealth ever made...........in a few moments I'll do a restore back a day before this began......

    sure would be nice to know what hammered me so hard.......this is no trojan or virus.....more like something trying to get in .....

    snowman
     
  7. snowy

    snowy Guest

    Joe

    can't offer an explanation.....however..my problem appears to be resolved......found this tucked away an removed it: >http://~i< without the <>.....the scanner was moving fast so it's possible that it was ~f but cannot confirm.........any idea how this could affect a computer in the manner mine was ?

    a search revealed also this >http://~i./< an the search engine was blocked by something I already have listed as a block....no idea what......
    right now it's just guessing on my part..yet that massive flood I mentioned earlier could it have been outbound.....but being prevented?? my registry shows no changes....no trojans either.....
    I was able to see in search that there is an <~i-advertising.com> the thing is these sort of things just never make into my os......
    well......that's all I have to offer..............

    snowman
     
  8. snowy

    snowy Guest

    can anyone tell me if ~i equals "!" ? as in <yahoo!) an a zillion other uses

    snowman
     
  9. spy1

    spy1 Registered Member

    Joined:
    Dec 29, 2002
    Posts:
    3,139
    Location:
    Clover, SC
  10. snowy

    snowy Guest

    Pete

    thanks for the reminder......I had completely forgotten about bots........going to check right now.
    yes this is most curious......at 3:58 a.m. hundreds of ico.temp files were created in my temporary folder.....all had zero bytes
    my screen is stable once again.......but having trouble with mouse control...just barely able to use mouse......

    snowman
     
  11. Mr.Blaze

    Mr.Blaze The Newbie Welcome Wagon

    Joined:
    Feb 3, 2003
    Posts:
    2,842
    Location:
    on the sofa
    lol im here representing the newby asochiation in newby enghlish pleas lol.

    im not only a newby but the newby presdent lol
     
  12. controler

    controler Guest

    This is the simple explanation of what Jason's Tool does.
    Code:
    @echo off
    rem Three quick checks for a resident IRC bot: an open connection on the
    rem IRC port, an ident listener, and a bot binary named to look like rundll.
    @echo The commands this batch file executes will check for the
    @echo presence of IRC Bots. Each test will let you know
    @echo whether or not your system passed the test.

    @echo Make sure any valid IRC program is closed down before
    @echo you run this or you might get a false positive. (If you
    @echo don't know what IRC is, chances are you don't have to
    @echo worry about closing down any programs.)
    pause

    @echo Test #1:
    rem 6667 is the usual IRC server port a bot connects out to.
    @echo on
    netstat -an | find ":6667"
    @echo off
    @echo Test #1 complete. If there is no line between this and the
    @echo command above, your system passed the test.
    pause

    @echo Test #2:
    rem A listener on 113 (ident) is what an IRC server asks the bot for.
    rem The trailing space keeps ":1130" and similar from matching.
    @echo on
    netstat -an | find ":113 "
    @echo off
    @echo Test #2 complete. If there is no line between this and the
    @echo command above, your system passed the test.
    pause

    @echo Test #3:
    rem Switch to drive C and its root, then search the whole drive
    rem for the look-alike file name (lowercase L where rundll has an L).
    c:
    cd \
    @echo on
    dir rundil.exe /s
    @echo off
    @echo Test #3 complete. If "File Not Found" is displayed your
    @echo system passed the test.

    @echo Tests Completed.
    pause
     
  13. snowy

    snowy Guest

    Sir Blaser

    at your request Sir....in newbes talk:

    "I don't like Spiders and Snakes an that aint what it takes to surf.........stomp..stomp....squash...squash....no I don't like Spiders and Snakes an none am I going to tolerate..."



    Spy 1

    Checked for "bot" all clean.......made a few adjustments here and there an reached the conclusion that the biggest "bot" is "Windows" LOL



    Sir Blaser....in newbes talk: "no I don't like Spiders and Snakes an "Windows" aint what it takes to surf......no I don't like Spiders and Snakes an that's why I will install Mandrake......cause Windows aint what it takes...stomp..stomp...squash..squash....
     