FireHole Leak Test passed my fw

Discussion in 'other firewalls' started by blacknight, May 18, 2010.

Thread Status:
Not open for further replies.
  1. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I tried it (via: http://www.testmypcsecurity.com/securitytests/all_tests.html#AllTests ) with CIS. Defense+ detects it and alerts, but if I allow it and then run it, FireHole succeeds in launching my browser and "sending" its message. My fw policy is "custom policy mode", highly restricted, but FireHole uses port 80.

    Would someone try the test on their fw and then post the result?


     
  2. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,726
    Location:
    localhost
    Firehole is a rather old leakdemo. Anyway, FireHole fails to connect out with ZA Extreme 9.1.507.000 (had to turn off the ZA cloud database of whitelisted/blacklisted applications before testing it).
     
  3. Brummelchen

    Brummelchen Registered Member

    Joined:
    Jan 3, 2009
    Posts:
    1,732
    I don't really mind those tests - I don't serve any confidential data on a server,
    nor do I use insecure software on my host system.
    Port 80 is used - so what?

    >> FireHole success to launch my browser and " to send " his message.
    This is the really important part. So my default browser is blocked completely,
    and my trusted software can launch my favorite browser.
    But clever malware can determine which browser is running (the mainstream
    browsers are not many) and inject any crap. So you need to observe
    the com-API and allow/deny rules - is D+ capable of that?
    (Malware Defender can do it)
     
  4. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    First of all PEG blocks it

    peg.gif

    Allow and then ProcessGuard blocks it

    pgfh.gif

    If I don't allow, it doesn't launch, so I do. Then Zemana blocks it, same again. And also ZA alerts me to allow/deny. Deny, and even though IE6 is launched, it doesn't get out.

    fh.gif

    If I allow, ProcessGuard blocks it another way

    pgbl.gif

    Even after putting ProcessGuard in learning mode and allowing Hooks etc, it still fails

    fail.gif

    This time by Prevx

    View attachment 218063

    If I exclude the test from Prevx and allow it through ZA it still fails with the same FAILED message. Actually I'm not sure what finally blocks it, but it has to get through a lot of hoops on my comp :D

    Try setting your FW to Always PROMPT as i do :thumb:

    -

    Edit - Don't know why my 218063 attachment hasn't shown? From here https://www.wilderssecurity.com/attachment.php?attachmentid=218063&d=1274210174
     
    Last edited by a moderator: May 18, 2010
  5. CloneRanger

    CloneRanger Registered Member

    Joined:
    Jan 4, 2006
    Posts:
    4,833
    @LowWaterMark

    Ok thanks :) It's auto showing now, well logged in that is. Maybe you fixed this one ? If so :thumb:

    Please see here though https://www.wilderssecurity.com/showthread.php?t=272920

    -

    Return to topic ;)

    What news blacknight ?
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    To run Firehole (a.k.a "Hemorrhoids") I shut down all my security apps except OnlineArmor.

    OA alerted when FH installed & again when it executed & again when it started Firefox. OA further alerted me when FH set global hooks & again when it added itself to start & again when FH did other nefarious things. I allowed ALL of those actions, even though OA's alerts made it abundantly clear that FH was doing some really nasty things.

    In other words, I failed the test (on purpose) but OA fully accomplished its protective job & then some.
     
  7. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    For those who were not computer users back when a firewall was just a firewall, this article by the author of FireHole will be of interest:

    FireHole
    http://keir.net/firehole.html

    Of special note is this comment,

    Assuming the code can execute, in order to stop it from doing anything, a firewall had to encompass other security measures, culminating in the "firewalls" and their suites that we have today, which easily catch these old exploits.

    But in an interview, Keir noted the "race" condition always present:

    Again, firewalls had to morph into something more than just a firewall, in order to stay in the "race."

    (I notice that "race conditions" have returned in the latest Matoussec revelation. And so it goes...)

    However, for those of us who learned early on the importance of Default-Deny as a layer in one's security strategy, leaktests were given no thought, and many continued using simple firewall packet filters, knowing that the malicious program referred to above could not find its way onto the computer.

    So, rather than download/run the LeakTests, several of us took all of the leaktest executables and put them into various web-based exploits to demonstrate a real-world situation. Here is the Firehole executable in an old IE exploit:

    firehole.gif

    Keir mentions Steve Gibson's Leak Test as the groundbreaking event that started all of this stuff. From this point forward, users fell into two broad camps:

    1) Those who worked from the premise that all malicious code had the potential to execute on the system and bypass the firewall. This resulted in the never-ending cat and mouse game to "keep up with the latest leak test" and continues today.

    2) Those who worked from the premise that malicious code could not install unawares, thereby negating playing the cat and mouse game.

    Vendors, of course, have to play the game; otherwise, their product will fall into oblivion. They've become captives to the Leak Testers. Some Firewall "suites" have incorporated some type of execution protection.

    There is nothing inherently good or bad in either of the above -- it's just the way things are.

    Sadly, for those in the second group above, the result is that today, there are few (if any) choices for a simple, packet filter firewall in the old mode that will run on the newer Operating Systems.

    Too bad.

    ----
    rich
     
  8. wat0114

    wat0114 Guest

    Sure there is. Right under your nose, already built into the O/S :D
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    In one sense you are correct. However, by "simple" I should elaborate, in that several who have compared configuring rules in Vista to the old Kerio, find Kerio simpler. See Stem's Vista Firewall tutorial:

    https://www.wilderssecurity.com/showthread.php?t=239750

    I haven't heard about Win 7.

    But it's true that even if a bit more complicated than the simpler older firewalls, the OS firewall is a great alternative to the larger suites. Thanks for pointing that out.

    ----
    rich
     
  10. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    I was not worried; the HIPS (Defense+) blocked the test immediately anyway, as I wrote. I only wanted to know how other firewalls behave with this test on their own, without a HIPS or with the HIPS not in use, as I tried.
     
  11. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The behavior without HIPS or the like, is as follows:

    Allowing the executable to run, extracts the DLL as Keir describes in his article:

    firehole_1.gif

    Permitting the test to continue shows my firewall bypassed successfully, since my Browser firewall rule grants the Browser unrestricted access to the internet via Port 80:

    firehole_2.gif

    The only solution for a basic firewall is to set a rule for the browser to always prompt, again as Keir describes:

    firehole_3.gif

    This is not very practical, as the user would have to make a judgment in every case of connecting to a web site!

    The only practical solutions, then, are:

    1) to block the executable from running in the first place (simulating a malware exploit as I show in my post above)

    2) to have a HIPS-type program that prompts, as Cloneranger shows in his post.

    The problem with HIPS is that the user has to make a decision (ALLOW - DENY). For experienced users, OK. But I would never be comfortable putting that setup in the average home system. How would Mr. and Mrs. Smith deal with those types of prompts?

    Bellgamin writes,

    but doesn't show a screenshot of whether or not there is an ALLOW-DENY prompt.

    The most secure way, IMO, is Default-Deny: that executable (Firehole.exe) is not already installed (White Listed) therefore it has no permission to run. Period.

    ----
    rich
     
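Rmus's two scenarios above, as an added example that is not part of the thread or of any product mentioned in it: a toy model in which a per-application packet filter decides only from the owning process image and destination port (so a DLL mapped into the trusted browser inherits the browser's port-80 rule), a HIPS-style check that flags modules loaded from outside trusted directories, and a default-deny execution allowlist that never lets the unknown executable start. All paths, rules, module names and image bytes are constructed for the example.

```python
"""Added example (not from the thread): a toy model of the defences Rmus
contrasts. A per-application packet filter only sees which process owns a
socket, so code injected into the trusted browser inherits the browser's
port-80 rule; a module-origin check exposes the injected DLL; a default-deny
execution allowlist never lets the unknown executable start.
Every path, rule, module name and image byte string here is constructed."""
import hashlib
from dataclasses import dataclass, field
from pathlib import PureWindowsPath

# Constructed application-firewall policy: the browser may talk out on
# TCP/80 and TCP/443; any other image is denied outbound (default deny).
FIREWALL_RULES = {
    PureWindowsPath(r"C:\Program Files\Browser\browser.exe"): {80, 443},
}


def firewall_decision(process_image: str, remote_port: int) -> str:
    """Classic application firewall: decide from the owning process image
    and the destination port, nothing else."""
    allowed = FIREWALL_RULES.get(PureWindowsPath(process_image), set())
    return "allow" if remote_port in allowed else "deny"


@dataclass
class Process:
    image: str
    modules: list = field(default_factory=list)  # DLLs mapped into the process


def inject_and_connect(victim: Process, dll: str, port: int) -> str:
    """Model of the leaktest: a DLL mapped into the browser opens the socket,
    so the firewall attributes the connection to the browser image."""
    victim.modules.append(dll)
    return firewall_decision(victim.image, port)


# Directories the browser is expected to load code from (constructed).
TRUSTED_MODULE_DIRS = (
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Program Files\Browser"),
)


def foreign_modules(proc: Process) -> list:
    """HIPS-style check: modules mapped from outside the trusted directories.
    This is the event a Defense+/OA-type product would prompt on."""
    return [m for m in proc.modules
            if PureWindowsPath(m).parent not in TRUSTED_MODULE_DIRS]


# Default-deny execution: only images whose SHA-256 is on the allowlist run.
BROWSER_IMAGE = b"MZ constructed browser image"     # constructed bytes
LEAKTEST_IMAGE = b"MZ constructed leaktest image"   # constructed bytes
EXEC_ALLOWLIST = {hashlib.sha256(BROWSER_IMAGE).hexdigest()}


def may_execute(image_bytes: bytes) -> bool:
    """Whitelist check performed before anything else gets to run."""
    return hashlib.sha256(image_bytes).hexdigest() in EXEC_ALLOWLIST


def packet_filter_only() -> dict:
    """Scenario 1: a plain per-application firewall and nothing else.
    The injected connection is allowed; only the module audit notices."""
    browser = Process(r"C:\Program Files\Browser\browser.exe",
                      [r"C:\Windows\System32\ws2_32.dll"])
    decision = inject_and_connect(
        browser, r"C:\Users\Public\firehole_hook.dll", 80)
    return {"firewall": decision, "foreign_modules": foreign_modules(browser)}


def default_deny() -> dict:
    """Scenario 2: execution allowlist evaluated first. The leaktest image
    is not whitelisted, so there is no connection to judge at all."""
    if not may_execute(LEAKTEST_IMAGE):
        return {"executed": False, "firewall": None}
    return {"executed": True, "firewall": packet_filter_only()["firewall"]}


if __name__ == "__main__":
    print("packet filter only:", packet_filter_only())
    print("default deny:", default_deny())
```

The point of the model is the first scenario's result: the filter returns "allow" because the socket belongs to the browser, and the only signal that anything is wrong is a module mapped from a directory the browser never loads code from. The second scenario shows why the execution allowlist removes the decision entirely; no prompt is needed because the image never runs.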
  12. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Thanks for the complete answer Rmus. ;) You confirm what I thought.

    I add: using a program like GesWall or Sandboxie, the malicious action of the "malware" remains isolated from the system. GesWall, for example, would alert me if the result of FireHole's action was a different action from using my - isolated - browser.


     
  13. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    With the GUI of OA closed via the taskbar icon, OA becomes a default-deny AE. When you open the GUI up again OA will show a pop-up with any actions that were denied.
    I first ran Firehole with OA in this configuration.
    First was the pop-up in the first screenshot. I then opened the GUI for the second screenshot; Firehole had been blocked from running.

    I then ran Firehole with the GUI open as Bellgamin did (next post)
     

  14. wat0114

    wat0114 Guest

    Although it took me years to figure this out, I agree 100% with this statement :thumb: The whitelist (Default Deny) approach is unbeatable imo.
     
  15. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    Running Firehole with the Gui open so that I got all the pop-ups.

    I started Firehole and answered 'Allow' to all the OA pop-ups until I got to the actual Firehole 'Start' pop-up which I started and allowed the subsequent OA pop-up. Eventually stopped when it could not connect out due to Sandboxie restrictions. Four screenshots in this post, the last two in the next post.
     

  16. Dark Star 72

    Dark Star 72 Registered Member

    Joined:
    May 27, 2007
    Posts:
    703
    The last two screenshots.
    Although you would have to be pretty dumb to allow all those red pop-ups in a real-life scenario, I also prefer the default-deny approach, which is why I usually run with the OA GUI closed.
     

  17. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks, Dark Star 72, for the screenshots. They always make explanations much clearer!

    ----
    rich
     
  18. kmr1685

    kmr1685 Registered Member

    Joined:
    Aug 22, 2009
    Posts:
    62
    Nothing is running in my PC after executing the exe file. It just shows the command prompt and terminates itself; I do not know what is wrong in my PC. Firewall is Outpost Firewall Pro v7 RC and Emsisoft Anti-Malware realtime enabled. :p
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    You are welcome. You have good solutions in place!

    ----
    rich
     
  20. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe

    Defense+ in Paranoid Mode and set to alert for every .exe file gives me one alert only for FireHole. If I allow FH as an executable, as I said previously, no more alerts from Defense+.
     
  21. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    See my previous post. Now I'm asking if OA has better (more complete) detection than Defense+ and if that happens only for FH or always.
     
  22. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857

    Rich,


    I like the simplicity of your explanation.

    A firewall's primary function is to filter out unwanted (packets of) data traffic. When you do not want something to potentially execute, deny (the right) to run it.

    The above is not the lonely preference of a Wilders Veteran like Rich; these ideas are the backbone of our ICT architecture (e.g. OSI model), communication infrastructure (e.g. TCP layers) and even how Operating Systems work (hardware -> kernel -> applications).

    So option 2 really makes things easier because it matches the basic idea/architecture of all IT related stuff surrounding us.

    Regards Kees
     
    Last edited: May 20, 2010
  23. timestand

    timestand Former Poster

    Joined:
    May 7, 2010
    Posts:
    172
    Yes, if all of Wilders used this, maybe there would be no more need to post! Took me about 2 years to figure it out since looking on Wilders. Pity no one listens.
     
  24. Kees1958

    Kees1958 Registered Member

    Joined:
    Jul 8, 2006
    Posts:
    5,857
    Answer to your questions

    1. Yes OA has

    2. No, for more see Comodo part in https://www.wilderssecurity.com/showpost.php?p=1639116&postcount=20


    Regards
     
  25. blacknight

    blacknight Registered Member

    Joined:
    Sep 25, 2007
    Posts:
    2,433
    Location:
    Europe
    Thanks for the linked post Kees. I read it in the past, but I use CIS 4 only as fw/HIPS: I disable the sandbox immediately after the installation reboot and I set Defense+ to a custom and highest level. The only thing that makes me regret it is to see that its alerts are less complete than OA's; but, until now, I've had no security problems.
     