Gibson Leaktest can bypass Online Armor?

Discussion in 'other firewalls' started by Necropsie, May 30, 2009.

Thread Status:
Not open for further replies.
  1. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    There is actually a thread about this, but when I wanted to post there it said "thread is too old, please start a new one", so... here you go.

    It is a fresh Windows Vista SP2 install, using Avira Anti-Virus Premium and Online Armor 3.5.0.14 (paid version). It is an "out of the box" install; I changed nothing except for the "firewall log" entry and unchecked "mail shield", which I don't need. I downloaded leaktest.exe (v1.2) from the GRC site.

    When I tried to open leaktest.exe, OA gave me the warning asking whether I allow the program to start or not. I clicked allow. (That is because it is a warning about program start, not about creating an outbound connection. I expected that I must get another warning about leaktest when it tries to connect to the internet. This is why OA has "program shield" and "firewall" options. In other words, if I uncheck "program shield" and leave only "firewall" checked, I still must get a warning about programs trying to connect somewhere. At least I think this is what a firewall must do.) Anyway, the program started. Voila! Some info about updating the OASIS database, and OA asked me whether I allow it to connect to the internet or not. I clicked "block". And leaktest.exe told me it successfully connected to GRC..

    Interesting. I repeated the test again. (The first time, I didn't check any of the "remember my decision" boxes.) OA asked again whether I allow it or not. I clicked yes. Leaktest.exe started. And connected to GRC once again, and this time OA didn't warn me.

    For the next step, I unchecked "program shield" to see whether it would make any difference or not and tried the test. As I mentioned, even if the program shield isn't active, I still expect a warning about outbound connections. Leaktest.exe started, connected to GRC, and OA didn't report anything..

    Interesting? I thought there must be something wrong with my installation of OA or Windows. Tried to check carefully. Re-formatted Windows one week ago, so no bloated Windows. Check. Using only Avira Antivirus, no conflicts. Check. Didn't change anything in the OA install (except for the two things I mentioned above). Check. So? Something with the OASIS database maybe? I am really confused.

    Here is my firewall log, if anyone wants to take a look. (I changed only my user name.)

    Type,Date/Time,Action,Description
    Program Guard,30.05.2009 13:08:12,Blocked,C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe(4048) wants to use C:\Windows\system32\svchost.exe(1540)
    Program Guard,30.05.2009 13:08:06,Allowed,C:\Users\......\Documents\Downloads\Programs\LeakTest.exe
    Program Guard,30.05.2009 13:06:41,Blocked,C:\Users\......\Documents\Downloads\Programs\LeakTest.exe(5188) wants to use C:\Windows\system32\svchost.exe(1540)
    Program Guard,30.05.2009 13:06:39,Allowed,C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe
    Program Guard,30.05.2009 13:05:58,Blocked,C:\Users\......\Documents\Downloads\Programs\LeakTest.exe(4116) wants to use C:\Windows\system32\svchost.exe(1540)
    Firewall: User decision,30.05.2009 13:05:55,Blocked,"C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe, Outgoing ICMP access blocked"
    Program Guard,30.05.2009 13:05:43,Allowed,C:\Users\.....\Documents\Downloads\Programs\LeakTest.exe

    And this is the screenshot; you can also see that the firewall automatically allowed leaktest.exe in the log view. (This cannot be seen in the log above; I wanted to take a screenshot, started leaktest.exe again, and saw that it had also been granted access.)

    http://img9.imageshack.us/img9/2269/grc1p.jpg

    So;

    1) Is this a bug?
    2) Something wrong with my installation?
    3) Or, when you allow a program to run in OA, does it automatically grant internet access too? If this is the case, I think it is a really bad thing.
     
  2. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    I don't think it is a bug, nor is OA bypassed. The app was allowed to execute.
     
  3. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    Yes. That is the point. I wrote that very clearly. The app was allowed to execute. This is the "HIPS" part. But the app was not allowed to create a connection. You can see this in the log too. In the end, OA gave automatic internet rights to leaktest.exe, as you can see in the screenshot. When I allow an application to run, does it automatically gain rights to internet access too? If so, what is the meaning of "firewall"?
     
  4. arran

    arran Registered Member

    Joined:
    Feb 5, 2008
    Posts:
    1,139
    The test is about controlling the app's behavior and preventing it from making outgoing connections, not about whether OA can prevent it from executing in the first place.

    And Necropsie, it looks like OA hasn't been configured properly. You have blocked it from using svchost, but the app itself hasn't been blocked.
     
  5. subset

    subset Registered Member

    Joined:
    Nov 17, 2007
    Posts:
    825
    Location:
    Austria
    The pic shows svchost accessing IP 192.168.1.1 at port 53...

    However, with XP SP3 and default settings I get this prompt.

    OAleaktest.png

    And if I block, I get this one.

    Leaktest.png

    Leaktest.exe is also Unknown at OASIS.
    http://www.tallemu.com/oasis2/search/file_hash/206C0533CE9BF83ECDF904BEC2F3532D

    Something went wrong, maybe with your tests, maybe it's because of Vista SP2, I'm not quite sure.

    Cheers
     
  6. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
    Hi,

    Leaktest seems to be proxied by Antivir's Webshield. To intercept this connection you need to intercept the loopback interface in OA (options / firewall).

    Regards,

    MaB
     
  7. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    I got the same screen on my first try too. But as I said, I chose block and the log shows it is blocked, but unfortunately leaktest.exe itself reported it was successful. When I tried the test again, I never got the same OA screen again.

    Yes, that is because (I think) I chose "block" the first time. But again, leaktest was successful in creating a connection. Other than that, I am not sure how to configure OA. It was an out of the box install. I can send my configuration screens too if needed.

    I searched the Tall Emu forums and found three threads about this. Exactly the same thing happened to some of the users. Allow the program to run, block when prompted, the log shows blocked but the program shows it penetrated.. An OA beta user said this may be caused if you use a proxy. I don't. Another one said this is how OA works: if you allow any program in HIPS, it grants access to the internet too.

    Still, I am confused why OA made an automated decision to allow access for leaktest.exe.
     
  8. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    That did the trick! I was about to get worried :) Thank you! Seems like I am using a proxy after all, hehe.

    http://img20.imageshack.us/img20/629/grc2.jpg
     
    Last edited: May 30, 2009
  9. MaB69

    MaB69 Registered Member

    Joined:
    Dec 9, 2005
    Posts:
    540
    Location:
    Paris
  10. Cudni

    Cudni Global Moderator

    Joined:
    May 24, 2009
    Posts:
    6,956
    Location:
    Somethingshire
    So not a bug, and OA was not bypassed, unless you class misconfiguration as a bypass ;)
    As for the app being allowed to execute: then you need to be prepared to have your defences tested (but hopefully not broken), was my point :)
     
  11. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    On second thought, can this be identified as a security hole? I mean, does using Avira and not checking the necessary item in OA make you vulnerable? Or are you still protected?
     
  12. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,047
    I wouldn't consider this a security hole. Just like other aspects of life, you have to make a bit of effort to learn how to properly use tools. In the end the user has to take that responsibility.

    Pete
     
  13. MikeNash

    MikeNash Security Expert

    Joined:
    Jun 9, 2005
    Posts:
    1,654
    Location:
    Sydney, Australia

    If you install a proxy server on your computer, and then grant it access to the internet, you have implicitly granted everything that is allowed to use that proxy internet access.

    In OA we do not monitor the loopback interface by default. We should do some testing to see whether the default option should be changed, on the basis that more and more AV/AS programs are now acting as proxies.
     
  14. Xitrum

    Xitrum Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    56
    This time, the log showed grc leaktest.exe was blocked from TCP access out to the localhost loopback interface 127.0.0.1. How did you get it to do this? You did not get it before, when leaktest.exe went through to the internet even though you had OA block it from going out to the internet. On my box, leaktest.exe asked to have tcp:80 out to the grc site; it failed when I let OA block it.
    My box has vmware-authd.exe listening on local port 912:tcp, lsass.exe listening on 1025:tcp and svchost.exe listening on 135:tcp - all are trusted in OA, whether the loopback interface is checked in protection in OA or not.

    Mike's response corresponds to your OA default configuration of not enabling loopback interface protection.

    Let's see how OA logged leaktest.exe on my box:

    31/05/09 03:46:33 [TDI] TCP, Connect, 0.0.0.0:1597 -> 4.79.142.200:80, F:\leaktest.exe(1644/1796)
    [TDI] Blocked by rule: TCP, --> leaktest.exe, [80], -(*)
    31/05/09 03:46:33 [TDI] TCP, Connect, 0.0.0.0:1597 -> 4.79.142.200:80, F:\leaktest.exe(1644/1796)
    [TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"

    31/05/09 03:46:37 [TDI] TCP, Connect, 0.0.0.0:1598 -> 4.79.142.200:80, F:\leaktest.exe(1644/1992)
    [TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"
    31/05/09 03:47:06 [TDI] TCP, Connect, 0.0.0.0:1599 -> 4.79.142.200:80, F:\leaktest.exe(2120/1256)
    [TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"

    31/05/09 03:47:26 [TDI] TCP, Connect, 0.0.0.0:1600 -> 4.79.142.200:80, F:\leaktest.exe(2120/1592)
    [TDI] Blocked by user.
    31/05/09 03:47:31 [TDI] TCP, Connect, 0.0.0.0:1600 -> 4.79.142.200:80, F:\leaktest.exe(2120/1592)
    [TDI] Blocked by user.
    31/05/09 04:04:03 [TDI] TCP, Connect, 0.0.0.0:1604 -> 4.79.142.200:80, F:\leaktest.exe(2984/1412)
    [TDI] Blocked by rule: TCP, --> leaktest.exe, [80], -(*)
    31/05/09 04:04:03 [TDI] TCP, Connect, 0.0.0.0:1604 -> 4.79.142.200:80, F:\leaktest.exe(2984/1412)
    [TDI] Blocked by rule: "TCP, --> leaktest.exe, [80], -(*)"

    As seen, no localhost access was done by leaktest.exe anyway with loopback interface protection not enabled in OA.
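    As an added example (not code from this thread, from Online Armor or from Tall Emu): a small Python parser for the [TDI] log format posted above, together with a check for the point MaB69 and MikeNash raise earlier in the thread, namely that an app handing its traffic to a local web-shield proxy shows up as a connection to a loopback address, which OA does not put through its firewall rules unless loopback monitoring is switched on. The regexes follow the format of the lines posted; the 127.0.0.1:8080 flow, the example path and the would_be_inspected model are constructed assumptions, not OA's implementation.

```python
import ipaddress
import re
from dataclasses import dataclass

# One "event" line of Online Armor's TDI log, in the format of the lines posted
# above, e.g.
#   31/05/09 03:46:33 [TDI] TCP, Connect, 0.0.0.0:1597 -> 4.79.142.200:80, F:\leaktest.exe(1644/1796)
EVENT_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) \[TDI\] "
    r"(?P<proto>\w+), (?P<op>\w+), "
    r"(?P<src_ip>[\d.]+):(?P<src_port>\d+) -> (?P<dst_ip>[\d.]+):(?P<dst_port>\d+), "
    r"(?P<exe>.+?)\((?P<pid>\d+)/(?P<tid>\d+)\)$"
)
# The verdict line that follows an event, e.g. "[TDI] Blocked by user."
VERDICT_RE = re.compile(r"^\[TDI\] (?P<verdict>Blocked by rule|Blocked by user)")


@dataclass
class Flow:
    ts: str
    proto: str
    op: str
    src: str
    dst_ip: str
    dst_port: int
    exe: str
    pid: int
    verdict: str = "no verdict logged"


def parse_tdi_log(text):
    """Pair each event line with the verdict line that follows it."""
    flows = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = EVENT_RE.match(line)
        if m:
            flows.append(Flow(
                ts=m["ts"], proto=m["proto"], op=m["op"],
                src=f"{m['src_ip']}:{m['src_port']}",
                dst_ip=m["dst_ip"], dst_port=int(m["dst_port"]),
                exe=m["exe"], pid=int(m["pid"]),
            ))
            continue
        v = VERDICT_RE.match(line)
        if v and flows:
            flows[-1].verdict = v["verdict"]
    return flows


def is_loopback(ip):
    return ipaddress.ip_address(ip).is_loopback


def would_be_inspected(flow, monitor_loopback):
    """Simplified model (an assumption, not OA's code) of the behaviour the
    thread describes: with loopback monitoring off, a connection to 127.0.0.0/8
    is never put through the per-program firewall rules, so an app talking to a
    local proxy is neither prompted for nor blocked."""
    return monitor_loopback or not is_loopback(flow.dst_ip)


def loopback_report(flows):
    """Per executable: where it connected, whether any destination was loopback
    (a sign that a local proxy, not the app itself, carries the traffic) and
    how many of its flows the firewall blocked."""
    report = {}
    for f in flows:
        entry = report.setdefault(
            f.exe, {"destinations": set(), "loopback": False, "blocked": 0})
        entry["destinations"].add(f"{f.dst_ip}:{f.dst_port}")
        entry["loopback"] |= is_loopback(f.dst_ip)
        entry["blocked"] += f.verdict.startswith("Blocked")
    return report


# Three event/verdict pairs copied from the log posted above, plus one
# constructed flow to 127.0.0.1:8080 (hypothetical proxy port and path, not from
# the thread) standing in for an app handing its traffic to a local web-shield
# proxy; it carries no verdict line because, with loopback monitoring off, the
# firewall never evaluates it.
SAMPLE_LOG = r"""
31/05/09 03:46:33 [TDI] TCP, Connect, 0.0.0.0:1597 -> 4.79.142.200:80, F:\leaktest.exe(1644/1796)
[TDI] Blocked by rule: TCP, --> leaktest.exe, [80], -(*)
31/05/09 03:47:26 [TDI] TCP, Connect, 0.0.0.0:1600 -> 4.79.142.200:80, F:\leaktest.exe(2120/1592)
[TDI] Blocked by user.
31/05/09 04:04:03 [TDI] TCP, Connect, 0.0.0.0:1604 -> 4.79.142.200:80, F:\leaktest.exe(2984/1412)
[TDI] Blocked by rule: TCP, --> leaktest.exe, [80], -(*)
30/05/09 13:08:12 [TDI] TCP, Connect, 0.0.0.0:1601 -> 127.0.0.1:8080, C:\Users\example\LeakTest.exe(4048/1)
"""

if __name__ == "__main__":
    flows = parse_tdi_log(SAMPLE_LOG)
    for exe, info in loopback_report(flows).items():
        print(exe, sorted(info["destinations"]),
              "via loopback" if info["loopback"] else "direct",
              f"blocked={info['blocked']}")
    for f in flows:
        state = "inspected" if would_be_inspected(f, False) else "skipped (loopback unmonitored)"
        print(f.exe, f"{f.dst_ip}:{f.dst_port}", state)
```

    Run on the posted lines, every leaktest flow goes straight to 4.79.142.200:80 and is blocked, which matches what Xitrum sees; only the constructed 127.0.0.1 flow is reported as loopback, and would_be_inspected returns False for it until monitor_loopback is True, which is the configuration change that made Necropsie's test pass.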
     
  15. Necropsie

    Necropsie Registered Member

    Joined:
    May 6, 2009
    Posts:
    31
    I agree. The thing is, I am not aware that I installed a proxy server on my PC. Or, I am not aware that Avira can act like a proxy. I choose my security software from trusted sources, like this forum. Avira and OA were recommended here and in lots of other resources. But I didn't know that when installed together, Avira can bypass OA (or any other firewall) protection. That is why I said "security hole". Maybe it was the wrong term. What I really meant was, "can this be identified as a security risk?" (As you can see, English isn't my native language.) I am not a professional on security software, but not an amateur either. If I hadn't posted this on this forum, I would have lived my internet life happy, thinking I am protected. So.. I am happy :)

    I don't know what to say. All I can say is, before checking the loopback interface thingy, leaktest was successful (as you can see in the screenshot, even though it was shown as blocked in the log); after I checked the loopback option, it worked like a charm. If it is going to help anything, I can send more information. Just tell me what is needed.
     
  16. WigglyTheGreat

    WigglyTheGreat Registered Member

    Joined:
    Jul 10, 2006
    Posts:
    137
    It seems many antivirus programs now do this with their webshields. Sorry to be off topic, but in regards to the leaktest, do you guys know if in Comodo firewall enabling alerts for loopback requests is what I want to enable to protect against this sort of thing when I use Avira webshield too?

    update:
    I just tested it, and it seems that with Comodo with the setting to enable alerts for loopback requests, I get a Defense+ alert first about leaktest.exe trying to access the DNS/RPC client service, and if I do allow once on that alert I get a second alert from the firewall saying leaktest is trying to connect to the internet. If I disable alerts for loopback requests then I never get asked by the firewall about leaktest trying to connect to the internet, so I think I answered my own question. I keep that option enabled anyway and I think it is default too.
     
    Last edited: May 31, 2009
  17. Xitrum

    Xitrum Registered Member

    Joined:
    Apr 20, 2009
    Posts:
    56
    Can you remove the entry for leaktest.exe from the OA program tab, then retest it with the loopback interface not checked in OA, and post your captures of the OA firewall log?
    Then repeat the test with the loopback interface checked and post the corresponding log.
    On my box, I do not see anything like what you describe about leaktest.exe - it failed with the loopback interface both checked and unchecked when I chose BLOCK on the 3 messages about leaktest.exe asking for DNS, key logging, and TCP access on port 80.
     
  18. Dregg Heda

    Dregg Heda Registered Member

    Joined:
    Dec 13, 2008
    Posts:
    830
    Hi guys, to be certain, this problem only exists with the webshield of Avira, right? I don't have to enable the loopback interface if I am using Avira Free, or if I have the webshield on Avira paid disabled, right?
     
  19. alex_s

    alex_s Registered Member

    Joined:
    Aug 13, 2007
    Posts:
    1,251
    This problem exists with any hooking proxy. When you deal with a normal proxy, it is you who enables or disables the proxy, but a hooking proxy is something that acts behind your back in most cases. And yes, this is intended to filter your traffic, but on the other side you lose control of where your programs are going to connect to.
     