Metasploit/Armitage vs. Win2k with Outpost Firewall

perhaps better described as Godzilla vs. Bambi.

I have spent this evening experimenting with Kali Linux and Win2k KVM sessions. The Win2k VM is equipped with Outpost Firewall Free 6.51, with full paranoid settings - full system call interception, ask for all unknown executables, etc.

To say that Outpost fails miserably would be a vast understatement.

This is what I did:
- Set up the IE exploit used in Operation Aurora:
http://en.wikipedia.org/wiki/Operation_Aurora
- Directed IE6 to the exploit page
- Waited ~5 seconds for Metasploit to compromise the process
- Migrated to another process
- Got a view of the filesystem and uploaded an unsigned executable installer
- Ran the installer
- Ran the (also unsigned) program installed by the installer

All of this was without a single notification from Outpost. Even when running unsigned, unknown, third-party executables. Not only did the EXEs run without complaint, they weren't even visible to Outpost - they didn't show up in its list of known programs after running.

I'm not sure about other FW/HIPS software, but Outpost Free seems to be very broken.

Next up, Sunbelt Personal Firewall. Let's see if that fairs any better.

Edit: I'll probably test old versions of Online Armor and Privatefirewall after Sunbelt. Maybe System Safety Monitor or such as well. I would use WinXP and more recent versions, but I don't have a spare XP license; and anyway the Aurora exploit works on XP, and with newer versions of IE.

 

Awesome! Armitage is great, I've loved using it. Nothing proves how terrible security software out there is like opening up your own shell and poking around.

 

When IE6 was successfully exploited, it's pretty much game over. IE6 was little more than an easy path to the kernel. If you want to explore this farther, make a 2nd test setup. Use IEradicator or XPLite to completely remove IE6, then attack the setup via a non-MS attack surface app. Compare the results.

 

Okay, Sunbelt does a bit better. It doesn't raise any alarms when IE is compromised... But it does force IE to crash when I try to migrate to or inject code into another process. Executables and scripts can be written to the hard drive, but Sunbelt successfully blocks attempts to execute them.

So, not bad! It would still be possible to upload a nasty binary somewhere and set up an autorun entry, but this firewall at least does what it claims to.

 

It shouldn't matter that it's IE6 in this case, it's running as admin anyway. But the Aurora exploit works on Windows XP, and on newer versions of IE (though IIRC less reliably).

 

System Safety Monitor: works as advertised. Doesn't block the exploit, but does intercept attempts to migrate to other processes and to start command shells. Also seems to prevent token stealing.

(But sadly this doesn't change the fact that SSM is an utter pain to use!)

Edit: I'm having trouble finding old enough versions of PF and OA. I think I'll try an antivirus next, assuming any current ones still work on 2k.

(I'll probably try this with an XP VM tomorrow. Or maybe 2003, if I can find a copy of the evaluation version...)

 

IE6, the most targeted attack surface app of its day, was almost completely integrated into the desktop. Attack surface apps should be as isolated from the OS as possible, not tightly integrated into them. Exploiting IE6 gave you access to most every part of the system. Experiment with a few of the exploits and you'll see just how vulnerable that integration made those systems.

Which version of SSM did you test?

 

As I said, it shouldn't matter. Exploits are definitely more plentiful in IE6, maybe in part because of the desktop integration and other added functionality; but in the end a compromised program running as Administrator is a compromised program running as Administrator.