Multiple Firewall Products Bypass Vulnerability

Discussion in 'other security issues & news' started by nick s, Jan 3, 2005.

Thread Status:
Not open for further replies.
  1. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    "This is a generic problem of common Personal Firewall products which accept shortcuts or provide an interface that enables clicking without requiring a password for controlled actions (acting as a server -listening ports-, executing another program, connecting to another computer etc.)..."

    Full advisory: Multiple Firewall Products Bypass Vulnerability (link may go down) or Multiple Firewall Products Bypass Vulnerability

    Nick

    more of the advisory (from grc.security):

    Online URL : http://ferruh.mavituna.com/article/?769
    Download POC : http://ferruh.mavituna.com/opensource/firewallbypass.zip
    (I also attached the VBS files as .txt; one of them, mousecontrol.txt, is
    VB.NET source code)

    This is a generic problem of common Personal Firewall products which
    accept shortcuts or provide an interface that enables clicking without
    requiring a password for controlled actions (acting as a server -listening
    ports-, executing another program, connecting to another computer etc.).

    -------------------------------------------------------------------
    Problem;
    -------------------------------------------------------------------
    Most personal firewalls allow shortcuts or an interface for controlling
    traffic. It's simple to bypass these firewalls with a multithreaded program
    that sends keys or controls the mouse.

    This flaw means that any Trojan or similar program can easily bypass the
    firewall and act as a server or access another computer. Also, most of
    these firewalls have a "remember" option, so if you bypass the firewall and
    successfully exploit it, the firewall will never ask again.

    This is a threat similar to shatter attacks, but with a different method and
    impact.

    Vulnerable Products (Sending Key Method and Mouse Control);
    These products are vulnerable to both the "Sending Key Method" and the "Mouse
    Control Method"

    Test Platforms;
    Fully Patched Windows XP Professional and Windows 2003 Enterprise Edition
    (May 19, 2004 - 01.01.2005)

    1. ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
    I. 4.5.530.000 - Tested
    II. 4.5.538.001 - Tested
    III. 5 and newer versions are not vulnerable...

    2. Kerio (www.kerio.com)
    I. 4.0.14 - Tested
    II. All Versions

    3. Agnitum Outpost Firewall (www.agnitium.com)
    I. 2.1.303.4009 (314) - Tested
    II. 2.5.369.4608 (369) - Tested
    III. All Versions

    4. Kaspersky Anti-Hacker (www.kaspersky.com)
    I. 1.5.119.0 - Tested
    II. All Versions

    5. Look 'n' Stop (www.looknstop.com)
    I. 2.04p2 - Tested
    II. All Versions

    6. Symantec's Norton Personal Firewall (www.norton.com)
    I. 2004 - Tested
    II. All Versions
     
    Last edited: Jan 3, 2005
  2. nick s

    nick s Registered Member

    Joined:
    Nov 20, 2002
    Posts:
    1,430
    The Outpost Pro proof-of-concept worked on my version 2.5.370.4626 (370). Running in "Rules Wizard" mode, when I execute the VBS script, the standard allow/deny dialogue flashes briefly. If I then look at the OP "Applications" dialogue and the "Allowed Connections" log, I see that wscript.exe had been added as a "Trusted" application and established an outbound connection to the test URL.

    When I put OP in "Block most mode", the script fails. For the exploit to work on my system, I did have to allow the script to run when RegRun intercepted it, and I had to allow wscript.exe to run when Process Guard alerted me.

    Nick
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    I will just quote what I said on the broadband security forum:

    just my 2 cents.
     
  4. kareldjag

    kareldjag Registered Member

    Joined:
    Nov 13, 2004
    Posts:
    622
    Location:
    PARIS AND ITS SUBURBS
    Hi,

    I've recently mentioned in the ProcessGuard forum that API call vulnerabilities could be exploited with shatter attacks to bypass some protections like firewalls or others.

    More information (not the page with the tools' exploit):

    http://www.securityfocus.com/archive/1/383586

    Best Regards
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This is information I've posted previously elsewhere but since it seems relevant to this issue, it is probably worth repeating...

    Any exploit using SendKeys can be blocked via the following methods:
    • Remove Windows Scripting Host - Windows 98 users can remove it via Add/Remove Programs in the Control Panel (Windows Setup/Accessories should list Windows Scripting Host as a component). Windows 2000/XP users will have to use a third-party product like 2000lite/XPlite since Microsoft does not list WSH as a separate component here. Note: Some sites (like Sophos) suggest disabling WSH by removing the .vbs file type from Windows Explorer's recognised file types - while this will work for .vbs files, scripts can have other extensions (e.g. shellscrap .shs/shb files) so this should not be relied upon as a complete solution.
    • Install script-checking software - Some anti-virus software includes script scanners or blockers (just try running a test script to verify this), but Script Sentry can be used as a free alternative if they do not.
    • Assigning a firewall configuration password (where this option is available) may prevent (or at least restrict) the changes that can be made by any script - Process Guard's Secure Message Handling option can offer a partial solution since it can be used to prevent a firewall from being shut down and can be extended to include configuration changes accessible via menu options (this may not cover all options however and probably would not handle responses to application prompts).
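One way to apply the first mitigation above on Windows 2000/XP and later without a third-party product, added here as an example that is not part of the thread: Windows Script Host honours a registry switch (`Enabled` under `HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings`), and the script also lists which script extensions still resolve to a WSH engine, echoing the warning that removing only the .vbs file type is not a complete solution. The extension list is my own assumption of the common WSH-handled types.

```powershell
# Added example (not from the thread): disable Windows Script Host machine-wide
# via its registry switch, then report which script extensions still resolve
# to a WSH engine. Run from an elevated PowerShell prompt.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

# Create the key if it does not exist and set Enabled=0 (REG_DWORD).
# With this value wscript.exe and cscript.exe refuse to run any script.
New-Item -Path $wshKey -Force | Out-Null
New-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -PropertyType DWord -Force | Out-Null

# Verify the switch took effect before trusting it.
$enabled = (Get-ItemProperty -Path $wshKey -Name 'Enabled').Enabled
if ($enabled -ne 0) { throw "WSH still enabled (Enabled=$enabled)" }
Write-Output "Windows Script Host disabled machine-wide (Enabled=0)."

# Removing the .vbs file type alone is not enough: walk the usual WSH
# extensions (assumed list) and show whose open command still points at
# wscript.exe or cscript.exe.
$wshExtensions = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
foreach ($ext in $wshExtensions) {
    $progId = (Get-ItemProperty -Path "HKLM:\SOFTWARE\Classes\$ext" -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { Write-Output "$ext : no file type registered"; continue }
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    $cmd = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    if ($cmd -match 'wscript\.exe|cscript\.exe') {
        Write-Output "$ext -> $progId still opens with WSH: $cmd"
    } else {
        Write-Output "$ext -> $progId : $cmd"
    }
}
```

Setting the same value under HKCU applies the switch per user instead of machine-wide; the machine-wide value wins when both are present.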
     