New leaktest available: Ghost v1.0

Discussion in 'other firewalls' started by gkweb, Dec 12, 2003.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi there,

    I am releasing my new leaktest "Ghost" as a kind of "beta test".
    In fact, my website ( http://firewallleaktester.webhop.net ) has had a major update which is waiting for your feedback about the "Ghost" leaktest before I put it online.
    When everything is OK with "Ghost", I will add it to my site at the same time as all the other updates (including new leaktest results).

    Ghost beta test version available here:
    http://perso.wanadoo.fr/jugesoftware/Ghost.exe
    MD5: D5F8069EEDC4AA75EE0F001D517DE972

    I would like your input about it, if you think something needs to be improved or explained, as well as, of course, the results you see with your firewall.

    How does it work?
    In a very simple way.
    First step: it just calls Internet Explorer directly, in the same way that "test 2" from Wallbreaker or Tooleaky does, which is seen by the firewalls I evaluated.
    Second step, the "secret" :), is that since firewalls react to events, if you are quicker and can "disappear", you can put them in trouble locating the source.
    This is why "Ghost" reruns itself, changing its PID along the way.

    Ghost just reaches one page, but by doing this trick multiple times, I was able to transmit data through firewalls which were able to block it when done normally.

    So I would like to know what you think about it, whether it works on any OS (it was tested on Win98/Millennium/Win2000/XP), and whether you think it's ready to add to the site and release officially (not as a beta test version).

    Thank you :)

    EDIT: to test it, you have to give full access to IE and see what happens.
     
  2. mraka

    mraka Guest

    It hasn't leaked on Win2k with Sygate 5.5 or Outpost 2. If you put IE in trusted applications it will leak in both. Component control made no difference.
     
  3. gkweb

    You have to :)

    To understand why, you just have to know that when IE is fully trusted, direct access is nevertheless blocked (e.g. the "Tooleaky" leaktest).

    So apparently Sygate Pro 5.5 and Outpost Pro v2 fail "Ghost"; that is what I found too, but let's wait for more results.

    Thank you for your testing.
     
  4. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I tried it with ZAP 4.5, with Internet Explorer given access to the internet and network. ZAP sees internet explorer trying to use internet explorer to connect to the network, and the page doesn't load. It does not see the application Ghost, though.
     
  5. gkweb

    Hmm, strange, on my computer ZA Pro 4.5 sees ghost.exe trying to launch
    iexplore.exe, which made me think that ZA passes it.

    I didn't quite understand your sentence: even with IE having full access, ZA blocks without seeing Ghost, so without a reason?
     
  6. mvdu

    No it did not see Ghost - maybe our settings are different in some way.
     
  7. gkweb

    Can you remind me of your OS please?
    And by the way, your CPU speed.

    Thank you :)

    (I attached what I see on my computer)
     

  8. mvdu

    Never mind, when I saved the file on my hard drive, ZAP sees Ghost and stops it. Our results are the same, then. :)
     
  9. gkweb

    So if I understood right, ZA saw it the first time and then you blocked it definitively, and now ZA just blocks IE from opening without saying it is coming from Ghost?

    Sorry, I have difficulties understanding; it's pretty late where I live :)
     
  10. mvdu

    When I just opened the file from your link, ZAP stops the page from loading, but it doesn't see Ghost.

    When I save the file on my hard drive and run it, ZAP stops the page from loading AND sees Ghost.
     
  11. gkweb

    OK, so ZA passes Ghost, thank you ;)
     
  12. mraka


    It is good to standardize testing, especially when detecting certain features, but how many actually run IE as trusted? :D Now that itself is a risk :D
     
  13. mvdu

    You're welcome. Have you tested this with Norton Personal Firewall? If you haven't, I have that on the downstairs computer, and can later give you results. Do you want results with automatic configuration of Internet Explorer?
     
  14. gkweb

    Of course I would be interested too.
    As for any firewall I am evaluating, I already have results on my side, but they need to be checked by other people just in case :)

    I think that the result with automatic configuration or full access for IE will lead to the same result for NPF _2004_ :)
     
  15. gkweb

    @mraka

    Of course, in normal circumstances you should restrict your applications ;)
     
  16. gkweb

    To sum up:

    No stability issue or any other problem on Win 98 / Millennium / Win 2000 / Win XP.

    From here:
    passed by: ZA Pro 4.5
    failed by: Sygate Pro 5.5, Outpost Pro 2.0

    From my tests:
    passed by: ZA Pro 4.5, NPF 2004
    failed by: Sygate Pro 5.5, Outpost Pro 2, Look'n'Stop 2.05b1, Kerio 4.0.8

    Can anyone else check the results?
    (mvdu for example about NPF)

    About how "Ghost" works, I will just add that, in addition to the two steps I gave, when you click on "try" it creates an internal thread, gives it the highest priority possible in Windows (critical priority), and pushes code into it, to ensure it is as fast as possible.
    The "Ghost" leaktest is in fact more a "timing attack" than a complex trick.


    If you think that all results are good, that there is no problem, and whether or not you have any comments, please tell me.

    If no one sees any problem with Ghost, I could update my site with Ghost and all the stuff currently waiting; I'm just waiting for you, as I can't update it by adding a leaktest that makes computers crash, for example ;)

    Thank you :)
     
  17. mvdu

    Just tested with NPF, and got the same result - it passes Ghost.
     
  18. gkweb

    That is what I found too: NPF and ZA pass it and the others fail it.

    EDIT: Ghost in fact tests where the firewall's system "hooks" are put;
    if they are put too late in the application-calling process, they will miss Ghost.
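The failure mode gkweb describes in posts 16 and 18 (the launcher reruns itself, changes PID and is gone before a late firewall hook inspects the connection) can be shown from the defender's side. This is an added example, not code from the thread or from Ghost: a constructed process/network event stream is attributed twice, once by a hook that looks the parent up only among live processes at connect time, and once by a hook that records genealogy at process creation and keeps exited processes for a short window; the `Proc` type, the `EVENTS` stream and its tick timestamps are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

@dataclass
class Proc:
    image: str
    ppid: int
    created: int
    exited: Optional[int] = None  # filled in when the exit event is seen

# Constructed event stream (not from the thread), in the order Ghost relies on: the launcher
# starts iexplore.exe, reruns itself under a new PID, and the old PID exits before IE connects.
EVENTS = [
    {"t": 1, "ev": "create", "pid": 100, "ppid": 1, "image": "ghost.exe"},
    {"t": 2, "ev": "create", "pid": 101, "ppid": 100, "image": "iexplore.exe"},
    {"t": 3, "ev": "create", "pid": 102, "ppid": 100, "image": "ghost.exe"},
    {"t": 4, "ev": "exit", "pid": 100},
    {"t": 5, "ev": "connect", "pid": 101, "dst": "203.0.113.10:80"},
]

def live_parent_lookup(events) -> List[Optional[str]]:
    """Late hook: resolve the parent at connect() time among live processes only."""
    live: Dict[int, Proc] = {}
    out = []
    for e in events:
        if e["ev"] == "create":
            live[e["pid"]] = Proc(e["image"], e["ppid"], e["t"])
        elif e["ev"] == "exit":
            live.pop(e["pid"], None)  # the launcher is forgotten here
        elif e["ev"] == "connect":
            child = live.get(e["pid"])
            parent = live.get(child.ppid) if child else None
            out.append(parent.image if parent else None)
    return out

def genealogy_lookup(events, window: int = 10) -> List[Optional[str]]:
    """Early hook: record parents at creation and keep exited processes for
    `window` ticks; creation-time ordering rejects a recycled parent PID."""
    seen: Dict[int, Proc] = {}
    out = []
    for e in events:
        if e["ev"] == "create":
            seen[e["pid"]] = Proc(e["image"], e["ppid"], e["t"])
        elif e["ev"] == "exit" and e["pid"] in seen:
            seen[e["pid"]].exited = e["t"]
        elif e["ev"] == "connect":
            child = seen.get(e["pid"])
            parent = seen.get(child.ppid) if child else None
            fresh = parent is not None and parent.created <= child.created and (
                parent.exited is None or e["t"] - parent.exited <= window)
            out.append(parent.image if fresh else None)
    return out
```

The late hook returns no parent for the connect event, which is the "missed Ghost" case; the early hook still attributes it to ghost.exe because the launcher's exit one tick earlier is inside the retention window.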
     
  19. gkweb

    With "out of the box" settings, NPF passes it but not ZA, right ?
     
  20. gkweb

    OK, website updated, I quote the "news" page here:

    Of course if you encounter any issue with Ghost, feel free to post it here.

    I hope you will like all the new stuff, and that some people will find help on it.

    regards,

    gkweb.
     
  21. mvdu

    Under my test, the latest version of Kerio, 4.0.10, passes Ghost. Internet Explorer has access to the internet and network.
     
  22. gkweb

    Email me so I can keep a record and redo the test, thx ;)

    EDIT: only enable "network security" under Kerio and disable all the others, including "system security", which is application monitoring.
     
  23. controler

    controler Guest

    Look & Stop didn't stop it with default settings

    con
     
  24. mvdu

    I don't think that should be disabled, because it just watches for modifications like ZAP does with component control.
     
  25. gkweb

    I just redid the test with 4.0.10 and it fails it.

    The reason why it should be disabled is that the intrusion detection and web filtering features have nothing to do with leaktests.
    In addition, if you want I can even create an executable for you; with "system security" enabled, Kerio just checks when an access is done, not an internet access. It has been discussed with you in another thread.

    From the Kerio help:
    about "system security", of course.

    EDIT: And so, if it's only component related like you said, how can it detect Ghost when it doesn't modify/inject any components?
     