new leaktest released : DNStester (from Jarkko Turkulainen)

Discussion in 'other firewalls' started by gkweb, Apr 1, 2004.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hi,

    a new leaktest has been released, DNStester v1.0, available here : http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/leaktest14.htm



    a description from the page :

    The author's main work is about DNSshell, more information on his website :
    http://www.klake.org/~jt/dnshell/


    All information and explanations are very detailed and interesting, I advise you to take a look at it.

    regards,

    gkweb.




    url repaired==bigc
     
    Last edited by a moderator: Apr 26, 2004
  2. halc

    halc Guest

    Just FYI: DNS Client is not really needed (on most systems) and can be disabled. I always disable it on my XP systems and run an alternative DNS Proxy/Cache (AnalogX FastCache).
     
  3. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Indeed, it's a workaround to disable it :)

    the point however is that this service is unfortunately enabled by default on Windows XP (probably in Windows 2000 too) and not every user knows they can disable it.

    regards,

    gkweb.
     
  4. RedLobster

    RedLobster Guest

    As stated, the service is not needed....and if the vendor of this so-called leak test wanted to do the public a service then fine, just make a program that will disable the service.....instead of saying this:

    **=> In order to use DNStester, you must leave enabled the DNS client windows service.**


    There are many settings that are enabled by default within the Windows operating system....not all of which are good......and there are forums like this one where people help others secure their systems.........
    This so-called leak test has the gall to actually ask a user to hack his own firewall by turning on the service if it's been disabled......
    But also stated by the vendor:

    **Indeed, the DNS client windows service must be allowed to access the Internet.**

    Wait...didn't we all just agree that the service can be disabled......so what's the purpose of the "MUST BE ALLOWED"?

    Leaktest huh..........
     
  5. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    A leaktest is just a proof of 'concept' to show that personal firewalls, which are supposed to block programs from accessing the internet, fail in some cases :)

    That's important information to show the user to layer his security instead of relying on a single product, I don't see any bad thing in that.

    For instance the last version of Zone Alarm Pro, even with the service enabled, catches the leaktest and asks the user what to do, so you can see that all of that has a meaning.

    There is a difference between blocking a leaktest and passing a leaktest: to pass means to pass the idea behind the leaktest (which ZA does with this one) and to block means to block the leaktest regarding another totally different thing the leaktest triggers, like simply preventing it from launching with a sandbox, or preventing it from doing its job by disabling a service, or even by keeping your AV up to date to detect it before it can run.
    Few leaktests like Copycat can't even be passed currently by firewall features.

    Leaktests are just a way to show that in some way, trojan authors can defeat your firewall (by unpublished exploits) and that you should add layers. Maybe you think that's stupid, but I do think it's a benefit for everyone, it's just information; after that, you can behave accordingly or not, it's your choice.

    regards,

    gkweb.
     
  6. RedLobster

    RedLobster Guest

    That plus $1.50 will get you a cup of coffee....where is the proof of concept in a person hacking his own firewall....by enabling a service
    lets see....there is a button on the Tower....press the button and the computer shuts down....proof of concept.......well that's what that so-called leaktest is doing....telling a person TO ENABLE A SERVICE SO THE LEAK TEST CAN PASS THE FIREWALL.

    Leaktests have been around a few years and have served a purpose....several firewalls have improved because of leaktests.......
    But to ask that a service be enabled.....that's the gall of it all.........not worth discussion....I just can't believe anyone.....not even a newbie......actually enabling a service KNOWING IT'S GOING TO BE EXPLOITED...
     
  7. RedLobster

    RedLobster Guest

    Gkweb

    Say..please don't think I am posting to offend you.....most definitely not!
    My posts are about the so-called leaktest......not in any way personal...ok
    Leaktests can have a purpose.....the right kind of leaktest
     
  8. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Install the Zone Alarm Pro trial and you will see it does NOT pass the firewall, which shows that all of the firewalls failing it _while_ this service is enabled are vulnerable, that's a fact.

    Then in best guidance/practices or safe hex, whatever you call it, it is advised not to enable it; these are two totally different areas and you can't argue against one taking arguments from the other.

    If you mean that, as the leaktest author that I am, I suggest to users to decrease their security, take a look at my website, in particular at these two pages:

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/advices.htm

    http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/software.htm

    and probably this little tool can interest you too: http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/wwdc.htm


    As you can see, the first purpose of leaktests is to demonstrate vulnerabilities to make users aware of them, and then to improve their security; the purpose is not (and was never) to tell the user to permanently disable his overall security.
    It seems that you don't understand what a proof of concept is: you can disable a service, but the idea can be used with another protocol with a service you can't disable, for instance, or maybe simply the beginner in security who is clueless about that will now feel compelled to disable this service.

    Once again, i see only benefits for everyone.

    regards,

    gkweb.

    EDIT : no offense taken, your opinion is as good as anyone else's.

    url's repaired==bigc
     
    Last edited by a moderator: Apr 26, 2004
  9. Paul Wilders

    Paul Wilders Administrator

    Joined:
    Jul 1, 2001
    Posts:
    12,472
    Location:
    The Netherlands
    No offense intended, snowman: but that's right on target IMO.

    regards.

    paul
     
  10. RedLobster

    RedLobster Guest

    ok,,we agree that this is a discussion..no offense taken...just talking...


    *but the idea can be used into another protocol with a service you can't disable for instance*


    Ok, then make a leaktest for that service that can't be disabled.....
    if I un-install my firewall there's a good chance I will eventually be hacked.....and if I enable a service that I already know is exploitable...how is that any different than your test? Of course ZA will fail...how could it possibly pass....the user just hacked the firewall himself...your test didn't..the user did.
    As for the newbies..of course they don't know.....they are just newbies....they don't know that media player is known as the super cookie either.....but they can learn....without being scared......by smoke and mirrors.....
    And again I STRONGLY SAY THAT NO OFFENSE IS INTENDED.
    Do you believe that a firewall can be improved to prevent this service from bypassing it? o_O If you can honestly say yes to that question then I humble myself and offer an apology.............understand of course that I already know that disabling the service works.....but can a firewall be improved to prevent the ENABLED service.........?
     
  11. RedLobster

    RedLobster Guest

    GW

    I just noticed that you are not logged in...so you must have left.
    In fairness I won't post on this topic anymore.........I am not someone who goes behind another person's back......instead I prefer to discuss matters openly and honestly with the person......so, perhaps another time.
     
  12. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Once again, Zone Alarm Pro already does it.
    If I didn't understand your question, can you say it in another way?

    Then, once a trojan is put on your system, it is very easy to start the service if it isn't started; the end user will just see the firewall asking him whether or not to allow "svchost.exe" to access the internet in the best case (if not ZA) and won't have any clue that a trojan is there, so whether the service is started or not in fact doesn't matter, since a trojan can simply enable it.
    If the end user isn't lucky, svchost is already allowed to access the Internet (because svchost is involved in more network services than just DNS requests).

    But leaktests aren't trojans, just vulnerability demos, so don't expect a leaktest to totally destroy your system just to show you that it can do it.

    regards,

    gkweb.

    EDIT : going to unplug from the Internet, I can't continue the discussion until tomorrow probably.
     
  13. RedLobster

    RedLobster Guest

    GB

    no need to continue..your last explanation settled the matter.....
    And as promised....you have my humble apology.

    We were actually talking about totally different things....I didn't see it until your last post.......your point of a trojan turning on the service.....
    again my apology........
     
  14. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    No need to apologize RedLobster, I must admit that all things around leaktests aren't so obvious sometimes.


    hm, bed time now ;)

    regards,

    gkweb.
     
  15. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    gkweb - I could stop it with ZAP and NIS 2004. NIS 2004 says the .exe is trying to connect to a DNS server. I click always block connections on all ports, and it's stopped.
     
  16. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Is your DNS client service running and allowed?
    (svchost.exe - XP, services.exe - 2000).
    Are you on XP or 2000, so I can do the test accordingly?

    thank you.

    regards,

    gkweb.
     
  17. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Yes, and I am on Windows XP Home edition.
     
  18. Pilli

    Pilli Registered Member

    Joined:
    Feb 13, 2002
    Posts:
    6,217
    Location:
    Hampshire UK
  19. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
  20. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    GKWeb,

    Out of curiosity, does ZoneAlarm simply detect DNStest as a new application requesting DNS access (like any other application) or does it catch on that there is something more unusual about it? (zero TTL, use of TXT queries, etc).

    Leaktest comments aside, combining this approach with address space injection (allowing a trojan to assume the identity of a trusted application) would bypass virtually any firewall (Outpost's DNS Cache plugin would block repeated access always returning the first cached result instead, but this is more by accident than design). Stopping this would require the likes of ProcessGuard or System Safety Monitor.
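One way a defender could look for the query pattern described above (TXT-type lookups, zero TTL answers, long random-looking labels under a single parent domain) in a resolver log. This is an added example and is not code from the thread, from DNStester or from DNSshell; the log format, the sample lines, the thresholds and all function names are constructed assumptions for illustration.

```python
"""Flag DNS queries that resemble a DNS covert channel.

Heuristics (each is weak alone, so a query is flagged only when several agree):
  * TXT query type          - the record type that carries free-form payload
  * zero TTL on the answer  - keeps the resolver from caching, so every query reaches the server
  * long, high-entropy first label - encoded data rather than a human-chosen hostname
Legitimate TXT lookups (SPF, DMARC) match only the first heuristic and are not flagged.
"""
import math
from collections import Counter, defaultdict

# Constructed sample resolver log: timestamp, client, qname, qtype, answer TTL.
# The tunnel.example.net lines imitate the pattern discussed in the thread.
SAMPLE_LOG = """\
2004-04-01T10:00:01 192.0.2.10 www.example.com A 3600
2004-04-01T10:00:02 192.0.2.10 mail.example.com MX 1800
2004-04-01T10:00:03 192.0.2.10 a9f3kd02lqx7.tunnel.example.net TXT 0
2004-04-01T10:00:04 192.0.2.10 b7q1zm44pwe2.tunnel.example.net TXT 0
2004-04-01T10:00:05 192.0.2.10 c3r8xn91vty5.tunnel.example.net TXT 0
2004-04-01T10:00:06 192.0.2.11 _dmarc.example.org TXT 300
"""


def shannon_entropy(text):
    """Bits of entropy per character; random base32/base64-style labels score high."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Parse one whitespace-separated log line of the constructed format above."""
    ts, client, qname, qtype, ttl = line.split()
    return {
        "ts": ts,
        "client": client,
        "qname": qname.lower().rstrip("."),
        "qtype": qtype.upper(),
        "ttl": int(ttl),
    }


def parent_domain(qname, levels=2):
    """Registrable-ish parent (last `levels` labels), used to group queries per tunnel domain."""
    return ".".join(qname.split(".")[-levels:])


def score_query(query, entropy_threshold=3.0, min_label_len=10):
    """Return the list of heuristics a single query matches (possibly empty)."""
    reasons = []
    if query["qtype"] == "TXT":
        reasons.append("txt-query")
    if query["ttl"] == 0:
        reasons.append("zero-ttl")
    first_label = query["qname"].split(".")[0]
    if len(first_label) >= min_label_len and shannon_entropy(first_label) >= entropy_threshold:
        reasons.append("high-entropy-label")
    return reasons


def analyze(log_text, min_reasons=2):
    """Flag queries matching at least `min_reasons` heuristics.

    Returns (flagged, per_parent): flagged is a list of (qname, reasons),
    per_parent counts flagged queries per parent domain so a burst under one
    domain stands out even when each single query looks marginal.
    """
    flagged = []
    per_parent = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        query = parse_line(line)
        reasons = score_query(query)
        if len(reasons) >= min_reasons:
            flagged.append((query["qname"], reasons))
            per_parent[parent_domain(query["qname"])] += 1
    return flagged, dict(per_parent)


if __name__ == "__main__":
    hits, per_parent = analyze(SAMPLE_LOG)
    for qname, reasons in hits:
        print(f"FLAG {qname}: {', '.join(reasons)}")
    for domain, count in per_parent.items():
        print(f"{count} flagged queries under {domain}")
```

Requiring two heuristics is what keeps the `_dmarc.example.org` TXT lookup out of the result set; in a real deployment the entropy threshold and label length would need tuning against the organisation's own baseline, and the per-parent-domain count is the value worth alerting on rather than any single query.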
     
  21. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    Going OT slightly, running the DNS Client service can allow "rogue" DNS servers to spoof you with false replies redirecting you to other sites. Follow the recommendations at the bottom of the Adjust Windows XP DNS Cache Settings article to prevent this (Registry editing required - similar advice is included at the bottom of Microsoft's Windows 2000 DNS article - presumably this has not yet merited a Security Advisory *typical*).
     
  22. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    I have tried both SSM and PG, and they didn't stop it. Maybe they require special settings. Only ZAP and NPF have stopped it. I wish Outpost would - it sounds like a serious thing.
     
  23. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    DNStest does not use address space or DLL injection so SSM and PG will have no effect on it (SSM should have prompted you when you ran it though). I was talking about a (currently) theoretical combination of it with a trojan using techniques to hide itself in other running processes.

    Outpost can block it, but you have to have it tightly configured. Specifically use the "Application DNS" settings in A Guide to Producing a Secure Configuration for Outpost (when the Outpost Firewall forum is back up from the vBulletin upgrade).
     
  24. mvdu

    mvdu Registered Member

    Joined:
    Oct 14, 2003
    Posts:
    1,151
    Location:
    PA
    Thanks for those settings - while my experiences with Outpost haven't been good lately, I haven't given up on it because I could have conflicting software - you never know.

    So it must be combined with the address space to transfer the info to the remote computer?
     
  25. Jason_DiamondCS

    Jason_DiamondCS Former DCS Moderator

    Joined:
    Nov 11, 2002
    Posts:
    1,046
    Location:
    Perth, Western Australia
    If I recall correctly, if you have blocked WRITE access on svchost.exe and made sure the leaktest doesn't have allow write access, then Process Guard should block this. Unless of course the author has recently changed his methods.
     