Question about the Labrea vulnerability.

Discussion in 'other firewalls' started by TonyKlein, Jun 29, 2002.

Thread Status:
Not open for further replies.
  1. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Re: this article: Flawed outbound packet filtering in various personal firewalls

    From http://www.hackbusters.net/ob.html :

    "We are pleased to announce that Sygate Personal Firewall v5.0 has corrected this issue. Sygate has been incredibly responsive and helpful-- they contacted us, they listened, and they got it right. Way to go Sygate!
    We are also pleased to announce that Look n' Stop 2.03 Beta 01 now also correctly blocks non-winsock packets. The folks who make Look n' Stop were perhaps the first to react with a proposal of how best to handle packets that don't follow the standard winsock "route".
    Now Kerio Personal Firewall (used to be Tiny Personal Firewall) as of version 2.1.0 correctly blocks non-winsock packets. Kudos to the folks at Kerio"

    "Thus far, we have confirmation that the currently released versions of the following personal firewalls are vulnerable on the listed platforms:
    AtGuard v3.2 (Win9x)
    Norton Internet Security (Win2K)
    Tiny Personal Firewall (Win9x/Win2K)
    ZoneAlarm and ZoneAlarmPro (Win9x/Win2K)"

    Is that the latest state of affairs?

    And how much of a clear and present danger is this vulnerability anyway?

    Anything known about systems having been compromised in this way?
     
  2. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hello,

    First of all, it's interesting to know that this "vulnerability" only exists if you willingly install
    For Win95/98/ME: packet.dll and packet.vxd
    For WinNT: packetnt.dll and packet.sys
    For Win2K: packet.dll and packet.sys
    on your OS :)
    They are only used by some sniffers and special applications very few people use.
    If you don't use such applications, you don't have those libraries and you need to install them in order to run the test.
    If you don't have those libraries on your OS, do NOT install them: you stay immune. It would be stupid to install anything useless and introduce a possible flaw just for the pleasure of running a leaktest
    which cannot affect you if you stay as you are :-D

    BTW I use a sniffer which does not require those libraries:
    sniffer Pro.

    Rgds,

    JacK
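
One way to check for the precondition described in the post above, as an added example that is not part of the original thread: the script walks a directory tree and reports which of the listed packet library and driver files are present. The `audit` and `find_capture_files` names, and the assumption that the files would sit under the Windows directory, are illustrative and do not come from the thread.

```python
import os

# File names as listed per platform in the post above.
CAPTURE_FILES = {
    "Win95/98/ME": {"packet.dll", "packet.vxd"},
    "WinNT": {"packetnt.dll", "packet.sys"},
    "Win2K": {"packet.dll", "packet.sys"},
}


def find_capture_files(roots):
    """Return {lowercased name: [paths]} for listed files found under roots.

    Names are compared case-insensitively, as Windows file systems do.
    """
    wanted = set().union(*CAPTURE_FILES.values())
    hits = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                if name.lower() in wanted:
                    hits.setdefault(name.lower(), []).append(
                        os.path.join(dirpath, name))
    return hits


def audit(roots):
    """Report found files and the platforms whose full set is present."""
    hits = find_capture_files(roots)
    complete = sorted(p for p, names in CAPTURE_FILES.items()
                      if names <= set(hits))
    return {"files": hits, "complete_for": complete}


if __name__ == "__main__":
    # Assumption: the files, if installed, sit under the Windows directory.
    windir = os.environ.get("SystemRoot") or os.environ.get("windir")
    if not windir:
        raise SystemExit("No Windows directory in the environment; "
                         "pass roots to audit().")
    report = audit([windir])
    for name, paths in sorted(report["files"].items()):
        print(name, "->", ", ".join(paths))
    print("complete set present for:", report["complete_for"] or "none")
```

An empty `files` result corresponds to the "stay as you are" case in the post; a non-empty `complete_for` means both the library and its driver for that platform were found.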
     
  3. TonyKlein

    TonyKlein Security Expert

    Joined:
    Feb 9, 2002
    Posts:
    4,350
    Location:
    The Netherlands
    Thanks for that explanation, Jack.

    So in terms of real danger, this could really be considered a storm in a teacup?
     
  4. JacK

    JacK Registered Member

    Joined:
    Jun 20, 2002
    Posts:
    737
    Location:
    Belgium - Liège
    Hi,

    Yes, if you don't use such apps requiring those DLLs.
    NO, if you have those *.dll already on your system for any good or bad reason :)

    JacK
     
  5. root

    root Registered Member

    Joined:
    Feb 19, 2002
    Posts:
    1,723
    Location:
    Missouri, USA
    I agree, this one is not one of the leaks that is likely to cause much heartache.
    I do not know about the other firewalls, but the developers of Outpost have a fix for all known leaktests in the next major update to version 1.1.
    I think we all need to temper the concern about these firewall exploits with the fact that none of these have shown up yet. (Knock on wood) :) I think the firewall developers need to try to stay one step ahead of the bad guys, and I think most are trying.
    Some of these exploits are going to be tough to counter, since the way Windows is built, it allows one program to use another program with any special permissions.
    It really would help if M$ would get their act together on security without going the route of Palladium.
    Just my $.02. :rolleyes:
     