Tooleaky?

Discussion in 'other firewalls' started by Comp01, Oct 21, 2003.

Thread Status:
Not open for further replies.
  1. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Ok, I just recently tried "Tooleaky" and I failed it, so, I'm wondering, what good is a firewall, if it has data leakage?
     
  2. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    tooleaky is not actually that hard to pass. What firewall were you using?
     
  3. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Sygate v5.0 Free edition :doubt: I passed GRC.com's leak program... considering Sygate asked if I wanted to allow it..
     
  4. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    The exploit that tooleaky takes advantage of is simply to piggyback on the access of another program that has already been given permission out to the Internet through your firewall.

    The danger of allowing too many programs unlimited access to the Internet is that some other program will come along and call upon that program to access the Internet on its behalf. So, the best way to prevent such exploits is to either require permission for every new session of a network aware program that starts on your system, or to have a firewall that can see when a program calls another program to perform a function.

    I've written a number of posts here about tooleaky. Here are some of them...

    https://www.wilderssecurity.com/showthread.php?t=4556;start=msg29964#msg29964

    https://www.wilderssecurity.com/showthread.php?t=5222;start=msg34025#msg34025

    https://www.wilderssecurity.com/showthread.php?t=7419;start=msg49188#msg49188

    https://www.wilderssecurity.com/showthread.php?t=8372;start=msg54303#msg54303

    We'll need to hear from other Sygate users regarding its capabilities to intercept one program calling another for Internet access. I don't use Sygate, so I can't speak about it directly, however almost all Windows-based software firewalls have added the protections required to defeat tooleaky.
     
  5. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Most Windows-based Software Firewalls offer Link-Level Protection; it’s odd Sygate Personal Firewall would still not have Link-Level Protection…
     
  6. bellgamin

    bellgamin Very Frequent Poster

    Joined:
    Aug 1, 2002
    Posts:
    5,648
    Location:
    Hawaii
    Link-level protection? Explain, please.
     
  7. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Prevention against Application hijacking using dynamic link library (DLL) control hook as done by the "Firehole" and "Tooleaky" attacks. ;)
     
  8. rerun2

    rerun2 Registered Member

    Joined:
    Aug 27, 2003
    Posts:
    338
    Just for clarification I think the Pro version does offer DLL authentication.

    http://www.spfpro.com/products/comparison.htm

    "In addition to application checksum verification, Sygate Personal Firewall Pro 5.0 authenticates application DLLs, ensuring that a malicious program cannot use a trusted applications to execute an intrusion."
    http://www.spfpro.com/products/pro/whatsnew_pro.htm

    Hate to quote PC Mag ;) ... "If you enable DLL authentication in Sygate's firewall, it prompts you to allow or block FireHole DLL hijacking."
    http://www.pcmag.com/article2/0,4149,648838,00.asp

    If you want to stick with sygate personal, maybe you can try another program like SSM to go with it.
     
  9. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Actually, the free version has that also, I think I'm gonna enable it.. But not many programs are totally trusted (if any). I just recently moved Internet Explorer to "Ask" and currently, all my security update software is on ask, mIRC is on ask, MSN messenger is on ask, as is Trillian messenger, and Mozilla Firebird.
     
  10. _anvil

    _anvil Registered Member

    Joined:
    Jun 18, 2003
    Posts:
    56
    Tooleaky doesn't even use dll-injection - it just does something like start an IE process with a certain commandline parameter, containing the 'evil' url and your 'personal data.'

    That's why Sygate's dll-authentication should block Firehole (which indeed uses dll-injection), but will likely fail to block Tooleaky... :p

    You see, dll-authentication is not enough...
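
An added example, not part of the original thread: the parent/child check LowWaterMark describes (a firewall that sees one program calling another), applied to the browser launch _anvil describes, written in Python over constructed process-start events. The browser list, the trusted-launcher list, the verdict names and every path and URL below are assumptions made for illustration.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Assumed policy (hypothetical values; a real product would also verify
# checksums rather than trusting a path alone).
BROWSERS = {"iexplore.exe"}
TRUSTED_LAUNCHERS = {r"c:\windows\explorer.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.I)

# Constructed sample events: (parent image, child image, child command line).
SAMPLE_EVENTS = [
    (r"C:\WINDOWS\explorer.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe"'),
    (r"C:\Program Files\mIRC\mirc.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'"C:\Program Files\Internet Explorer\iexplore.exe" http://example.test/help'),
    (r"C:\Temp\leaktest.exe",
     r"C:\Program Files\Internet Explorer\iexplore.exe",
     r'iexplore.exe "http://example.test/page?data=constructed-value"'),
    (r"C:\Temp\leaktest.exe", r"C:\WINDOWS\notepad.exe", "notepad.exe"),
]

def check_launch(parent, child, cmdline):
    """Return 'allow', 'prompt' or 'prompt-data' for one process start."""
    if ntpath.basename(child).lower() not in BROWSERS:
        return "allow"            # only launches of a trusted browser matter here
    if parent.lower() in TRUSTED_LAUNCHERS:
        return "allow"            # the user starting the browser from the shell
    # Another program is calling the browser: the browser's own firewall
    # rule would otherwise cover traffic the caller was never granted.
    urls = [urlsplit(u) for u in URL_RE.findall(cmdline)]
    if any(u.query for u in urls):
        return "prompt-data"      # URL on the command line carries data
    return "prompt"

def triage(events):
    """Verdict for each event, in order."""
    return [check_launch(p, c, cl) for p, c, cl in events]

if __name__ == "__main__":
    for event, verdict in zip(SAMPLE_EVENTS, triage(SAMPLE_EVENTS)):
        print(f"{verdict:12} {ntpath.basename(event[0])} -> {ntpath.basename(event[1])}")
```

The check keys on who started the browser rather than on loaded DLLs, which is why it covers a launch that DLL authentication alone does not see.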
     
  11. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Sygate hasn't added anything to prevent against it. I do, however, know somewhere, Sygate has a Beta version, that is supposed to be better, but, since I don't like being a Beta tester, I don't want to bother with it, since, as it seems, Software Firewalls are useless, they can be gotten around, the only "true" hacker protection, is a hardware firewall,
    I believed that Software based firewalls were decent, due to the fact, it closes ports (Or 'stealths' them) and allows for control on outbound connections, but, this, however, remains untrue, considering Tooleaky can penetrate right through Sygate ... I put Internet Explorer on "ask" and I get no prompt, it just comes up saying my internet or computer are very slow, OR GRC.com is down.
     
  12. LowWaterMark

    LowWaterMark Administrator

    Joined:
    Aug 10, 2002
    Posts:
    17,876
    Location:
    New England
    I'm sorry Comp01 but you are making a global statement that all software firewalls are useless based upon the fact that the one product you are using, and the way you are using it, doesn't block one particular exploit demo. That is a major generalization that doesn't hold up as soon as you look at many other software firewalls, running in many different configurations.

    You say the only hacker protection is a hardware firewall based upon this tooleaky demo... Well, a hardware firewall won't stop tooleaky. tooleaky is just using a hidden Internet Explorer window to access a website on TCP port 80. A hardware firewall would allow that, so even with such a firewall you'd still fail the tooleaky test.

    Many software firewalls can intercept tooleaky along with a large number of other types of exploit demos.

    Actually, when you get that message from tooleaky, it means you passed the test. See image below. When there is no leak (ie. if your firewall blocked the access), tooleaky gives you the message box in this image. That's a good thing.
     


  13. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Hey Comp01

    If you're wanting something that passes this simple Tooleaky Leaktest take a gander at http://perso.wanadoo.fr/jugesoftware/firewallleaktester/eng/pageweb/test.html. ;)
     
  14. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Well, according to that site, it's Look'n'stop that's the best, and Zone Alarm:pro but, 1) I don't have enough money at the moment to buy ZA:pro or Look'n'stop and, 2) Look'n'stop is a rule based firewall, I don't really want a rule based firewall, I feel comfortable using Sygate, but, when it has a security flaw :doubt: I guess I'll continue using it ... For the moment, anyways, might as well not have a firewall :doubt:
     
  15. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Only way to have proper control of the Inbounds/Outbounds is with Rule-base Software Firewall.

    I suggest you don’t be so closed minded of other Software Firewalls especially Rule-base, Sygate Personal Firewall is Rule-base and you like that. You should explore and you just might come to find something you're really comfortable with.

    Take advantage of Software Firewalls Trials, Look ‘n’ Stop Personal Firewall (PRO) which contains both Application Filtering Layer and Internet Filtering Layer has 30-Day Trial, after 30-Days Application Filtering Layer becomes non-functional. Then you can explore another Software Firewall if still wish so. Otherwise you don’t know what you're missing out on and if ZoneAlarm or Sygate Personal Firewall is still the best to your opinion…

    You decide to Trial Look ‘n’ Stop don’t hesitate to post on the Official Look ‘n’ Stop forums here at wilders with Questions to your heart desires, I’ll be around to assist as much as required and if you want to contact me via E-mail you may do so at will…

    I’ve also made a Look ‘n’ Stop website that you may explore http://www.wilderssecurity.info/, gets updates quite constantly…

    Hope everything does work out for you though, don’t like to see anyone without a Software Firewall of some type…
     
  16. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Well, I'll probably keep Sygate, as there's nothing I really *need* to block, at the moment, and have Antitrojan software installed, and anti-spyware, and antivirus, I very seldom make advanced rules on Sygate, I mostly use it as an allow/block thing, if I do try another firewall, I might try Kerio, or Look'n'stop, maybe Outpost :doubt:
     
  17. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    And, because I don't use Internet Explorer that much, anyways, I have put it on "Ask" so it asks on each new window :doubt: I only use it for 1 site ... Also, I'm sure using Sygate is better than using no firewall at all, right?
     
  18. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    The Adventures of exploring, doesn’t that sound even a bit interesting?
    I would suggest try exploring all those that you have listed, not Install/Uninstall with blink of an eye though. Try to understand how these Firewalls work and afterwards uninstall and install another and I’m sure you may find something else you like just as much if not more than Sygate Personal Firewall. Otherwise you aren’t experiencing first hand whether Sygate Personal Firewall is really the best, and just think of a lot you could possibly be missing out… ;)
     
  19. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    Yeah, I guess, just, at the moment, don't feel up to downloading, and installing different firewalls, I have tried 3 firewalls before, I have tried: Zone Alarm, Zone Alarm Pro, (Didn't like how ZA handled memory) I tried Outpost free, (Didn't like the way the logs were kept) I got to Sygate, I like it, logs are separated (Unlike Outpost free) doesn't eat up my system's memory ... (Lower end system) I like the GUI, so, I really don't know :doubt:
     
  20. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Yea I understand perfectly well, I'm extremely picky over the System Resource usage of a Software Firewall... I guess have been on 486/20mhz 8MB of ram for so long made me quite picky myself... ;)

     
  21. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I'm actually looking at Kerio Firewall, right now, looks pretty good... It seems a lot like Sygate (Well, for the configuration at least)

    I like the fact where it can also just be a permit and deny (Like Sygate offers) and also has the availability of Advanced rules.
     
  22. Peter2150

    Peter2150 Global Moderator

    Joined:
    Sep 20, 2003
    Posts:
    17,046
    Having read the posts by LowWaterMark, I was curious, so I downloaded Tooleaky. I am using Zone Alarm 4.0 Pro, and I have basically given IE access. Tooleaky first stumbled on my first line of defense, Abtrusion Protector. It wouldn't let it run. Once I allowed it and ran it ZA popped up an alert asking me if I want to allow Tooleaky access via IE. A no, put an end to that. I am happy.
     
  23. Comp01

    Comp01 Registered Member

    Joined:
    Sep 4, 2003
    Posts:
    638
    I'm downloading System Safety Monitor right now, hoping to be able to block all malicious programs from ever running ;)
     
  24. Phant0m

    Phant0m Registered Member

    Joined:
    Jun 7, 2003
    Posts:
    3,684
    Location:
    Canada
    Yea, that’s normally the most recommended approach.
    Since it deals with ALL Application Launchings and not just Client/Server base Applications, it should be something you’ll find interesting… :D
     