lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Mon, 3 Jan 2005 22:09:38 +0200
From: "Ferruh Mavituna" <ferruh@...ituna.com>
To: <bugtraq@...urityfocus.com>
Subject: Multiple Firewall Products Bypass Vulnerability

-------------------------------------------------------------------
Multiple Firewall Products Bypass Vulnerability 
-------------------------------------------------------------------
Online URL		: http://ferruh.mavituna.com/article/?769
Download POC	: http://ferruh.mavituna.com/opensource/firewallbypass.zip
(Also I attached vbs files as txt, one of them is -mousecontrol.txt- vb.net
source code)

This is a generic problem of common Personal Firewall products which are
accept shortcuts or provide an interface that enables to click without
require a password for controlled actions (acting as server -listening
ports-, executing another program, connecting to another computer etc.).

-------------------------------------------------------------------
Problem;
-------------------------------------------------------------------
Most of personal firewalls allow shortcuts or interface for controlling
traffic. It's simple to bypass these firewalls by a multithreaded program
and sending keys or by contolling mouse.

This flaw enables that any Trojan or similar programs can easily bypass
firewall and act as a server or access to another computer. Also most of
these firewalls have a "remember" option so if you bypass firewall and
successfully exploit it, firewall will never ask again.

This is a similar threat with shattering attacks, but different method and
impact.

Vulnerable Products (Sending Key Method and Mouse Control);
These products are vulnerable to both of "Sending Key Method" and "Mouse
Control Method" 

Test Platforms;
Fully Patched Windows XP Professional and Windows 2003 Enterprise Edition
(May 19, 2004 - 01.01.2005)

1.	ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
	I.	4.5.530.000	- Tested
	II.	4.5.538.001	- Tested
	III.	5 and newer versions are not vulnerable...

2.	Kerio (www.kerio.com)
	I.	4.0.14		- Tested
	II.	All Versions

3.	Agnitium Outpost Firewall (www.agnitium.com)
	I.	2.1.303.4009 (314)	- Tested
	II.	2.5.369.4608 (369)	- Tested
	II.	All Versions

4.	Kaspersky Anti-Hacker (www.kaspersky.com) 
	I.	1.5.119.0	- Tested
	II.	All Versions

5.	Look 'n' Stop (www.looknstop.com)
	I.	2.04p2		- Tested
	II.	All Versions

6.	Symantec's Norton Personal Firewall (www.norton.com)
	I.	2004		- Tested
	II.	All Versions

-------------------------------------------------------------------
Vulnerable Products (Mouse Control);
-------------------------------------------------------------------
These products are only vulnerable to "Mouse Control Method", because they
don't accept shortcuts but still vulnerable to "Mouse Control" attacks.

1.	Panda Platinum Internet Security
	I.	8.03 (tested)
	II.	All Versions

2.	Omniquad Personal Firewall
	I.	1.1 (tested)
	II.	All Versions


-------------------------------------------------------------------
Proof of Concept;
-------------------------------------------------------------------
2 Proof of Concepts attached to advisory (also some other POCs for some
firewalls)

First POC (bypassSendKey.vbs) written in VBScript (.vbs), This POC include
required samples for ZoneAlarm, Kerio, Agnitium, Kaspersky Anti-Hacker, Look
'n' Stop and Symantec's Norton Personal Firewall. This script is executing
an instance of itself for multithreading and send shortcuts to firewall
while first instance trying to connect internet. I didn't write an auto
determine firewall function (but it's so easy), so you need to set it by
yourself.

Second (bypassMouseControl.txt) simulates an example of bypassing Zone Alarm
Firewall by with mouse control, code in VB.NET. Program is not using a real
multithread because some firewalls interrupt executing of program directly.
So program is executing another instance of itself with an argument.

Both of them add themselves to secure app list of firewalls and then bypass
active firewall.

Also I attached testFirewall.vbs for testing your firewall for application
control. 

-------------------------------------------------------------------
Solution;
-------------------------------------------------------------------
All firewalls should ask password for all kind of "Allow" actions. In fact
passwords can be fooled because of its nature but it is the best user
friendly / secure solution for protection.

As a user of these firewalls, if your firewall supports to "deny all
default" option, enable it, so your firewall deny all connections by
default. After that you may can manually select programs for allow them.

-------------------------------------------------------------------
Final Words;
-------------------------------------------------------------------
This is a methodology for bypassing interacted firewalls so it's possible
that this advisory affects other firewalls in market. Also it's possible
that future firewalls will be affected too. I think for now this is a
serious problem for firewalls, until they imply password/random human need
text method for "Allow/Deny" actions.

-------------------------------------------------------------------
History;
-------------------------------------------------------------------
Discovered: 03.05.2004
Vendors Informed: 28.08.2004
Published: 03.01.2005

-------------------------------------------------------------------
Vendors Status;
-------------------------------------------------------------------
Special thanks to ZoneLabs Team.


Ferruh Mavituna
http://ferruh.mavituna.com
pgpkey : http://ferruh.mavituna.com/PGPKey.asc


View attachment "outpost.txt" of type "text/plain" (1733 bytes)

View attachment "anti-hacker.txt" of type "text/plain" (2410 bytes)

View attachment "ZoneAlarm.txt" of type "text/plain" (1241 bytes)

View attachment "testFirewall.txt" of type "text/plain" (1089 bytes)

View attachment "norton.txt" of type "text/plain" (1287 bytes)

View attachment "mousecontrol.txt" of type "text/plain" (3652 bytes)

View attachment "bypassSendKey.txt" of type "text/plain" (3444 bytes)

View attachment "Kerio.txt" of type "text/plain" (1435 bytes)

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ