lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <417352DF.6050802@sst-pr-1.com>
Date: Mon, 18 Oct 2004 00:21:35 -0500
From: Simon Zuckerbraun <szucker@...-pr-1.com>
To: Justin.Polazzo@...ilities.gatech.edu, bugtraq@...urityfocus.com
Subject: RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall


An EXE would only be able to change firewall settings if it was running 
under an account with administrative privileges.

Indeed, a user who conducts day-to-day activities using an 
administrative account is very much exposed to the type of attack you 
describe (malicious exe writing to HKEY_LOCAL_MACHINE or stopping the 
firewall service). Security best practices (on any OS) forbid using an 
administrative account for day-to-day activities.

Simon

-----Original Message-----
From: Polazzo Justin [mailto:Justin.Polazzo@...ilities.gatech.edu]
Sent: Friday, October 15, 2004 1:11 PM
To: americanidiot@...hmail.com; bugtraq@...urityfocus.com
Subject: RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall


I am sorry, I thought (from a previous email in this or another list, I 
am getting forgetful in my old age) that editing these two registry 
entries would allow an app to, well if not bypass, at least be allowed 
thru the firewall.


Application Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\AuthorizedApplications\List


Port Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\GloballyOpenPorts\List



Is there something I am missing (again)?

Is this another example of "If you click on the .exe, you are exposed" 
type of exploit?

Are you demo'ing the fact that you can attach yourself to a system 
process and not be detected by XPSP2?

How did you get the code on the SP2 system? Email an .exe?

I thought the best part of XPSP2 was prevention of code from running on 
your system. This includes password guesses, bunches of malware, NMAP 
scans, and compiled programs.

To further demonstrate my point, I wrote this exploit that will disable 
the WinXP firewall as well, simply extract this text into a .bat file 
and double-click on it:

net stop "Windows Firewall/Internet Connection Sharing (ICS)"

-JP

MCSEnator CCaNT CISSPell OPSTinate


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ