[<prev] [next>] [day] [month] [year] [list]
Message-ID: <653D74053BA6F54A81ED83DCF969DF08014C1103@pivxes1.pivx.com>
Date: Mon, 21 Feb 2005 11:35:05 -0800
From: "Thor Larholm" <thor@...x.com>
To: "Jay Calvert" <jcalvert@...aneronetworks.com>,
<bugtraq@...urityfocus.com>
Subject: RE: Windows Firewall Has A Backdoor
XPSP2 has a software firewall which like any other firewall has a list
of exceptions, being that it is host based these exceptions are process
based. Having an exceptions list is not a backdoor.
There's no vulnerability or backdoor here, just intended functionality.
You can't add keys to this registry location remotely without first
compromising the machine and gaining Administrator privileges or
convincing the user to infect themselves while they are Administrator.
If you can get malicious code to run on a machine with Administrator
privileges then naturally you can disable the XPSP2 firewall - just like
you can disable, cripple or just plain out uninstall Norton, TrendMicro,
ZoneAlarm, Qwik-Fix, CSA, Entercept or any other application that is
running on the same host.
If you attended the Blackhat 2004 Briefings in Las Vegas you will
remember that Eugene Tsyrklevich had a presentation called "Attacking
Host Intrusion Prevention Systems" in which he demonstrated on-stage how
to completely circumvent McAfee Entercept, a behavioral host based
protection product which tries to limit the actions of malicious code
once it is already running on the machine.
It will always be an uphill battle when you try to cleanup or protect
post-compromise; the only sane thing is to try and prevent the
compromise from happening in the first place.
I don't like to quote Microsoft but they deserve kudos when they are
right:
http://www.microsoft.com/technet/archive/community/columns/security/essa
ys/10imlaws.mspx
10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore
Regards
Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9
PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>
-----Original Message-----
From: Jay Calvert [mailto:jcalvert@...aneronetworks.com]
Sent: Saturday, February 19, 2005 9:53 PM
To: bugtraq@...urityfocus.com
Subject: Windows Firewall Has A Backdoor
By adding a new key to the registry in
HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolic
y/StandardProfile/AuthorizedApplications/List you can circumvent the
whole purpose of the firewall with out the users interaction or
knowledge. Spyware / Adware manufacturer's are already do this.
More information and a little rant at:
http://habaneronetworks.com/viewArticle.php?ID=144
--
Jay Calvert
HabaneroNetworks.com
Powered by blists - more mailing lists