Message-ID: <653D74053BA6F54A81ED83DCF969DF08014C1103@pivxes1.pivx.com>
Date: Mon, 21 Feb 2005 11:35:05 -0800
From: "Thor Larholm" <thor@...x.com>
To: "Jay Calvert" <jcalvert@...aneronetworks.com>,
	<bugtraq@...urityfocus.com>
Subject: RE: Windows Firewall Has A Backdoor


XPSP2 has a software firewall which, like any other firewall, has a list
of exceptions; being that it is host based, these exceptions are process
based. Having an exceptions list is not a backdoor.

There's no vulnerability or backdoor here, just intended functionality.
You can't add keys to this registry location remotely without first
compromising the machine and gaining Administrator privileges or
convincing the user to infect themselves while they are Administrator.

If you can get malicious code to run on a machine with Administrator
privileges then naturally you can disable the XPSP2 firewall - just like
you can disable, cripple or just plain out uninstall Norton, TrendMicro,
ZoneAlarm, Qwik-Fix, CSA, Entercept or any other application that is
running on the same host. 

If you attended the Blackhat 2004 Briefings in Las Vegas you will
remember that Eugene Tsyrklevich had a presentation called "Attacking
Host Intrusion Prevention Systems" in which he demonstrated on-stage how
to completely circumvent McAfee Entercept, a behavioral host based
protection product which tries to limit the actions of malicious code
once it is already running on the machine.

It will always be an uphill battle when you try to cleanup or protect
post-compromise; the only sane thing is to try and prevent the
compromise from happening in the first place.

I don't like to quote Microsoft but they deserve kudos when they are
right:

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@...x.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>   

-----Original Message-----
From: Jay Calvert [mailto:jcalvert@...aneronetworks.com] 
Sent: Saturday, February 19, 2005 9:53 PM
To: bugtraq@...urityfocus.com
Subject: Windows Firewall Has A Backdoor



By adding a new key to the registry in
HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List
you can circumvent the whole purpose of the firewall without the user's
interaction or knowledge.  Spyware / Adware manufacturers are already
doing this.

More information and a little rant at:
http://habaneronetworks.com/viewArticle.php?ID=144


--
Jay Calvert
HabaneroNetworks.com
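The practical follow-up to this thread is not to argue about the word "backdoor" but to audit the exceptions list the original message points at. The following PowerShell script is an added example, not code from either poster: it enumerates the AuthorizedApplications list for the Standard and Domain profiles, parses each entry, flags enabled exceptions that are not on an administrator-maintained allowlist, and prints which security principals hold write access to the key (which is what makes Thor's point that the list can only be changed with Administrator privileges checkable). It assumes the XP SP2 key layout, including the CurrentControlSet component that the path as quoted in the thread omits, and the documented XP SP2 value format `<exe path>:<scope>:<Enabled|Disabled>:<display name>`; the allowlist contents are constructed for illustration.

```powershell
# Added example (not from the original thread): audit the XP SP2 Windows Firewall
# application exceptions list against an administrator-maintained allowlist.
# Assumption: XP SP2 layout under
#   HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\
#     <Profile>\AuthorizedApplications\List
# where each value is "<exe path>:<scope>:<Enabled|Disabled>:<display name>".

$FirewallPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy'

# Constructed allowlist for illustration: programs an administrator has approved.
$ApprovedPaths = @(
    'C:\Program Files\Messenger\msmsgs.exe'
)

function ConvertFrom-ExceptionEntry {
    param([string]$Profile, [string]$ValueName, [string]$Data)
    # Lazy match on the path lets the drive-letter colon stay inside the path;
    # the Enabled|Disabled anchor forces the split at the right colons.
    $pattern = '^(?<path>.+?):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<name>.*)$'
    if ($Data -notmatch $pattern) {
        # Malformed data is itself worth reporting: the firewall service may ignore it,
        # or it may be something tampering with the list.
        return [pscustomobject]@{ Profile=$Profile; ValueName=$ValueName; Path=$null;
                                  Scope=$null; State='Malformed'; Display=$Data }
    }
    [pscustomobject]@{
        Profile   = $Profile
        ValueName = $ValueName
        Path      = $Matches['path']
        Scope     = $Matches['scope']
        State     = $Matches['state']
        Display   = $Matches['name']
    }
}

function Get-FirewallExceptionList {
    foreach ($profile in 'StandardProfile', 'DomainProfile') {
        $listKey = Join-Path $FirewallPolicyKey "$profile\AuthorizedApplications\List"
        if (-not (Test-Path $listKey)) { continue }
        $item = Get-Item $listKey
        foreach ($valueName in $item.GetValueNames()) {
            ConvertFrom-ExceptionEntry -Profile $profile -ValueName $valueName `
                                       -Data ([string]$item.GetValue($valueName))
        }
    }
}

function Find-UnapprovedExceptions {
    param([object[]]$Entries, [string[]]$Approved)
    foreach ($e in $Entries) {
        $reasons = @()
        if ($e.State -eq 'Malformed') { $reasons += 'malformed entry' }
        elseif ($e.State -eq 'Enabled' -and $Approved -notcontains $e.Path) {
            $reasons += 'enabled but not on the allowlist'
        }
        # The value name normally equals the path; a mismatch is unusual enough to flag.
        if ($e.Path -and $e.ValueName -ne $e.Path) { $reasons += 'value name differs from path' }
        # A stale exception pointing at a binary that no longer exists is worth cleaning up.
        if ($e.Path -and -not (Test-Path -LiteralPath $e.Path)) { $reasons += 'executable missing on disk' }
        if ($reasons.Count -gt 0) {
            $e | Add-Member -NotePropertyName Reasons -NotePropertyValue ($reasons -join '; ') -PassThru
        }
    }
}

function Get-KeyWriters {
    # Who can add entries? Expect only SYSTEM and Administrators to hold SetValue here.
    param([string]$Key)
    $setValue = [System.Security.AccessControl.RegistryRights]::SetValue
    (Get-Acl $Key).Access |
        Where-Object { ($_.RegistryRights -band $setValue) -eq $setValue } |
        Select-Object IdentityReference, AccessControlType, IsInherited
}

# Run the audit and print findings.
$entries = @(Get-FirewallExceptionList)
Write-Host "Firewall exception entries found: $($entries.Count)"
Find-UnapprovedExceptions -Entries $entries -Approved $ApprovedPaths |
    Format-Table Profile, State, Path, Display, Reasons -AutoSize

Write-Host "`nPrincipals with SetValue on the FirewallPolicy key:"
Get-KeyWriters -Key $FirewallPolicyKey | Format-Table -AutoSize
```

Run it from an elevated prompt on a host with the XP SP2 key layout; on later Windows versions the firewall stores rules under a different subkey and the parser above will simply find no entries. The allowlist comparison is deliberately exact-path, so a copy of an approved program in a different directory is reported rather than silently accepted.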

