[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <C04DA9B5.2204%thor@hammerofgod.com>
Date: Mon, 27 Mar 2006 14:39:49 -0800
From: "Thor (Hammer of God)" <thor@...merofgod.com>
To: <edubp2002@...mail.com>, Bugtraq <bugtraq@...urityfocus.com>
Subject: Re: Microsoft Windows XP SP2 Firewall issue
If you're going to get someone to run the mytrojan.exe file, why not just
have it add itself to the exception list for you? I've said it a million
times, and here is a million-and-one: When a statement starts off with "If I
get someone to run X on their their system, I can," then it doesn't matter
how it ends.
t
On 3/24/06 2:34 AM, "edubp2002@...mail.com" <edubp2002@...mail.com> wrote:
> Windows XP firewall had improvements after SP2 and it display alerts about
> programs trying to listen on a port (acting as a 'server') to the users. It
> doesnt display the path for the file nor the last extension, instead, it only
> displays its description or name without the final extension.
>
> if u place a trojan with 'no name' in some dir, windows firewall will
> mistakenly alert about a 'folder name\', this can be misused to trick people
> into giving access to a malicious application thinking it is a legitim one.
> example below will make people think Internet Explorer is asking for access,
> when actually,it is not! :
>
> ==============example============================
> in a cmd prompt:
> copy mytrojan.exe "\program files\Internet Explorer\.exe"
> cd \program files\internet explorer
> start .exe
> =================================================
> An alert will show up saying 'Internet Explorer\' has been blocked and will
> ask if you want unblock it when it should alert about '.exe'.This could trick
> most people into thinking the firewall alerted about a well known legitim
> application.
>
> another issue with the firewall is using NTFS alternate data streams. if u
> execute a file that is 'forked' to another one, no alerts will show up, not at
> all, but I dont think this is a security issue since on the computers I tested
> I wasnt able to direct connect.
> example:
>
> ===============================================
> in a cmd prompt:
> type c:\mytrojan c:\windows\notepad.exe:mytrojan.exe
> start c:\windows\notepad.exe:mytrojan.exe
> ===============================================
> no alerts ;)
>
> ps: every exploit code or details about a vulnerability here in Securityfocus
> are not found.
> when you click in the exploit menu of any vulnerability and there is some kind
> of exploit code attached it will return an error such as 'the document you are
> looking for cannot be found' ... just like a broken link. and this issue is
> happening for some weeks. is this an error ?... waiting feedback on this
> issue.
> cheers,
> Edu
>
>
>
>
>
>
>
>
>
>
>
Powered by blists - more mailing lists