lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: 28 Oct 2007 09:40:24 -0000
From: komarov@...efence.ru
To: bugtraq@...urityfocus.com
Subject: Webroot Desktop Firewall <=5.5.10.20 DNS recursion

Webroot Desktop Firewall 5.5.10.20 

ITDEFENCE.ru Advisory 
Author: Komarov Andrej (komarov@...efence.ru

I. BACKGROUND
The Webroot Desktop Firewall secures your computer from Internet threats and reduces the risks of being a victim of online crimes. Unlike the Windows XP and Vista Firewall, Webroot Desktop Firewall combines intelligent firewall technology with intrusion prevention for inbound and outbound protection that is both powerful and easy to use. http://www.webroot.com/

II. DESCRIPTION
DNS tunnelling involves inserting data into the DNS packet using "space" in the packet that can take additional data. For example, A DNS packet can contain a TXT record into which any text, up to 220 bytes, can be inserted. You fragment the data, maybe an HTTP request, add it to the packet, and send the modified DNS traffic over the web to a receiving server. It recompiles the sent data, and enables internet access. DNS packets can be used to transfer extra data and this is why they should be controlled by firewalls as any other packets. 

III. ANALYSIS
Windows DNS API using can help an attacker to make data transfer possible. If the successfull recursive DNS query for “x-site” is done, it is possible to transfer information from your computer past personal and network firewalls. There is a "stealth" way of DNS connectivity checking using Windows System Services (services.exe / svchost.exe) and if it is not controlled there is a possibility of covert channel creating. 

Additional links:
NSTX-suite by Florian Heinz and Julien Oster (http://nstx.dereference.de)

Gray-World NET Team (http://gray-world.net/papers.shtml)

The DNS-shaped holes that one cuts into firewalls. (http://homepages.tesco.net/~J.deBoynePollard/FGA/dns-shaped-firewall-holes.html)

DNSTest by Jarkko Turkulainen (http://www.klake.org/~jt/dnshell/)

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ