Open Source and information security mailing list archives
 
Message-ID: <OF2B40E573.2F9FA575-ON86256EFD.000B93A5-86256EFD.000CA6AB@fnal.gov>
From: jklemenc at fnal.gov (jklemenc@...l.gov)
Subject: Malware can silently open holes in SP2 Firewall

OK, this is no different than an app mucking around with other 3rd party 
personal firewall configuration files, but I have read statements that one 
must use API functions to manipulate the SP2 firewall. Not true. All of 
the firewall settings for allowed applications and ports are in the 
following registry keys:

Application Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Port Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

All one needs to do is edit the registry. Now malware doesn't do that, 
does it?  :)
1) Read the App list and overwrite a legitimate file that is permitted 
(you don't think users will choose the block button when it pops up, do 
you?)
2) Simply add their own app to this list
3) Add their own listener port (if static) to the Port Exceptions

After modifying or creating keys in these locations, they take effect 
immediately. No need to reboot. OK, you need to be an administrator to 
edit these keys. What are XP Home users by default? You can set a policy 
to not allow exceptions, which will ignore these added entries, but that 
is not the default. The point is with 3rd party products, you need to find 
the location of the installed product and edit the config files in the 
right spot. Even that won't guarantee success in all cases. Even in the 
Windows IP Security filters, the data is stored in the registry in an 
undocumented binary data blob, and the filters are crossed to actions and 
policies and GUIDs, which makes tracing/creating them manually 
cumbersome. The new XP SP2 Firewall makes all of that very easy. Oh yeah, 
don't forget the netsh.exe command line stuff either. Malware could simply 
execute some commands via cmd /c netsh.exe firewall blah blah blah, but 
that won't be as silent as directly editing the registry.
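A defender-side counterpart to the post above, added here as an example (it is not code from the original message): a small auditor that parses the value strings stored under the two keys the post names and reports exceptions that appeared or changed since a saved baseline, application exceptions pointing into user-writable locations, and port exceptions open to any remote address. The field layout it assumes ("path:scope:mode:name" for applications, "port:protocol:scope:mode:name" for ports) is taken from typical .reg exports of these keys and should be checked against your own export; the baseline and current entries are constructed for the demonstration.

```python
"""Audit the XP SP2 Windows Firewall exception lists kept in the registry.

Added example, not the original poster's code. Reports exceptions added or
altered since a saved baseline, application exceptions whose path lies in a
user-writable location, and enabled port exceptions with scope '*'. The value
layout is assumed from typical .reg exports; the sample data is constructed.
"""
import re
from dataclasses import dataclass
from typing import Dict, List

# Keys named in the post; values under each are name -> colon-separated string.
APP_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess"
           r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")
PORT_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")

_DRIVE = re.compile(r"^[A-Za-z]:\\")
# Path fragments that normally mean a location any local user can write to.
USER_WRITABLE = ("\\temp\\", "\\documents and settings\\", "\\local settings\\")


@dataclass(frozen=True)
class AppException:
    path: str
    scope: str      # "*" = any remote address, "LocalSubNet" = local subnet only
    enabled: bool
    name: str


@dataclass(frozen=True)
class PortException:
    port: int
    protocol: str
    scope: str
    enabled: bool
    name: str


def parse_app_value(data: str) -> AppException:
    """Parse 'C:\\path\\app.exe:*:Enabled:Friendly Name' (assumed layout)."""
    fields = data.split(":")
    if _DRIVE.match(data):
        # The drive letter's colon belongs to the path, not to a separator.
        fields = [fields[0] + ":" + fields[1]] + fields[2:]
    if len(fields) < 4:
        raise ValueError(f"unexpected application entry: {data!r}")
    path, scope, mode = fields[0], fields[1], fields[2]
    name = ":".join(fields[3:])  # a friendly name may itself contain ':'
    return AppException(path, scope, mode.lower() == "enabled", name)


def parse_port_value(data: str) -> PortException:
    """Parse '139:TCP:LocalSubNet:Enabled:Friendly Name' (assumed layout)."""
    fields = data.split(":", 4)
    if len(fields) != 5:
        raise ValueError(f"unexpected port entry: {data!r}")
    port, proto, scope, mode, name = fields
    return PortException(int(port), proto.upper(), scope,
                         mode.lower() == "enabled", name)


def audit(apps: Dict[str, str], ports: Dict[str, str],
          baseline_apps: Dict[str, str], baseline_ports: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing to report."""
    findings: List[str] = []
    for name, data in apps.items():
        app = parse_app_value(data)
        if name not in baseline_apps:
            findings.append(f"new application exception: {app.path} "
                            f"(scope={app.scope}, enabled={app.enabled})")
        elif baseline_apps[name] != data:
            findings.append(f"changed application exception: {app.path}")
        if app.enabled and any(frag in app.path.lower() for frag in USER_WRITABLE):
            findings.append(f"enabled exception in user-writable location: {app.path}")
    for name, data in ports.items():
        port = parse_port_value(data)
        if name not in baseline_ports:
            findings.append(f"new port exception: {port.port}/{port.protocol} "
                            f"(scope={port.scope}, enabled={port.enabled})")
        elif baseline_ports[name] != data:
            findings.append(f"changed port exception: {port.port}/{port.protocol}")
        if port.enabled and port.scope == "*":
            findings.append(f"port open to any address: {port.port}/{port.protocol} ({port.name})")
    return findings


# Constructed sample: what a saved baseline held, and what the keys hold now.
BASELINE_APPS = {
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\sessmgr.exe":
        r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019",
}
CURRENT_APPS = dict(BASELINE_APPS)
CURRENT_APPS[r"C:\Documents and Settings\user\Local Settings\Temp\updater.exe"] = (
    r"C:\Documents and Settings\user\Local Settings\Temp\updater.exe:*:Enabled:Update Helper")
BASELINE_PORTS = {"139:TCP": "139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"}
CURRENT_PORTS = dict(BASELINE_PORTS)
CURRENT_PORTS["6000:TCP"] = "6000:TCP:*:Enabled:Remote Support"


if __name__ == "__main__":
    for line in audit(CURRENT_APPS, CURRENT_PORTS, BASELINE_APPS, BASELINE_PORTS):
        print(line)
```

On a live system the two dictionaries would be filled from `reg export` output or `winreg` reads of the keys above rather than from the constructed sample; the baseline is whatever the lists held at a known-good point, so a scheduled run of the audit turns a silent registry edit into a reportable diff.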
