Message-ID: <44C1A761.2000000@herr-der-mails.de>
Date: Sat, 22 Jul 2006 06:19:45 +0200
From: "H. Wiedemann" <dpr@...r-der-mails.de>
To: full-disclosure@...ts.grok.org.uk
Subject: Outpost Firewall vulnerability, users gaining system rights

Hi,

All currently available "Outpost Firewall" versions have severe
vulnerabilities: every local user is able to run programs under the very
highly privileged LocalSystem account.

Steps to reproduce:
1.) create an empty text file (e.g. "empty.txt")
2.) create a batch file which will open a command shell.
    sth. like:
    cmd.exe
3.) open the Outpost Firewall GUI
4.) call one of the open or save file dialogs
    e.g. "File - Load Configuration"
    change the file type to "All Files *.*"
5.) drag the "empty.txt" and drop it over the created batch file
6.) a command shell opens running under the LocalSystem account
    (you can check this with "whoami.exe" from the Windows Resource Kit
    tools)

There are of course a lot of other drag&drop possibilities ... you could e.g.
drop the text file over "notepad.exe" which will open a notepad with
system privileges.

Even if Agnitum disables the Drag&Drop functionality: the open/save
dialog will always be able to read and write files with the rights of
the LocalSystem account. Thus every user could severely damage the system.

This vulnerability is by design; there are dozens of other possibilities
to gain system privileges with Outpost. The problem is that the GUI is
part of the Windows service and is running with SYSTEM privileges. Even
MS says that the so-called "Interactive Services" shouldn't be used -->
MSDN Library, topic "Interactive Services" - "Security Considerations
for Interactive Services".

--
H. WIEDEMANN
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
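
An audit for the "Interactive Services" configuration the message refers to, as an added example that is not part of the original post or of any vendor's code: it lists Windows services whose registry Type value carries the SERVICE_INTERACTIVE_PROCESS flag (0x100) and that run as LocalSystem. The function name Test-InteractiveSystemService is hypothetical.

```powershell
# Added example: find services allowed to interact with the desktop
# while running as LocalSystem.
$SERVICE_INTERACTIVE_PROCESS = 0x100   # flag bit in the service's Type value
$SERVICE_WIN32               = 0x30    # own-process (0x10) | share-process (0x20)
$servicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Test-InteractiveSystemService {
    param(
        [int]$Type,
        [string]$ObjectName
    )
    $interactive = ($Type -band $SERVICE_INTERACTIVE_PROCESS) -ne 0
    # Assumption: a Win32 service with no ObjectName value runs as LocalSystem,
    # matching the CreateService default when no account is given.
    $isSystem = [string]::IsNullOrEmpty($ObjectName) -or
                ($ObjectName -match '^(\.\\)?LocalSystem$')
    return ($interactive -and $isSystem)
}

$findings = foreach ($key in Get-ChildItem -Path $servicesKey -ErrorAction SilentlyContinue) {
    $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
    if ($null -eq $props -or $null -eq $props.Type) { continue }

    # Skip kernel and file-system drivers; only Win32 services are relevant here.
    if (($props.Type -band $SERVICE_WIN32) -eq 0) { continue }

    if (Test-InteractiveSystemService -Type $props.Type -ObjectName $props.ObjectName) {
        $account = if ($props.ObjectName) { $props.ObjectName } else { 'LocalSystem' }
        [pscustomobject]@{
            Service   = $key.PSChildName
            Type      = '0x{0:X}' -f $props.Type
            Account   = $account
            ImagePath = $props.ImagePath
        }
    }
}

# Each row is a service whose windows, including file open/save dialogs,
# would act with LocalSystem rights if shown to a logged-on user.
$findings | Sort-Object Service | Format-Table -AutoSize
```

Any service listed here should be reviewed for a split design in which the privileged service has no UI and a separate unprivileged process in the user's session provides the GUI.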