October 20th, 2004, 11:42 PM
SP2 firewall vulnerability
Hi ppl, I'm no expert on this issue, but a friend of mine gave me this link today and I didn't know if this issue has already been discussed here, so here it is in case for whatever reason it hasn't.
Cheers to u all!
I removed the link because it showed how to make the vulnerability work and exploit it, so I'm just gonna show the explanatory text itself; if it's allowed for me to post the URL I will. (As if it isn't easy with Google...)
Windows XP Service Pack 2 incorporates many enhancements to try to better protect systems from malware and other forms of attacks. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this Firewall is the ability to allow users to decide what applications can listen on the network. By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry you aspiring Trojan developers, you're still going to be able to Trojan consumer and corporate systems to your heart's content.
Cheers ppl, and if this was already discussed I'm sorry for the delay.
Attached to this advisory is proof of concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test if the Firewall has been bypassed (it is!) telnet from another machine to the target machine on port 333 and if you're connected, then you've successfully bypassed the Windows XP Service Pack 2 Firewall.
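The advisory quoted above turns on the SP2 firewall's per-application exception list: whatever is on that list (sessmgr.exe among the defaults) is allowed to accept inbound connections. From a defender's side the useful check is therefore to audit that list against a known baseline. The script below is an added example written for this thread, not code from the advisory or from Microsoft. It assumes the exception entries have been exported from the SP2 firewall's AuthorizedApplications list, where each value has the form "path:scope:status:name"; the entries and the baseline here are constructed sample data, and the svch0st.exe entry is a deliberately suspicious fake.

```python
"""Audit Windows XP SP2 firewall application exceptions for entries that
should not be there. Sample data is constructed; the value format
"path:scope:status:name" is the one SP2 uses in its per-profile
AuthorizedApplications list (assumption stated in the lead-in)."""
from dataclasses import dataclass
from typing import Iterable, List, Set

# Constructed sample of exported exception values. The last one is a
# fake placed in a temp directory to show what a finding looks like.
SAMPLE_LIST = [
    r"%windir%\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\WINDOWS\system32\ftp.exe:LocalSubNet:Disabled:ftp",
    r"C:\Documents and Settings\user\Local Settings\Temp\svch0st.exe:*:Enabled:svch0st",
]

# Constructed baseline of executables the administrator has approved to
# listen. A real baseline would come from a clean reference install.
KNOWN_GOOD: Set[str] = {
    r"%windir%\system32\sessmgr.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
}

# Directories from which a listening program is rarely legitimate.
SUSPICIOUS_DIRS = ("\\local settings\\temp\\", "\\temp\\", "\\documents and settings\\")


@dataclass
class FirewallException:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_exception(value: str) -> FirewallException:
    """Split "path:scope:status:name". Both the path (drive letter) and the
    display name may contain colons, so anchor on the status token instead
    of splitting a fixed number of times from either end."""
    parts = value.split(":")
    status_idx = next(
        (i for i, p in enumerate(parts) if p.lower() in ("enabled", "disabled")), None
    )
    if status_idx is None or status_idx < 2:
        raise ValueError(f"not a firewall exception value: {value!r}")
    return FirewallException(
        path=":".join(parts[: status_idx - 1]),
        scope=parts[status_idx - 1],
        enabled=parts[status_idx].lower() == "enabled",
        name=":".join(parts[status_idx + 1 :]),
    )


def _norm(path: str) -> str:
    """Case-insensitive, backslash-normalised form for comparison."""
    return path.lower().replace("/", "\\")


def audit(values: Iterable[str], known_good: Set[str]) -> List[str]:
    """Return the paths of enabled exceptions that are either absent from
    the baseline or located somewhere a listener is not expected."""
    baseline = {_norm(p) for p in known_good}
    findings: List[str] = []
    for value in values:
        exc = parse_exception(value)
        if not exc.enabled:
            continue  # a disabled entry does not accept inbound connections
        p = _norm(exc.path)
        if p not in baseline or any(d in p for d in SUSPICIOUS_DIRS):
            findings.append(exc.path)
    return findings


if __name__ == "__main__":
    for path in audit(SAMPLE_LIST, KNOWN_GOOD):
        print("unexpected firewall exception:", path)
```

The check deliberately ignores disabled entries and treats anything outside the baseline as a finding rather than trying to recognise bad names; the point of the thread is that the exception list is only as trustworthy as what is already running on the box, so the list itself is what has to be reviewed.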
October 21st, 2004, 01:10 PM
This is originally from bugtraq. Just got the mail a few days back. *Hint* for trojan developers
October 22nd, 2004, 08:02 PM
Well, the original is far longer, and it's been posted to Usenet as well as SecurityFocus already. A point that's been made in the article is that W2k and WXP share many similarities, but MS isn't going to release any patches for their 'defunct' OSes, which leaves very many organizations' servers/computers vulnerable.
That's the thing with MS: if they don't want to release a fix, nobody else can.
October 22nd, 2004, 08:39 PM
By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans
Vulnerable? Nobody is vulnerable to this "flaw". If a trojan got on your machine, you've already been compromised and are vulnerable somewhere else. ICF has never been beaten on the inbound connection, AFAIK. Unless you can bypass the firewall from the outside, this report really doesn't mean anything.
A point that's been made in the article is that W2k and WXP share many similarities, but MS isn't going to release any patches for their 'defunct' OSes, which leaves very many organization servers/computers vulnerable.
If you've got a trojan, then something else needs fixing, not the firewall. Of course, this should be patched, but it hardly makes anyone vulnerable. Why even fight the firewall? Use a reverse bind shell.
October 23rd, 2004, 07:39 AM
Also, IIRC, you have to be running as admin for the "vulnerability" to work. IMHO, if you're running as admin, any program could just disable the firewall, therefore, the vulnerability has no credibility.
October 23rd, 2004, 11:36 AM
Well, as I said, that idea [of vulnerability backwards compatibility] was expressed in the full article. But IIRC from reading it, it does not deal solely with 'this' problem, but more generally with anything that was discovered about WinXP that is, most likely, a problem in 2k as well. I guess it was the author's little blurb, and I admit to maybe having expressed it a bit too vaguely in my previous post... thanks for bringing that to my attention.