Thread: Multiple Firewall Products Bypass Vulnerability

  1. #1 Junior Member (joined Dec 2003, 1 post)

    Multiple Firewall Products Bypass Vulnerability

    http://ferruh.mavituna.com/article/?769

    Most personal firewalls allow shortcuts or an interface for controlling traffic. It's simple to bypass these firewalls with a multithreaded program that sends keys or controls the mouse.

    This flaw means that any Trojan or similar program can easily bypass the firewall and act as a server or access another computer. Also, most of these firewalls have a "remember" option, so if you bypass the firewall and successfully exploit it, the firewall will never ask again.

    This is a similar threat to shatter attacks, but with a different method and impact.

    Vulnerable Products (Sending Key Method and Mouse Control):
    These products are vulnerable to both the "Sending Key Method" and the "Mouse Control Method".

    Test Platforms:
    Fully patched Windows XP Professional and Windows 2003 Enterprise Edition (May 19, 2004 - 01.01.2005)


    ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
        4.5.530.000 - Tested
        4.5.538.001 - Tested
        5 and newer versions are not vulnerable...
    Kerio (www.kerio.com)
        4.0.14 - Tested
        All Versions
    Agnitium Outpost Firewall (www.agnitium.com)
        2.1.303.4009 (314) - Tested
        2.5.369.4608 (369) - Tested
        All Versions
    Kaspersky Anti-Hacker (www.kaspersky.com)
        1.5.119.0 - Tested
        All Versions
    Look 'n' Stop (www.looknstop.com)
        2.04p2 - Tested
        All Versions
    Symantec's Norton Personal Firewall (www.norton.com)
        2004 - Tested
        All Versions
    Vulnerable Products (Mouse Control):
    These products are only vulnerable to the "Mouse Control Method", because they don't accept shortcuts but are still vulnerable to "Mouse Control" attacks.

    Panda Platinum Internet Security
        8.03 (tested)
        All Versions
    Omniquad Personal Firewall
        1.1 (tested)
        All Versions



    Proof of Concept:
    Two proofs of concept are attached to the advisory (also some other POCs for some firewalls).

    The first POC (bypassSendKey.vbs) is written in VBScript (.vbs). This POC includes the required samples for ZoneAlarm, Kerio, Agnitium, Kaspersky Anti-Hacker, Look 'n' Stop and Symantec's Norton Personal Firewall. The script executes an instance of itself for multithreading and sends shortcuts to the firewall while the first instance tries to connect to the internet. I didn't write an auto-detect firewall function (but it's so easy), so you need to set it yourself.

    The second (bypassMouseControl.txt) simulates an example of bypassing Zone Alarm Firewall with mouse control; the code is in VB.NET. The program does not use real multithreading because some firewalls interrupt execution of the program directly, so the program executes another instance of itself with an argument.

    Both of them add themselves to the firewall's secure application list and then bypass the active firewall.

    I also attached testFirewall.vbs for testing your firewall's application control.

    Solution:
    All firewalls should ask for a password for all kinds of "Allow" actions. In fact passwords can be fooled because of their nature, but it is the best user-friendly / secure solution for protection.

    As a user of these firewalls, if your firewall supports a "deny all by default" option, enable it, so your firewall denies all connections by default. After that you can manually select the programs you want to allow.

    Final Words:
    This is a methodology for bypassing interactive firewalls, so it's possible that this advisory affects other firewalls on the market. It's also possible that future firewalls will be affected too. I think for now this is a serious problem for firewalls, until they implement a password / random human-required text method for "Allow/Deny" actions.

    History:
    Discovered: 03.05.2004
    Vendors Informed: 28.08.2004
    Published: 03.01.2005

    Vendors Status:
    Special thanks to ZoneLabs Team.


    Ferruh Mavituna

    Web Application Security Specialist

  2. #2 Maestr0, Senior Member (joined May 2003, 604 posts)
    Cool. Some day Windows will build in an authentication mechanism for their window messaging. Someday.


    -Maestr0
    "If computers are to become smart enough to design their own successors, initiating a process that will lead to God-like omniscience after a number of ever swifter passages from one generation of computers to the next, someone is going to have to write the software that gets the process going, and humans have given absolutely no evidence of being able to write such software." -Jaron Lanier

  3. #3 zencoder, AO Senior Cow-beller, Moderator (joined Dec 2004, Mountain standard tribe., 1,177 posts)

    So I've read through this a few times, and I recognize the author isn't a native North American English speaker...not a problem at all, just acknowledging one hurdle to consider. I think I've pretty much understood his message...but I don't get it..."mouse control method"? "Sending key method"? What are these, specifically?

    I think it has to do with a pop-up window (example is Norton Personal Firewall asking if the user wants to allow a service that is trying to connect outbound) and exploit methods of this pop-up service. Can anyone offer a bit of insight for those of us whose focus lies elsewhere and didn't get this immediately?

    Thanx!
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  4. #4 Maestr0, Senior Member (joined May 2003, 604 posts)
    It has to do with the Windows messaging system which allows a window to "talk" to another window. You can simply get the handle of a Window and basically do whatever you want to it since there isn't any kind of security in the intercommunication. You could, say, change the bounds on a Text Box control and then paste shell code into it, overflowing a field the coder thought was safe, or send a MouseEvent that signifies the user has clicked the "OK, Always accept these outgoing connections to Evil Hackerville". At least that's what I assume he's used; f00n was the original author of these "shatter" type attacks and wrote some interesting stuff worth reading. This is why you don't see any text box controls in any processes that display Windows and run as Admin or System. You can't paste shellcode into a checkbox or buttons; at the time of f00n's paper there were some text fields in some AV products that could be shattered, and since most AV runs as Admin or System, this allowed a privilege escalation to that of the AV software. Nowadays most of the processes which display Windows on the desktop run in userland to avoid this kind of chicanery.

    -Maestr0

    PS. Dirtyrider correct me if I'm wrong, I just assumed it was this same window messaging system being exploited from your post.

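To make the "no security in the intercommunication" point concrete, here is an added example (not code from the thread or from any of the advisory's POCs) that models the XP-era message delivery rule beside the integrity-level message filter that Windows later shipped as User Interface Privilege Isolation (UIPI) in Vista. The `Window` objects, the integrity numbers and the exemption subset are constructed for the example; only the message names are real Win32 constants.

```python
# Added example: a simplified model of window-message delivery before and after
# UIPI. Integrity levels are modelled as plain integers (the real ones are SIDs).
from dataclasses import dataclass, field

LOW, MEDIUM, HIGH, SYSTEM = 1, 2, 3, 4

# A constructed subset of the messages UIPI passes regardless of integrity.
# The real exemption list is longer; this is just enough to show the shape.
ALWAYS_ALLOWED = {"WM_NULL", "WM_GETTEXTLENGTH"}


@dataclass
class Window:
    title: str
    integrity: int
    # Messages the owning process explicitly opted in to receive from lower
    # integrity, the equivalent of ChangeWindowMessageFilterEx(MSGFLT_ALLOW).
    opted_in: set = field(default_factory=set)


def deliver_pre_uipi(sender_integrity, window, msg):
    """XP-era rule the advisory relies on: any desktop process reaches any window."""
    return True


def deliver_uipi(sender_integrity, window, msg):
    """UIPI rule: a lower-integrity sender reaches a higher-integrity window only
    for exempt messages or ones the window's owner explicitly opted in to."""
    if sender_integrity >= window.integrity:
        return True
    return msg in ALWAYS_ALLOWED or msg in window.opted_in


def simulate_prompt_driving(deliver, prompt=None):
    """Replay the thread's scenario: a medium-integrity program tries to drive the
    firewall's Allow prompt with synthetic key and button messages.
    Returns the messages the delivery rule let through."""
    if prompt is None:
        prompt = Window("Firewall: allow outbound connection?", HIGH)
    attempt = ["WM_GETTEXTLENGTH", "WM_KEYDOWN", "WM_CHAR", "BM_CLICK"]
    return [m for m in attempt if deliver(MEDIUM, prompt, m)]


if __name__ == "__main__":
    print("pre-UIPI delivered:", simulate_prompt_driving(deliver_pre_uipi))
    print("UIPI delivered:    ", simulate_prompt_driving(deliver_uipi))
    # An owner that opts a control message back in reopens exactly that hole.
    leaky = Window("Firewall prompt (opted in BM_CLICK)", HIGH, {"BM_CLICK"})
    print("UIPI, opted in:    ", simulate_prompt_driving(deliver_uipi, leaky))
```

The filter only helps when the prompt actually runs at a higher integrity than the program it is asking about; a prompt running at the same level as the requester is reachable under both rules, which is why the advisory's "deny all by default" and password advice still matters.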
  5. #5 zencoder, AO Senior Cow-beller, Moderator (joined Dec 2004, Mountain standard tribe., 1,177 posts)

    Awesome Maestr0, thanks! That answered it perfectly. The key word that might have helped me was 'shatter', I guess. Yes, certainly not my area of expertise.

    That makes tremendous sense now...interprocess authorization...in the same arena as the NSA's SELinux code.
