XP SP2 Firewall Backdoor

  1. #1
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883

    XP SP2 Firewall Backdoor

    I saw this on Bugtraq and I made some minor tweaks for clarity.

    "By adding a new key to the registry in HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List/ [add apps here] you can circumvent the whole purpose of the firewall without the user's interaction or knowledge. Spyware / Adware manufacturers are already doing this."

    Originally from here:
    http://habaneronetworks.com/viewArticle.php?ID=144

    Has anyone tested this yet? I haven't had the time lately so I'm hoping that some of my pals here can get it checked out. If this works as I suspect it does, a lot of end users are in deep trouble.

    **UPDATE**
    YIKES. I tested it and it DOES work. The registry edits do not show up in the exceptions list within the firewall app either. Time to take action. While I don't see this as a firewall vulnerability, but rather a permissions issue, I cannot blame MS completely but like anything else, you have to assume the end user is a complete retard and incapable of protecting themselves or the PC they are using.




    --TH13
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden

  2. #2
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126
    It's true, but the registry keys are read-only except for administrator, but we all know all users are running as administrator. By the way, those are the keys that you can use to configure your firewall settings by group policy. That's the real reason they exist.
    -Simon "SDK"

  3. #3
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,403
    Yep. I don't consider this a backdoor or even a bug. An administrator is supposed to be able to configure the firewall. That's the whole point of being an administrator.

    I found a similar one. If I log in as root on my linux/bsd/solaris/aix/whatever I can remove the /etc directory and screw up my machine. Duh!

    Originally posted here by thehorse13
    {...} a lot of end users are in deep trouble.
    They're already in trouble. They're all surfing the net as administrator...
    Oliver's Law:
    Experience is something you don't get until just after you need it.

  4. #4
    AO Senior Cow-beller
    Moderator
    zencoder's Avatar
    Join Date
    Dec 2004
    Location
    Mountain standard tribe.
    Posts
    1,177
    Well...I think this is simply an area that needs to be addressed by 'protection' software. MS Antispyware, Lavasoft Ad-Aware, and Spybot SD (as well as all the others) should be reporting stuff like this when they scan the registry.

    TH13, your mission, should you choose to accept it, is to now scan your system and report if the said applications (or others of your choosing) do recognize this differing firewall 'policy' and notify the user. It looks like a setting that can be easily exploited by malicious applications (when a user surfs as Admin...duh. Thank God...well, I guess we should Thank Bill...for RUNAS.)
    "Data is not necessarily information. Information does not necessarily lead to knowledge. And knowledge is not always sufficient to discover truth and breed wisdom." --Spaf
    Anyone who is capable of getting themselves made president should on no account be allowed to do the job. --Douglas Adams (1952-2001)
    "...people find it far easier to forgive others for being wrong than being right." - Albus Percival Wulfric Brian Dumbledore

  5. #5
    Master-Jedi-Pimps0r & Moderator thehorse13's Avatar
    Join Date
    Dec 2002
    Location
    Washington D.C. area
    Posts
    2,883
    Spybot's realtime agent does report this kind of foolery. I have yet to try the MS antispyware realtime agent.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
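
The kind of registry check discussed in the posts above, as an added example that is not part of the original thread: it audits the values under the AuthorizedApplications\List key from the first post against an approved baseline, since such entries may not appear in the firewall's exceptions list. The value data layout (`path:scope:Enabled|Disabled:name`), the baseline, and the sample entries are assumptions constructed for illustration.

```python
import re
import sys

# Key from the first post (under HKEY_LOCAL_MACHINE), written with backslashes.
KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
       r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Assumed value data layout: <exe path>:<scope>:<Enabled|Disabled>:<display name>.
# The path contains a colon itself (drive letter), hence the lazy first group.
ENTRY = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>enabled|disabled):(?P<name>.*)$",
    re.IGNORECASE)

# Constructed sample data and baseline (hypothetical paths, not from the thread).
SAMPLE = [
    r"C:\WINDOWS\system32\sessmgr.exe:*:Enabled:Remote Assistance",
    r"C:\Program Files\Example\updater.exe:*:Enabled:updater",
    r"C:\Program Files\Old\tool.exe:LocalSubNet:Disabled:tool",
    "garbage",
]
BASELINE = [r"C:\WINDOWS\system32\sessmgr.exe"]

def read_live_entries():
    """Return the value data strings stored under KEY (Windows only)."""
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, KEY) as key:
        count = winreg.QueryInfoKey(key)[1]
        return [str(winreg.EnumValue(key, i)[1]) for i in range(count)]

def audit(entries, baseline):
    """Return (item, reason) for every entry the baseline does not explain."""
    approved = {p.lower() for p in baseline}
    findings = []
    for data in entries:
        m = ENTRY.match(data)
        if m is None:
            findings.append((data, "unparseable entry"))
        elif m["state"].lower() == "enabled" and m["path"].lower() not in approved:
            findings.append((m["path"], f"enabled, scope {m['scope']}, not in baseline"))
    return findings

if __name__ == "__main__":
    entries = read_live_entries() if sys.platform == "win32" else SAMPLE
    for item, reason in audit(entries, BASELINE):
        print(f"{item}: {reason}")
```

Disabled entries are skipped because they do not open the firewall; paths are compared case-insensitively, as Windows paths are.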

  6. #6
    Senior Member
    Join Date
    Oct 2003
    Location
    MA
    Posts
    1,053
    Yeah, it's not really a backdoor because the front door was left wide open. I didn't realise it was only a reg key!
