Lies, Betrayal, and Misplaced Trust?

[Relyt]

Oh, My Beloved Software Firewall, protector of all my treasures and secrets, why do you let me down so? After all the advertisements and promises of security and protection, you are so easily fooled! I would tend to believe that you were a naive child instead of a stalwart sentry.

Despite much of the publicity to the contrary, whether that be on the Internet or elsewhere, many of those Software Firewalls you depend upon to protect you from the nasty deviants, may not be as secure as we are led to believe.

Someone didn't hack into my home network (yet – that I have detected anyway). However even while some of the “free” versions of Software Firewalls are suppose to be standing guard, it would be a trivial matter if my security relied solely upon those firewalls. I guess the tired old adage, “You get what you pay for”, most definitely applies in this case.

This won't be a step-by-step guide on how to exploit software firewalls. So don't expect to be able to take this information and bypass those firewalls without being detected. Additionally, you will still need to have a thorough understanding of the OSI Layers, TCP/IP, Protocols etc., and their interaction with the firewall drivers. Anyway, so off we go...


1. Some Vulnerabilities.

While tinkering with these vulnerabilities, I found myself reflecting back in the day when we would work some magic with: Relyt@play: #nc -1 -p (some port number) -e /bin/sh or for the Windows command line commandos: C:\>nc -1 -p (some port number) -e cmd.exe. Of course we didn't do any harm, but changing your buddy's prompt and leaving him a message about what you could have done sure was fun! Nowadays, seems the fun has given way to wreaking havoc and destruction. Anyhow here's some of the ways they are accomplishing their dirty deeds.


Tucked away in your clandestine state, we are told that you will nobly examine all packets. Well every day must be Halloween, because as long as you see a mask that you are accustomed to seeing, you'll let almost anything pass!


Packet Filter: Spoofing packets with an address that appears to come from within your own network (private address, etc.). Trivial with packet building software.


Process/Application Filter: piggyback deviant process (code) to a common process accepted by the firewalls. Pick one...in essence; the common process will execute the code of the deviant process simultaneously. Another easy method is to mask deviant code to fool the firewall or even disable it.

“As soon as the user gives trust to an executable, he also gives trust to any processes that has been created from that executable...The firewall trusts a certain process as long as the executable that created it remains the same.” (www.phrack.org/show.php?p=62&a=13, Using Process Infection to Bypass Windows Software Firewalls; by rattle)


TCP/IP: Data can be hidden in several of the fields of the headers. Such as Sequence Number, Acknowledgement Number, IP Addee, etc. (See Sedative Section)


Camouflaging Applications: make it look like something that is normally accepted by the rule sets of the firewalls. Normal Web traffic is an outstanding example of this.


Steganography, Watermarking, etc. – Malicious programs can be transmitted, in a passive existence, meaning they cannot automatically execute. However Stego does offers a convenient place to store the payload while awaiting use.


WWW Reverse – These shell programs are difficult to detect due to its semblance of normal Web Traffic.


Direct Data Exchange - Interprocess Communications:

http://www.security.nnov.ru/Jdocument825.html

From:
Debasis Mohanty <mail_@_hackingspirits.com>
Date: 29.09.2005
Subject: Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC


“...I found that a very old flaw still exists in many latest versions of desktop based firewalls. It is possible for a malicious program to bypass a desktop based firewall by using DDE-IPC (Direct Data Exchange - Interprocess Communications) which enables an un-trusted program to communicate with the attacker or access internet via other trusted programs...”

[Full-disclosure] Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC"

Zone Labs Security Team security at zonelabs.com
Fri Sep 30 00:43:00 BST 2005
Zone Labs response to "Bypassing Personal Firewall

Affected Products:

“...Zone Alarm free versions lack the “Advanced Program Control” feature and are therefore unable to prevent this bypass technique...”

Firewar: Can remotely disable firewalls. Written by Paolo Iorio www.paoloiorio.it/fw.htm

It is a security exploit which can disable the protection of your active firewall!

FIREWAR is available in two versions:

1) A standalone application that can be executed locally by any user,
2) An ActiveX (included in a Web Page) which can disable your firewall when you visit a site!

2. Sedative Section.

A. TCP Segment Format and Size:

Source Port (16bit), Destination Port (16bit),Sequence Number (32bit), Acknowledgment Number (32bit), HLEN (number of 32bit words in the header) (4bit)), Reserved (6bit), Code Bits (6bits), Window (16bit), Checksum (16bit), Urgent Pointer (16bit), Option (0 or 32bit), Data (variable).


B. UDP Segment Format and Size:

Source Port (16bit), Destination Port (16bit), Length (16bit), Checksum (16bit), Data (variable)


C. IP Datagram and Size:

Version Number (4bit), HLEN (number of 32bit words in the header) (4bit), Type of Service (8bit), Total Length (header & data) (16bit), Identification (16bit), Flags (3bit), Flag Offset (13bit), TTL (8bit), Protocol (8bit), Header Checksum (16bit), Source IP (32bit), IP Options (variable), Data (variable).



3. Nuts and Bolts of Many Software Firewalls.

After perusing the posts (up to the end of page 4) of the Purpose of personal firewalls? thread and gleaning the information of value, I really didn't get the feeling that some folks were implementing those Software Firewalls based upon a clear understanding of the firewall's functionality. So thought I'd break out the crayons and scribble something up.

Located somewhere between the receptacles on the back of your computer that lead to the Internet and those ever useful applications we rely upon so much; lies the hope and trust of many a Internet User. That object of trust is the Software Firewall. Though they have many brand names, differing popularity, some pretty interfaces, and so on, in essence most of these mystical creatures are actually only packet and/or process/application filter implementations. That's correct. And worse, – using only a couple of drivers to protect your treasures from the ever present evil souls running loose on the Internet. Anyway, back to functionality.


A. Application/Process Filter Functionality.

Allows network connections for approved applications and attempts to block unknown/deviant applications. Driver strategically located between an application/process and the Routing (transport) Protocols.

Google for more information.


B. Packet Filter Functionality.

Allows or Denies packet access based on packet header information. Usually only IP Addresses, Ports, Flags, and Network Protocols. Driver strategically located after the protocols drivers and the NIC driver and/or between the Routing Protocols and Physical Layer.


“Packet Filtering: A basic ACL firewall operating at the Network or Transport level.” (by Catch)

Google for more information.



4. Great! So what do we do now?

Coming Soon!



References:

- Cisco Networking Companion Guides First & Second Year; Cisco Press
- Secrets of Computer Espionage, Tactics and Countermeasures; by Joel NcNamara
- Hiding in Plain Sight, Steganography and the Art of Covert Communication; by Eric Cole
- Various Authors and Sites mentioned in the text.

[zencoder]

Looks like a good start. I can't wait to read the "Coming Soon!" bits.