-
XP SP2 Firewall Backdoor
I saw this on Bugtraq and I made some minor tweaks for clarity.
"By adding a new key to the registry in HKEY_LOCAL_MACHINE/SYSTEM/CurrentControlSet/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List/ [add apps here] you can circumvent the whole purpose of the firewall without the user's interaction or knowledge. Spyware / Adware manufacturers are already doing this."
Originally from here:
http://habaneronetworks.com/viewArticle.php?ID=144
Has anyone tested this yet? I haven't had the time lately so I'm hoping that some of my pals here can get it checked out. If this works as I suspect it does, a lot of end users are in deep trouble.
**UPDATE**
YIKES. I tested it and it DOES work. The registry edits do not show up in the exceptions list within the firewall app either. Time to take action. While I don't see this as a firewall vulnerability, but rather a permissions issue, I cannot blame MS completely, but, like anything else, you have to assume the end user is a complete retard and incapable of protecting themselves or the PC they are using.
--TH13
-
It's true, but the registry keys are read-only except for administrators, but we all know all users are running as administrator. By the way, those are the keys that you can use to configure your firewall settings by group policy. That's the real reason they exist.
-
Yep. I don't consider this a backdoor or even a bug. An administrator is supposed to be able to configure the firewall. That's the whole point of being an administrator.
I found a similar one. If I log in as root on my linux/bsd/solaris/aix/whatever I can remove the /etc directory and screw up my machine. Duh!
Quote:
Originally posted here by thehorse13
{...} a lot of end users are in deep trouble.
They're already in trouble. They're all surfing the net as administrator...
-
Well...I think this is simply an area that needs to be addressed by 'protection' software. MS Antispyware, Lavasoft Ad-Aware, and Spybot SD (as well as all the others) should be reporting stuff like this when they scan the registry.
TH13, your mission, should you choose to accept it, is to now scan your system and report if the said applications (or others of your choosing) do recognize this differing firewall 'policy' and notify the user. It looks like a setting that can be easily exploited by malicious applications (when a user surfs as Admin...duh. Thank God...well, I guess we should thank Bill...for RUNAS.)
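As an added audit example (my own Python, not code from the thread, the scanners named above, or Microsoft): it parses a `reg export` of the key TH13 quoted and flags the kind of exception a scanner ought to report, such as an entry pointing into a temp directory or a system-binary name outside the Windows directory. The `.reg` text, paths and names below are constructed; the path:scope:state:name layout of each value is the one SP2 writes for those entries.

```python
import re
# Constructed sample of a "reg export" of the SP2 exception list; paths and names are invented.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"%windir%\\system32\\sessmgr.exe"="%windir%\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe"="C:\\Documents and Settings\\user\\Local Settings\\Temp\\svchost.exe:*:Enabled:Windows Update"
'''
# A .reg string value line is "name"="data", with \\ and \" escaped inside.
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
USER_WRITABLE = ('\\temp\\', '\\local settings\\', '\\documents and settings\\')
WINDOWS_DIRS = ('%windir%', '%systemroot%', 'c:\\windows\\')
SYSTEM_NAMES = ('svchost.exe', 'lsass.exe', 'csrss.exe')

def split_entry(data):
    # Data is path:scope:state:name; a drive letter's own colon stays with the path.
    drive = data[:2] if data[1:3] in (':\\', ':/') else ''
    path, scope, state, name = data[len(drive):].split(':', 3)  # ValueError if malformed
    return drive + path, scope, state, name

def parse_exceptions(reg_text):
    # One dict per value found under the ...\AuthorizedApplications\List key.
    entries, in_key = [], False
    for line in reg_text.splitlines():
        if line.startswith('['):
            in_key = line.rstrip(']').endswith('AuthorizedApplications\\List')
            continue
        m = VALUE_RE.match(line)
        if not (in_key and m):
            continue
        try:
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
            path, scope, state, name = split_entry(data)
        except ValueError:
            continue
        entries.append({'path': path, 'scope': scope, 'name': name,
                        'enabled': state.lower() == 'enabled'})
    return entries

def flag_suspicious(entries):
    # (path, reasons) for enabled exceptions that look self-granted by malware.
    flagged = []
    for e in entries:
        p, reasons = e['path'].lower(), []
        if any(d in p for d in USER_WRITABLE):
            reasons.append('runs from a user-writable location')
        if p.rsplit('\\', 1)[-1] in SYSTEM_NAMES and not p.startswith(WINDOWS_DIRS):
            reasons.append('system binary name outside the Windows directory')
        if e['enabled'] and reasons:
            flagged.append((e['path'], reasons))
    return flagged
```

On a real box the input would come from `reg export` of that key; the two heuristics are a starting point, and an allowlist of the exceptions you actually expect is the stronger check.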
-
Spybot's realtime agent does report this kind of foolery. I have yet to try the MS antispyware realtime agent.
-
Yeah, it's not really a backdoor because the front door was left wide open. I didn't realise it was only a reg key!