Velocity Reviews - Computer Hardware Reviews

Software Firewall Vulnerabilities

 
 
donnie
      12-28-2004
Below is an excerpt from phrack.com. In the latest phrack issue
there are a few articles on bypassing firewalls by accessing memory
space on a remote machine or injecting code into a trusted process.
Note the result of the tested software firewalls. There is more to a
software firewall than blocking ports.


http://www.phrack.org/show.php?p=62&a=13

To sum everything up: We will create a binary executable that
carries the injection code as well as the code that has to be
injected in order to bypass the software firewall. Or, speaking
in high-level programming terms: We will create an exe file that
holds two functions, one to inject code to a trusted process
and one function to be injected.


The sample code presented in this little paper will give you a
tiny executable that runs in RING3. I am certain that most
software firewalls contain kernel mode drivers with the ability
to perform more powerful tasks than this injector executable.
Therefore, the capabilities of the bypass code are obviously
limited. I have tested the bypass against several software
firewalls and got the following results:

Zone Alarm 4 vulnerable
Zone Alarm Pro 4 vulnerable
Sygate Pro 5.5 vulnerable
BlackIce 3.6 vulnerable
Tiny 5.0 immune

Tiny alerts the user that the injector executable spawns the
browser process, trying to access the network this way. It looks
like Tiny simply acts exactly like all the other software
firewalls do, but it is just more careful. Tiny also hooks API
calls like CreateProcess() and CreateRemoteThread() - thus, it
can protect its users from this kind of bypass.
##########################
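The Phrack excerpt above makes one point: a per-application firewall that only checks which executable owns the socket is fooled as soon as an untrusted program spawns a trusted one, or drops a thread into it. The following is an added example, not code from this post or from the Phrack article. It replays constructed Sysmon-style event records (ID 1 ProcessCreate, ID 8 CreateRemoteThread, ID 3 NetworkConnect) through two decision functions: the naive image-only check, and a lineage-aware check of the kind the post credits Tiny with (refusing a browser that an untrusted parent launched or that received a remote thread). The allow lists, file paths, PIDs and events are assumptions made up for the example.

```python
"""Per-application firewall decisions with and without process lineage.

Added example, not code from the original post or the Phrack article.
Event shapes follow Sysmon event IDs 1 (ProcessCreate), 8 (CreateRemoteThread)
and 3 (NetworkConnect); every record below is constructed, not captured.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Assumed paths for the example.
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EXPLORER = r"C:\WINDOWS\explorer.exe"
INJECTOR = r"C:\Documents and Settings\user\injector.exe"

# Assumed firewall policy: only the browser may reach the network, and only
# the shell is an acceptable parent for it.
TRUSTED_IMAGES = {IE}
TRUSTED_PARENTS = {EXPLORER}


@dataclass
class ProcState:
    image: str
    parent_image: Optional[str] = None                          # from event 1
    remote_threads_from: List[str] = field(default_factory=list)  # from event 8


def naive_decision(image: str) -> str:
    """The check the Phrack tests beat: trust the socket if the image is trusted."""
    return "allow" if image in TRUSTED_IMAGES else "block"


def lineage_decision(pid: int, procs: Dict[int, ProcState]) -> Tuple[str, str]:
    """Trusted image AND trusted parent AND no remote thread from an untrusted image."""
    p = procs.get(pid)
    if p is None or p.image not in TRUSTED_IMAGES:
        return "block", "image not on the allow list"
    if p.parent_image is not None and p.parent_image not in TRUSTED_PARENTS | TRUSTED_IMAGES:
        return "block", f"spawned by untrusted {p.parent_image}"
    for src in p.remote_threads_from:
        if src not in TRUSTED_IMAGES:
            return "block", f"remote thread created by {src}"
    return "allow", "trusted image with clean lineage"


def process_events(events):
    """Feed events in order; return one decision per network-connect event."""
    procs: Dict[int, ProcState] = {}
    decisions = []
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:   # process creation: remember who spawned whom
            procs[ev["ProcessId"]] = ProcState(ev["Image"], ev["ParentImage"])
        elif eid == 8: # CreateRemoteThread: remember who touched the target
            tgt = procs.setdefault(ev["TargetProcessId"], ProcState(ev["TargetImage"]))
            tgt.remote_threads_from.append(ev["SourceImage"])
        elif eid == 3: # outbound connection: decide both ways
            verdict, reason = lineage_decision(ev["ProcessId"], procs)
            decisions.append({"pid": ev["ProcessId"], "image": ev["Image"],
                              "naive": naive_decision(ev["Image"]),
                              "lineage": verdict, "reason": reason})
    return decisions


DEST = {"DestinationIp": "203.0.113.10", "DestinationPort": 80}
SAMPLE_EVENTS = [  # constructed
    # Normal use: the shell starts the browser, the browser connects.
    {"EventID": 1, "ProcessId": 2000, "Image": IE, "ParentProcessId": 1200, "ParentImage": EXPLORER},
    {"EventID": 3, "ProcessId": 2000, "Image": IE, **DEST},
    # Untrusted program connects by itself: any per-app rule stops this.
    {"EventID": 1, "ProcessId": 3000, "Image": INJECTOR, "ParentProcessId": 1200, "ParentImage": EXPLORER},
    {"EventID": 3, "ProcessId": 3000, "Image": INJECTOR, **DEST},
    # Bypass 1 (as in the excerpt): injector spawns its own browser and injects into it.
    {"EventID": 1, "ProcessId": 3100, "Image": IE, "ParentProcessId": 3000, "ParentImage": INJECTOR},
    {"EventID": 8, "SourceProcessId": 3000, "SourceImage": INJECTOR, "TargetProcessId": 3100, "TargetImage": IE},
    {"EventID": 3, "ProcessId": 3100, "Image": IE, **DEST},
    # Bypass 2: injector puts a thread into the browser the user already started.
    {"EventID": 8, "SourceProcessId": 3000, "SourceImage": INJECTOR, "TargetProcessId": 2000, "TargetImage": IE},
    {"EventID": 3, "ProcessId": 2000, "Image": IE, **DEST},
]

if __name__ == "__main__":
    for d in process_events(SAMPLE_EVENTS):
        print(f"pid {d['pid']:<5} naive={d['naive']:<5} lineage={d['lineage']:<5} ({d['reason']})")
```

Run as-is and the two bypass connections come out "allow" from the naive check and "block" from the lineage check; the plain injector connection is blocked by both. The lineage check is only as good as its visibility: it needs the process-create and remote-thread events from inside the kernel, which is why the excerpt notes that a firewall hooking CreateProcess() and CreateRemoteThread() could catch this and a ring-3-only check cannot.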


 
rinse cycle
      12-28-2004

"donnie" <> wrote in message
news:...
[]
> ... accessing memory space on a remote machine or
> injecting code into a trusted process.

[]
> http://www.phrack.org/show.php?p=62&a=13
> To sum everything up: We will create a binary executable that
> carries the injection code as well as the code that has to be
> injected in order to bypass the software firewall.

[]

Can you say 'duh'?

What good is a software firewall if you allow untrusted executables?

--
RC


 
SteveB
      12-28-2004
Firefox on that phrack link comes up with "The procedure entry point
PL_DHashTableFinish could not be located in dynamic link library xpcom.dll",
then the site displays after OKing this. Funny business or what? Is the
site trying to use IE to do nasties?



"rinse cycle" <> wrote in message
news:...
>
> "donnie" <> wrote in message
> news:...
> []
>> ... accessing memory space on a remote machine or
>> injecting code into a trusted process.

> []
>> http://www.phrack.org/show.php?p=62&a=13
>> To sum everything up: We will create a binary executable that
>> carries the injection code as well as the code that has to be
>> injected in order to bypass the software firewall.

> []
>
> Can you say 'duh'?
>
> What good is a software firewall if you allow untrusted executables?
>
> --
> RC
>
>



 
bowgus
      12-28-2004
Hiya ... yer use of trusted process. For me a trusted process is a (kernel)
process running in a trusted OS. And that (in a nutshell) is an OS that
implements mandatory (system managed) vs discretionary (user managed) access
control (e.g. SE Linux on top of whatever with users, domains, types etc).
Anything less (i.e. M$) is ... futile.

"donnie" <> wrote in message
news:...
> Below is an excerpt from phrack.com. In the latest phrack issue
> there are a few articles on bypassing firewalls by accessing memory
> space on a remote machine or injecting code into a trusted process.
> Note the result of the tested software firewalls. There is more to a
> software firewall than blocking ports.
>
>
> http://www.phrack.org/show.php?p=62&a=13
>
> To sum everything up: We will create a binary executable that
> carries the injection code as well as the code that has to be
> injected in order to bypass the software firewall. Or, speaking
> in high-level programming terms: We will create an exe file that
> holds two functions, one to inject code to a trusted process
> and one function to be injected.
>
>
> The sample code presented in this little paper will give you a
> tiny executable that runs in RING3. I am certain that most
> software firewalls contain kernel mode drivers with the ability
> to perform more powerful tasks than this injector executable.
> Therefore, the capabilities of the bypass code are obviously
> limited. I have tested the bypass against several software
> firewalls and got the following results:
>
> Zone Alarm 4 vulnerable
> Zone Alarm Pro 4 vulnerable
> Sygate Pro 5.5 vulnerable
> BlackIce 3.6 vulnerable
> Tiny 5.0 immune
>
> Tiny alerts the user that the injector executable spawns the
> browser process, trying to access the network this way. It looks
> like Tiny simply acts exactly like all the other software
> firewalls do, but it is just more careful. Tiny also hooks API
> calls like CreateProcess() and CreateRemoteThread() - thus, it
> can protect its users from this kind of bypass.
> ##########################
>
>



 