Computer Security - Software Firewall Vulnerabilities
#1

Below is an excerpt from phrack.com. In the latest phrack issue there are a few articles on bypassing firewalls by accessing memory space on a remote machine or injecting code into a trusted process. Note the result of the tested software firewalls. There is more to a software firewall than blocking ports.

http://www.phrack.org/show.php?p=62&a=13

To sum everything up: We will create a binary executable that carries the injection code as well as the code that has to be injected in order to bypass the software firewall. Or, speaking in high-level programming terms: We will create an exe file that holds two functions, one to inject code to a trusted process and one function to be injected.

The sample code presented in this little paper will give you a tiny executable that runs in RING3. I am certain that most software firewalls contain kernel mode drivers with the ability to perform more powerful tasks than this injector executable. Therefore, the capabilities of the bypass code are obviously limited. I have tested the bypass against several software firewalls and got the following results:

Zone Alarm 4 vulnerable
Zone Alarm Pro 4 vulnerable
Sygate Pro 5.5 vulnerable
BlackIce 3.6 vulnerable
Tiny 5.0 immune

Tiny alerts the user that the injector executable spawns the browser process, trying to access the network this way. It looks like Tiny simply acts exactly like all the other software firewalls do, but it is just more careful. Tiny also hooks API calls like CreateProcess() and CreateRemoteThread() - thus, it can protect its users from this kind of bypass.
##########################

donnie
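The excerpt names two host-observable behaviours: the injector spawning the browser process, and a thread being created in a trusted process from outside it (the CreateRemoteThread() call that Tiny hooks). The Python below is an added example, not code from this thread or from the Phrack article, showing how a host-based monitor could flag both from audit records. The record format, the field names (Image, ParentImage, SourceImage, TargetImage and the pid fields), the sample events and the allowlists are constructed assumptions for the illustration, not any product's real telemetry schema.

```python
import re
from typing import Dict, Iterable, List

# Constructed sample audit records (not real telemetry). Each line is an event
# type followed by key="value" fields, loosely modelled on process-creation and
# remote-thread-creation audit events; the field names are assumptions.
SAMPLE_EVENTS = [
    'type=ProcessCreate ParentImage="C:\\Windows\\explorer.exe" Image="C:\\Program Files\\Firefox\\firefox.exe" ParentPid=1200 Pid=3344',
    'type=ProcessCreate ParentImage="C:\\Users\\bob\\Downloads\\injector.exe" Image="C:\\Program Files\\Firefox\\firefox.exe" ParentPid=4100 Pid=4120',
    'type=CreateRemoteThread SourceImage="C:\\Users\\bob\\Downloads\\injector.exe" TargetImage="C:\\Program Files\\Firefox\\firefox.exe" SourcePid=4100 TargetPid=4120',
    'type=CreateRemoteThread SourceImage="C:\\Windows\\System32\\csrss.exe" TargetImage="C:\\Program Files\\Firefox\\firefox.exe" SourcePid=500 TargetPid=3344',
    'type=CreateRemoteThread SourceImage="C:\\Program Files\\Firefox\\firefox.exe" TargetImage="C:\\Program Files\\Firefox\\firefox.exe" SourcePid=3344 TargetPid=3344',
]

# Applications the firewall trusts to reach the network (assumed per-site list).
NETWORK_TRUSTED = {"firefox.exe", "iexplore.exe", "outlook.exe"}
# Parents that legitimately launch those applications (assumed).
EXPECTED_PARENTS = {"explorer.exe", "services.exe", "userinit.exe"}
# System components expected to create threads in other processes (assumed).
REMOTE_THREAD_ALLOWLIST = {"csrss.exe"}

FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Split one key=value record into a dict; quoted values may contain spaces."""
    return {key: quoted if quoted else bare for key, quoted, bare in FIELD_RE.findall(line)}


def basename(path: str) -> str:
    """Windows-style basename, lower-cased so comparisons ignore case and directory."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def evaluate(event: Dict[str, str]) -> List[str]:
    """Return human-readable findings for one event, or an empty list if it looks benign."""
    findings: List[str] = []
    kind = event.get("type")
    if kind == "ProcessCreate":
        child, parent = basename(event["Image"]), basename(event["ParentImage"])
        # The behaviour Tiny alerted on: a trusted network client was started
        # by something other than its usual parent.
        if child in NETWORK_TRUSTED and parent not in EXPECTED_PARENTS:
            findings.append(
                f"unexpected parent {parent} (pid {event['ParentPid']}) "
                f"spawned trusted client {child} (pid {event['Pid']})"
            )
    elif kind == "CreateRemoteThread":
        src, dst = basename(event["SourceImage"]), basename(event["TargetImage"])
        # A process creating a thread in itself is normal; only cross-process
        # thread creation into a trusted client from a non-allowlisted source counts.
        same_process = event["SourcePid"] == event["TargetPid"]
        if dst in NETWORK_TRUSTED and not same_process and src not in REMOTE_THREAD_ALLOWLIST:
            findings.append(
                f"{src} (pid {event['SourcePid']}) created a thread in "
                f"trusted client {dst} (pid {event['TargetPid']})"
            )
    return findings


def scan(lines: Iterable[str]) -> List[str]:
    """Run both rules over a stream of records and collect the alerts in order."""
    alerts: List[str] = []
    for line in lines:
        alerts.extend(evaluate(parse_event(line)))
    return alerts


if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run against the constructed records, only the two events involving injector.exe produce alerts; the csrss.exe thread and the browser's own thread pass because of the allowlist and the same-process check. The allowlists are the weak point of any such rule, which is why the excerpt's remark that Tiny is "just more careful" matters: the rule has to be tuned per host, not shipped as a fixed list.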
|
|
|
|
#2

"donnie" <> wrote in message news:...
[]
> ... accessing memory space on a remote machine or
> injecting code into a trusted process.
[]
> http://www.phrack.org/show.php?p=62&a=13
> To sum everything up: We will create a binary executable that
> carries the injection code as well as the code that has to be
> injected in order to bypass the software firewall.
[]

Can you say 'duh'?

What good is a software firewall if you allow untrusted executables?

--
RC

rinse cycle
|
|
|
#3

Firefox on that phrack link comes up with "The procedure entry point PL_DHashTableFinish could not be located in dynamic link library xpcom.dll" then the site displays after OKing this. Funny business or what? Is the site trying to use IE to do nasties?

"rinse cycle" <> wrote in message news:...
>
> "donnie" <> wrote in message
> news:...
> []
>> ... accessing memory space on a remote machine or
>> injecting code into a trusted process.
> []
>> http://www.phrack.org/show.php?p=62&a=13
>> To sum everything up: We will create a binary executable that
>> carries the injection code as well as the code that has to be
>> injected in order to bypass the software firewall.
> []
>
> Can you say 'duh'?
>
> What good is a software firewall if you allow untrusted executables?
>
> --
> RC
>

SteveB
|
|
|
#4

Hiya ... yer use of trusted process. For me a trusted process is a (kernel) process running in a trusted OS. And that (in a nutshell) is an OS that implements mandatory (system managed) vs discretionary (user managed) access control (e.g. SE Linux on top of whatever with users, domains, types etc). Anything less (i.e. M$) is ... futile

"donnie" <> wrote in message news:...
> Below is an excerpt from phrack.com. In the latest phrack issue
> there are a few articles on bypassing firewalls by accessing memory
> space on a remote machine or injecting code into a trusted process.
> Note the result of the tested software firewalls. There is more to a
> software firewall than blocking ports.
>
>
> http://www.phrack.org/show.php?p=62&a=13
>
> To sum everything up: We will create a binary executable that
> carries the injection code as well as the code that has to be
> injected in order to bypass the software firewall. Or, speaking
> in high-level programming terms: We will create an exe file that
> holds two functions, one to inject code to a trusted process
> and one function to be injected.
>
>
> The sample code presented in this little paper will give you a
> tiny executable that runs in RING3. I am certain that most
> software firewalls contain kernel mode drivers with the ability
> to perform more powerful tasks than this injector executable.
> Therefore, the capabilities of the bypass code are obviously
> limited. I have tested the bypass against several software
> firewalls and got the following results:
>
> Zone Alarm 4 vulnerable
> Zone Alarm Pro 4 vulnerable
> Sygate Pro 5.5 vulnerable
> BlackIce 3.6 vulnerable
> Tiny 5.0 immune
>
> Tiny alerts the user that the injector executable spawns the
> browser process, trying to access the network this way. It looks
> like Tiny simply acts exactly like all the other software
> firewalls do, but it is just more careful. Tiny also hooks API
> calls like CreateProcess() and CreateRemoteThread() - thus, it
> can protect its users from this kind of bypass.
> ##########################
>

bowgus
|