Software Firewall Vulnerabilities

Discussion in 'Computer Security' started by donnie, Dec 28, 2004.

  1. donnie (Guest)

    Below is an excerpt from phrack.com. In the latest phrack issue
    there are a few articles on bypassing firewalls by accessing memory
    space on a remote machine or injecting code into a trusted process.
    Note the result of the tested software firewalls. There is more to a
    software firewall than blocking ports.


    http://www.phrack.org/show.php?p=62&a=13

    To sum everything up: We will create a binary executable that
    carries the injection code as well as the code that has to be
    injected in order to bypass the software firewall. Or, speaking
    in high-level programming terms: We will create an exe file that
    holds two functions, one to inject code to a trusted process
    and one function to be injected.


    The sample code presented in this little paper will give you a
    tiny executable that runs in RING3. I am certain that most
    software firewalls contain kernel mode drivers with the ability
    to perform more powerful tasks than this injector executable.
    Therefore, the capabilities of the bypass code are obviously
    limited. I have tested the bypass against several software
    firewalls and got the following results:

    Zone Alarm 4 vulnerable
    Zone Alarm Pro 4 vulnerable
    Sygate Pro 5.5 vulnerable
    BlackIce 3.6 vulnerable
    Tiny 5.0 immune

    Tiny alerts the user that the injector executable spawns the
    browser process, trying to access the network this way. It looks
    like Tiny simply acts exactly like all the other software
    firewalls do, but it is just more careful. Tiny also hooks API
    calls like CreateProcess() and CreateRemoteThread() - thus, it
    can protect its users from this kind of bypass.
    donnie, Dec 28, 2004
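The excerpt's point is that an application firewall which decides by the image name of the connecting process is bypassed as soon as an untrusted executable can spawn or inject into a trusted one, and that Tiny 5.0 survives because it also hooks CreateProcess() and CreateRemoteThread(). The following is an added simulation of that difference, not code from the Phrack paper or from any of the products listed: the pids, image names, rule table and the taint rules are constructed assumptions, and the Windows hooks themselves are replaced by an event feed so the policy logic can run anywhere.

```c
/* Model of why a per-application ("software") firewall that decides by image
 * name alone is bypassed by process spawning plus code injection, and how a
 * policy that also observes CreateProcess()/CreateRemoteThread() (as the
 * excerpt says Tiny 5.0 does) catches it. Constructed simulation: pids,
 * image names and the rule table are made up, not taken from any product. */
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

typedef enum { V_DENY, V_ALLOW, V_PROMPT } verdict;
typedef enum { EV_CREATE_PROCESS, EV_CREATE_REMOTE_THREAD } event_kind;

typedef struct {
    int pid;
    char image[32];
    bool net_allowed;    /* rule: image may open network connections */
    bool launch_allowed; /* rule: image is a known launcher (the shell) */
    bool tainted;        /* careful policy: spawned by an untrusted/tainted
                            process, or had a remote thread created in it */
} proc;

#define MAX_PROCS 32
typedef struct { proc p[MAX_PROCS]; int n; } proc_table;

/* Constructed rule set; a real product reads this from its configuration. */
static void lookup_rules(const char *image, bool *net, bool *launch) {
    *net = strcmp(image, "iexplore.exe") == 0 || strcmp(image, "firefox.exe") == 0;
    *launch = strcmp(image, "explorer.exe") == 0;
}

static proc *find_proc(proc_table *t, int pid) {
    for (int i = 0; i < t->n; i++)
        if (t->p[i].pid == pid) return &t->p[i];
    return NULL;
}

/* Register a process; returns NULL when the table is full. */
proc *table_add(proc_table *t, int pid, const char *image) {
    if (t->n >= MAX_PROCS) return NULL;
    proc *q = &t->p[t->n++];
    q->pid = pid;
    snprintf(q->image, sizeof q->image, "%s", image);
    lookup_rules(image, &q->net_allowed, &q->launch_allowed);
    q->tainted = false;
    return q;
}

/* The careful policy's hook: record who created or injected into whom.
 * image is only used for EV_CREATE_PROCESS (the new process's image name). */
void observe(proc_table *t, event_kind kind, int actor_pid, int target_pid,
             const char *image) {
    proc *actor = find_proc(t, actor_pid);
    if (kind == EV_CREATE_PROCESS) {
        /* An unknown or tainted parent, or one that is not a known launcher,
         * taints the child: this is the "injector spawns the browser" case. */
        bool actor_bad = actor == NULL || actor->tainted || !actor->launch_allowed;
        proc *child = table_add(t, target_pid, image);
        if (child && actor_bad) child->tainted = true;
    } else { /* EV_CREATE_REMOTE_THREAD */
        /* The firewall cannot know what the injected thread runs, so any
         * cross-process thread creation taints the target. A real product
         * would need exceptions for debuggers and similar tools. */
        proc *target = find_proc(t, target_pid);
        if (target && actor_pid != target_pid) target->tainted = true;
    }
}

/* Decide a connect() attempted by process pid. The naive policy looks only
 * at the image's network rule; the careful one also consults the taint. */
verdict decide(proc_table *t, int pid, bool careful) {
    proc *q = find_proc(t, pid);
    if (q == NULL || !q->net_allowed) return V_DENY;  /* both policies */
    if (careful && q->tainted) return V_PROMPT;       /* Tiny-style alert */
    return V_ALLOW;  /* image name is on the list, naive policy lets it through */
}

/* The excerpt's scenario: untrusted injector.exe spawns the browser, creates
 * a remote thread in it, and the browser (now running injected code) opens
 * the connection. With injected = false the shell launches the browser. */
verdict browser_connect_verdict(bool injected, bool careful) {
    proc_table t = { .n = 0 };
    table_add(&t, 100, "explorer.exe");  /* seeded: the shell (constructed pid) */
    if (injected) {
        observe(&t, EV_CREATE_PROCESS, 100, 200, "injector.exe");
        observe(&t, EV_CREATE_PROCESS, 200, 300, "iexplore.exe");
        observe(&t, EV_CREATE_REMOTE_THREAD, 200, 300, NULL);
    } else {
        observe(&t, EV_CREATE_PROCESS, 100, 300, "iexplore.exe");
    }
    return decide(&t, 300, careful);
}

int main(void) {
    static const char *name[] = { "DENY", "ALLOW", "PROMPT" };
    printf("injected, naive:   %s\n", name[browser_connect_verdict(true, false)]);
    printf("injected, careful: %s\n", name[browser_connect_verdict(true, true)]);
    printf("clean,    naive:   %s\n", name[browser_connect_verdict(false, false)]);
    printf("clean,    careful: %s\n", name[browser_connect_verdict(false, true)]);
    return 0;
}
```

The naive policy allows the injected browser's connection because the image name is on its list, which is the bypass the excerpt reports for the first four products; the careful policy reaches PROMPT for the same connection while still allowing a shell-launched browser without a prompt. Note that this runs in the same ring as the injector: as the excerpt itself says, a bypass with kernel-mode access could also unhook or disable the hooks, so this kind of check raises the bar rather than closing the problem.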

  2. rinse cycle (Guest)

    "donnie" <> wrote in message
    news:...
    []
    > ... accessing memory space on a remote machine or
    > injecting code into a trusted process.

    []
    > http://www.phrack.org/show.php?p=62&a=13
    > To sum everything up: We will create a binary executable that
    > carries the injection code as well as the code that has to be
    > injected in order to bypass the software firewall.

    []

    Can you say 'duh'?

    What good is a software firewall if you allow untrusted executables?

    --
    RC
    rinse cycle, Dec 28, 2004

  3. SteveB (Guest)

    Firefox on that phrack link comes up with "The procedure entry point
    PL_DHashTableFinish could not be located in dynamic link library xpcom.dll",
    then the site displays after OKing this. Funny business or what? Is the
    site trying to use IE to do nasties?



    "rinse cycle" <> wrote in message
    news:...
    >
    > "donnie" <> wrote in message
    > news:...
    > []
    >> ... accessing memory space on a remote machine or
    >> injecting code into a trusted process.

    > []
    >> http://www.phrack.org/show.php?p=62&a=13
    >> To sum everything up: We will create a binary executable that
    >> carries the injection code as well as the code that has to be
    >> injected in order to bypass the software firewall.

    > []
    >
    > Can you say 'duh'?
    >
    > What good is a software firewall if you allow untrusted executables?
    >
    > --
    > RC
    >
    >
    SteveB, Dec 28, 2004
  4. bowgus (Guest)

    Hiya ... yer use of trusted process. For me a trusted process is a (kernel)
    process running in a trusted OS. And that (in a nutshell) is an OS that
    implements mandatory (system managed) vs discretionary (user managed) access
    control (e.g. SE Linux on top of whatever with users, domains, types etc).
    Anything less (i.e. M$) is ... futile :).

    "donnie" <> wrote in message
    news:...
    > Below is an excerpt from phrack.com. In the latest phrack issue
    > there are a few articles on bypassing firewalls by accessing memory
    > space on a remote machine or injecting code into a trusted process.
    > Note the result of the tested software firewalls. There is more to a
    > software firewall than blocking ports.
    >
    >
    > http://www.phrack.org/show.php?p=62&a=13
    >
    > To sum everything up: We will create a binary executable that
    > carries the injection code as well as the code that has to be
    > injected in order to bypass the software firewall. Or, speaking
    > in high-level programming terms: We will create an exe file that
    > holds two functions, one to inject code to a trusted process
    > and one function to be injected.
    >
    >
    > The sample code presented in this little paper will give you a
    > tiny executable that runs in RING3. I am certain that most
    > software firewalls contain kernel mode drivers with the ability
    > to perform more powerful tasks than this injector executable.
    > Therefore, the capabilities of the bypass code are obviously
    > limited. I have tested the bypass against several software
    > firewalls and got the following results:
    >
    > Zone Alarm 4 vulnerable
    > Zone Alarm Pro 4 vulnerable
    > Sygate Pro 5.5 vulnerable
    > BlackIce 3.6 vulnerable
    > Tiny 5.0 immune
    >
    > Tiny alerts the user that the injector executable spawns the
    > browser process, trying to access the network this way. It looks
    > like Tiny simply acts exactly like all the other software
    > firewalls do, but it is just more careful. Tiny also hooks API
    > calls like CreateProcess() and CreateRemoteThread() - thus, it
    > can protect its users from this kind of bypass.
    >
    >
    bowgus, Dec 28, 2004
