On Tue, 13 Nov 2001, Grobe, Gary wrote:
> Anyone have any ideas about how the effects of the "firewall" exploit would
> affect a stateful packet analyzer firewall? Something like NetGear's FR314,
> etc...

This has no bearing on the firewall 'stateful technology'. Note
the sentence:

    However if a malicious program modifies a DLL used by Internet
    Explorer to make outbound connections to port 80 on its behalf
    then this protection is bypassed.

Basically, this states if your firewall is compromised, then bad
things can happen outbound. If your enterprise firewall is
compromised, you have bigger concerns than the firewall making outbound
connections :)

> ---
> Below is taken from the article
> http://www.theregister.co.uk/content/55/22788.html
> ---
>
> Security researchers have highlighted a potential shortcoming
> with personal firewall products.
>
> To alert users of the presence of a Trojan or privacy threatening
> program running on their systems, personal firewalls have been
> adapted so they monitor and block outbound traffic (as well as
> blocking inbound network traffic).
>
> If a malicious program becomes active a user will be alerted and
> the application will be blocked by a personal firewall (unless a
> user is daft enough to agree that it should be able to access the
> Internet, of course).
>
> This would normally stop a Trojan sending out data (which might
> be your passwords) disguised as HTTP traffic on port 80.
>
> However if a malicious program modifies a DLL used by Internet
> Explorer to make outbound connections to port 80 on its behalf
> then this protection is bypassed.
>
> Security researcher Robin Keir has developed a proof-of-concept
> tool, called FireHole, which illustrates how the trick can fool
> personal firewalls (such as Zone Alarm, Norton Personal Firewall
> and Black Ice Defender).
>
> ===============================================
> To unsubscribe from this mailing list,
> please see the instructions at
> http://www.checkpoint.com/services/mailing.html
> ===============================================
>
--
Lance Spitzner
http://project.honeynet.org