C0D3Z3R0
Pro
Posts: 166

-------------------------------------------------------------------
Multiple Firewall Products Bypass Vulnerability
-------------------------------------------------------------------
Online URL : http://ferruh.mavituna.com/article/?769
Download POC : http://ferruh.mavituna.com/opensource/firewallbypass.zip
(I also attached the vbs files as txt; one of them, -mousecontrol.txt-, is
vb.net source code)
This is a generic problem of common Personal Firewall products which
accept shortcuts or provide an interface that can be clicked without
requiring a password for controlled actions (acting as a server -listening
on ports-, executing another program, connecting to another computer etc.).
-------------------------------------------------------------------
Problem;
-------------------------------------------------------------------
Most personal firewalls allow shortcuts or an interface for controlling
traffic. It's simple to bypass these firewalls with a multithreaded program,
by sending keys or by controlling the mouse.
This flaw enables any Trojan or similar program to easily bypass the
firewall and act as a server or access another computer. Also, most of
these firewalls have a "remember" option, so if you bypass the firewall and
successfully exploit it, the firewall will never ask again.
This is a similar threat to shattering attacks, but with a different method
and impact.
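-------------------------------------------------------------------
Vulnerable Products (Sending Key Method and Mouse Control);
-------------------------------------------------------------------
These products are vulnerable to both the "Sending Key Method" and the
"Mouse Control Method".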
Test Platforms;
Fully Patched Windows XP Professional and Windows 2003 Enterprise Edition
(May 19, 2004 - 01.01.2005)
1. ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
I. 4.5.530.000 - Tested
II. 4.5.538.001 - Tested
III. 5 and newer versions are not vulnerable...
2. Kerio (www.kerio.com)
I. 4.0.14 - Tested
II. All Versions
3. Agnitum Outpost Firewall (www.agnitum.com)
I. 2.1.303.4009 (314) - Tested
II. 2.5.369.4608 (369) - Tested
III. All Versions
4. Kaspersky Anti-Hacker (www.kaspersky.com)
I. 1.5.119.0 - Tested
II. All Versions
5. Look 'n' Stop (www.looknstop.com)
I. 2.04p2 - Tested
II. All Versions
6. Symantec's Norton Personal Firewall (www.norton.com)
I. 2004 - Tested
II. All Versions
-------------------------------------------------------------------
Vulnerable Products (Mouse Control);
-------------------------------------------------------------------
These products are only vulnerable to the "Mouse Control Method": they
don't accept shortcuts, but are still vulnerable to "Mouse Control" attacks.
1. Panda Platinum Internet Security
I. 8.03 (tested)
II. All Versions
2. Omniquad Personal Firewall
I. 1.1 (tested)
II. All Versions
...
...
...
-------------------------------------------------------------------
Solution;
-------------------------------------------------------------------
All firewalls should ask for a password for all kinds of "Allow" actions. In
fact, passwords can be fooled because of their nature, but this is the best
user-friendly / secure solution for protection.
As a user of these firewalls, if your firewall supports a "deny all
default" option, enable it, so that your firewall denies all connections by
default. After that you can manually select the programs to allow.
...
Source: http://www.securityfocus.com/archive/1/385930
Corayzon
Regular
Posts: 67

interesting read