Educause Security Discussion mailing list archives
Re: Correction: XP SP2 ports open to local subnet
From: Brian Eckman <eckman () UMN EDU>
Date: Fri, 11 Jun 2004 15:07:01 -0500
Niedens, Travis wrote:
Honestly, I am certain with SP2 Betas being out that these guys are already working on one that gets in and shuts down the firewall. They have been pretty proficient in disabling, blocking and hindering most AV products (disabling services, adding in hosts file entries, etc.)
After a brief investigation, I tend to disagree. If you are an attacker, there is no point shutting down the firewall and opening up your newly 0wned computer to other hax0rs when adding a simple registry key will allow only your malware to bypass the firewall, while otherwise keeping it intact. It's quite trivial in fact (assuming the functionality doesn't change before its released). Simply create a key like this: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List] "C:\\WINDOWS\\system32\\mybot.exe"="C:\\WINDOWS\\system32\\mybot.exe:*:Enabled:KaZaA" (change mybot.exe to whatever you want, and KaZaA to whatever you want displayed to the end user if they ever bother to check their exceptions) The "cool" thing is, now mybot.exe can listen on whatever port you want, even random or multiple ports. Of course, you could simply do this as well: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile] "EnableFirewall"=dword:00000000 (Sorry, no million dollar prizes for whoever guesses what that setting would do....) However, my point above stands - if you (the attacker) disable the firewall, someone else might kick you off of that machine when *they* compromise it. Also, the user is informed when the firewall is turned off (unless Windows detects another firewall product installed). Of course, I imagine that could be modified fairly easily as well. The attacker also might want to do this: [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List] "139:TCP"="139:TCP:127.0.0.1/255.255.255.255:Disabled:NetBIOS Session Service" "445:TCP"="445:TCP:127.0.0.1/255.255.255.255:Disabled:SMB over TCP" "137:UDP"="137:UDP:127.0.0.1/255.255.255.255:Disabled:NetBIOS Name Service" "138:UDP"="138:UDP:127.0.0.1/255.255.255.255:Disabled:NetBIOS Datagram Service" That way, the default exceptions for file sharing are gone. This again helps prevent them from getting kicked off by another attacker. BTW, I tested all of this on a RC1 computer, and the registry keys were all modifiable by a .reg file run as an administative-level user. All changes took place immediately, and functioned correctly. That is, changing "EnableFirewall"=dword:00000001 to "EnableFirewall"=dword:00000000 does indeed turn off the firewall. (Instead of waiting for an attacker to do it, you can give your users a .reg file with that last set of registry key modifications. If you can get them to run it, the default exceptions for File and Print Sharing will be turned off.) As always, if an attacker can *successfully* run their code on your computer ("successfully" often requires administrative or system privileges, but not always), your computer is no longer yours. They can defeat any protections that you have left once they run their code. Even if you have Symantec Client Firewall, ZoneAlarm and such, that prevent unblessed outbound communications, they can sidestep those as well. (Agobot and others simply kill the running processes.) However, I'm sure there are plenty of other ways around those firewalls when you can run whatever commands that you want to run on the system. The only defense against something like this is a firewall (or similar filtering) in front of the compromised computer. Brian P.S. If you are upset that I posted any/all of these details, please realize the bad guys already know it. It took significantly longer to word this response and check it for proper spelling and grammar than the actual research took. -- Brian Eckman Security Analyst OIT Security and Assurance University of Minnesota ********** Participation and subscription information for this EDUCAUSE Discussion Group discussion list can be found at http://www.educause.edu/cg/.
Current thread:
- Correction: XP SP2 ports open to local subnet Phil Rodrigues (Jun 09)
- <Possible follow-ups>
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 09)
- Re: Correction: XP SP2 ports open to local subnet John Kristoff (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Brian Eckman (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Brian Eckman (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Niedens, Travis (Jun 11)
- Re: Correction: XP SP2 ports open to local subnet Jeff Bollinger (Jun 13)