Full Disclosure mailing list archives
Malware can silently open holes in SP2 Firewall
From: jklemenc () fnal gov
Date: Thu, 26 Aug 2004 21:18:10 -0500
OK, this is no different than an app mucking around with other 3rd party personal firewall configuration files, but I have read statements that one must use API functions to manipulate the SP2 firewall. Not true. All of the firewall settings for allowed applications and ports are in the following registry keys:

Application Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List

Port Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

All one needs to do is edit the registry. Now malware doesn't do that, does it? :)

1) Read the App list and overwrite a legitimate file that is permitted (you don't think users will choose the block button when it pops up, do you?)
2) Simply add their own app to this list
3) Add their own listener port (if static) to the Port Exceptions

After modifying or creating keys in these locations, they take effect immediately. No need to reboot.

OK, you need to be an administrator to edit these keys. What are XP Home users by default?

You can set a policy to not allow exceptions, which will ignore these added entries, but that is not the default.

The point is, with 3rd party products you need to find the location of the installed product and edit the config files in the right spot. Even that won't guarantee success in all cases. Even in the Windows IP Security filters, the data is stored in the registry in an undocumented binary data blob, and the filters are crossed to actions and policies and GUIDs, which makes tracing/creating them manually cumbersome. The new XP SP2 Firewall makes all of that very easy.

Oh yeah, don't forget the netsh.exe command line stuff either. Malware could simply execute some commands via cmd /c netsh.exe firewall blah blah blah, but that won't be as silent as directly editing the registry.
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html
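The defensive counterpart to the post above, as an added example that is not part of jklemenc's message or the list archive: a small auditor that takes the text `reg query` prints for the two List keys named in the post and flags exception entries that look like the three tricks described (a program exception pointing at a user-writable or temp location, a value whose name no longer matches its own path, or a port opened to any source that the host would not normally need). It assumes the value layout `path:scope:Enabled|Disabled:name` for application exceptions and `port:proto:scope:Enabled|Disabled:name` for port exceptions; the trusted roots, the expected-port set and the treatment of the "do not allow exceptions" policy (modelled here as a DWORD named DoNotAllowExceptions under the same profile key) are the author's assumptions and should be tuned per host. The `reg query` output embedded below is constructed, not captured from a real machine.

```python
"""Audit Windows XP SP2 firewall exception lists (constructed example).

Input is the text `reg query <key>` prints for the two keys named in the post.
Assumed value layouts:
  AuthorizedApplications\List : <path>:<scope>:<Enabled|Disabled>:<display name>
  GloballyOpenPorts\List      : <port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<display name>
"""
import re
from dataclasses import dataclass
from typing import Dict, List

APP_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.I)
PORT_RE = re.compile(
    r"^(?P<port>\d+):(?P<proto>TCP|UDP):(?P<scope>[^:]*):(?P<state>Enabled|Disabled):(?P<name>.*)$", re.I)

# Roots an enabled program exception is expected to live under (assumption; tune per host).
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\")
# Path fragments that point at user-writable or temporary locations (assumption).
SUSPECT_FRAGMENTS = ("\\temp\\", "\\docume~1\\", "\\documents and settings\\")
# Ports an any-source exception is normally expected for on this host (assumption).
EXPECTED_PORTS = {137, 138, 139, 445}

# Constructed `reg query` output; not captured from a real host.
APPS_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
    C:\WINDOWS\system32\sessmgr.exe    REG_SZ    C:\WINDOWS\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019
    C:\Program Files\Messenger\msmsgs.exe    REG_SZ    C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger
    C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe    REG_SZ    C:\DOCUME~1\user\LOCALS~1\Temp\svchost.exe:*:Enabled:svchost
"""
PORTS_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
    139:TCP    REG_SZ    139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004
    4444:TCP    REG_SZ    4444:TCP:*:Enabled:Update Service
"""


@dataclass
class Finding:
    kind: str        # "app", "port" or "policy"
    value_name: str  # registry value name the finding refers to
    reason: str


def parse_reg_query(text: str) -> Dict[str, str]:
    """Map REG_SZ value names to their data from `reg query` output (tabs or spaces)."""
    values = {}
    for line in text.splitlines():
        parts = re.split(r"\s+REG_SZ\s+", line.strip(), maxsplit=1)
        if len(parts) == 2:
            values[parts[0]] = parts[1]
    return values


def audit_apps(values: Dict[str, str]) -> List[Finding]:
    findings = []
    for name, data in values.items():
        m = APP_RE.match(data)
        if not m:
            findings.append(Finding("app", name, "value data does not match the expected layout"))
            continue
        if m["state"].lower() != "enabled":
            continue
        path = m["path"].lower()
        if name.lower() != path:
            # The value name should be the same path as the data; a mismatch suggests hand editing.
            findings.append(Finding("app", name, "value name differs from the path in its data"))
        if not path.startswith(TRUSTED_ROOTS):
            findings.append(Finding("app", name, "enabled program outside the trusted roots"))
        if any(frag in path for frag in SUSPECT_FRAGMENTS):
            findings.append(Finding("app", name, "enabled program in a user-writable or temp location"))
    return findings


def audit_ports(values: Dict[str, str]) -> List[Finding]:
    findings = []
    for name, data in values.items():
        m = PORT_RE.match(data)
        if not m:
            findings.append(Finding("port", name, "value data does not match the expected layout"))
            continue
        if m["state"].lower() != "enabled":
            continue
        if m["scope"] == "*" and int(m["port"]) not in EXPECTED_PORTS:
            findings.append(Finding("port", name, f"unexpected port open to any source ({m['name']})"))
    return findings


def audit(apps_text: str, ports_text: str, do_not_allow_exceptions: int = 0) -> List[Finding]:
    """Full audit; when the do-not-allow-exceptions policy is set the lists are inert."""
    if do_not_allow_exceptions:
        return [Finding("policy", "DoNotAllowExceptions", "set: exception lists are ignored by the firewall")]
    return audit_apps(parse_reg_query(apps_text)) + audit_ports(parse_reg_query(ports_text))


if __name__ == "__main__":
    for f in audit(APPS_QUERY, PORTS_QUERY):
        print(f"[{f.kind}] {f.value_name}: {f.reason}")
```

On a live XP SP2 host the two inputs would come from `reg query "<key>"` against the List keys quoted in the post; the sample above yields three findings (two for the Temp-directory "svchost.exe" entry, one for the 4444/TCP port opened to any source) and none for the stock sessmgr.exe and Messenger entries.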