Bugtraq mailing list archives

Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible


From: UMusBKidN () aol com
Date: Tue, 30 Apr 2002 14:54:29 -0400

Hi,

Ye Olde Disclaimer: The information contained in this email is believed to be true. However, exhaustive regression 
testing has not been performed. No guarantees or warranties are implicitly or explicitly granted. Use the information 
within at your own risk.

Tested AtGuard version: 3.21.05
Tested OS's: NT4 SP6a, Win95 (don't hit me, I'm cheap)

BlueScreen wrote:

- ------------------------------------------------------------
itcp advisory 13 advisories () it-checkpoint net
http://www.it-checkpoint.net/advisory/12.html
April 29th, 2002
- ------------------------------------------------------------

ITCP Advisory 13: Bypassing of ATGuard Firewall possible
- -------------------------

*snip*

DETAILS
*snip*
Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
much better), to
determine wether the executed program is real the one, that is allowed to
connect to all hosts on port 80.
It just uses the filename (in this case "IEXPLORE.EXE").

Only if you've created your rule in interactive learning mode. See discussion below.

*snip*

SOLUTION

There doesn't exist an solution, since ATGuard is not developped anymore. We
were not able to test the Norton Personal Firewall
for this problem, since no one of us owns it. We are contacting Norton
directly with this Advisory.

Not quite correct. The bug reported in BlueScreen's advisory does exist. However, either the method of testing was 
incomplete, or the report was incomplete. Also, there is a workaround.

AtGuard has the ability to create firewall rules on the fly (in it's "interactive learning mode"). When a connection is 
attempted and AtGuard cannot find a matching rule, in "interactive learning mode" the user is presented with a window 
containing four options. Two of those options allow the user to specify whether the connection should be allowed or 
blocked, this one time only. The other two of those options allow the user to create a rule for particular connections 
(that may either block or allow the connections). This works on either incoming or outgoing connections.

When a rule is created in interactive learning mode, *only the application executable name* is stored in the rulebase. 
This is the bug that BlueScreen pointed out. Without a path to the application file in the rulebase, any application 
with a similar name can make use of the firewall rule (block or allow, as the case may be).

However, AtGuard also allows the user to create their own firewall rules manually. Click on the dashboard or tray icon, 
and launch the "Settings" menu item. Click the "Add" button, create a rule, and make sure you specify an application 
that the rule applies to (on the Application tab, click "Application Shown Above", click the Browse button, and specify 
the proper application with the File Dialog box). You will find the full path to the file specified in the rule. Shut 
down your machine, and start it up again, and you'll find the full path still there. You can verify the full path in 
the registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\WRQ\IAM\FirewallObjects\Applications

Workaround: Manually create firewall rules instead of using interactive learning mode to create rules. If you do use 
interactive learning mode, you should reopen the "Settings" menu, and manually adjust the "Application Shown Above" so 
it shows the full path to the application that the rule applies to (you apparently don't have to trash all your current 
rules). This *appears* to resolve the issue (from my brief testing, YMMV).

Of course, this still wouldn't prevent someone from replacing the specified file with malware. However, if you're 
machine has been compromised to that level, it seems to me you've got more to worry about than a few firewall rules :/

It should be noted that AtGuard rules may be created that allow or block access to *all* applications. Such rules 
appear to not be affected by this bug.

ADDITIONAL INFORMATION
Vendor has not been contacted. (since he doesn't exist anymore).

Actually, the original vendor does exist: http://www.wrq.com. They simply don't sell the product any more. From what I 
can tell, the original firewall has been sufficiently morphed by Symantec so that it no longer has much resemblance to 
AtGuard. Thus, I don't think comparisons between products from these two vendors are fair or valid.

-UMus B. KidN


Current thread: