Bugtraq mailing list archives

Re: Bypassing Personal Firewalls


From: Shaun Clowes <shaun () securereality com au>
Date: Sat, 22 Feb 2003 13:14:04 +1100


Hi xenophi1e,

> Here's a code snippet that injects code directly into a running process
> without the need for a DLL etc. I believe that it demonstrates that
> process boundaries under NT mean very little within the context of a
> given UID.

While I can see your point here, from the OS's perspective a user doesn't need to be protected from themselves.

> Having attempted to discuss this with PFW vendors, it doesn't appear to
> be much of a concern to them; after almost two business weeks, Symantec
> is the only company to have responded with any concern. To be fair, this
> isn't remotely exploitable, and is fundamentally an issue with how OSs
> are designed, not how PFWs work (although one might wonder if some of the
> claims made by PFW vendors are really ethical).

I'm not convinced that it is an 'issue' at all; the OS goes to great lengths to restrict the ability of one user to hurt another.

> I think it illustrates
> that OpenProcess, ptrace, and the like should really enforce filesystem
> privileges on the processes they can modify. I think that this is
> something that needs to be done proactively.

I don't really understand what you mean by 'enforce filesystem privileges'.

Personal Firewalls exist to try and enforce order upon chaos; I can't see any reason why they couldn't disable OpenProcess for any user other than users with the SeDebug privilege (though this will stop some non-malicious applications from functioning).

> The implication of allowing processes to modify each other this way is
> that PFWs can not be easily made secure, but also that malicious code has
> nice support from windows for doing some very bad things. For instance it
> would be a simple addition to intercept syscalls made by any process into
> which code can be injected, and in so doing hide the presence of
> malicious activity from all local processes a user runs.

Why do you believe that the responsibility of protecting users from themselves should be borne by the operating system? People who are using Personal Firewall systems may indeed want to be protected in this fashion, but I suspect that for most people this is a non-issue.

When all is said and done, if malicious code can run under your user ID then everything you do is compromised; I can't see much point in giving ourselves a false sense of security.

Cheers,
Shaun
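
The point argued above (that OpenProcess succeeds against any process of the same user, with or without SeDebugPrivilege) can be checked on a live box. The script below is an added example for this archive page, not code from either poster: it asks for the access rights a DLL-less injector needs (PROCESS_VM_WRITE, PROCESS_VM_OPERATION, PROCESS_CREATE_THREAD) on every running process and reports which ones open, grouped by whether the process belongs to the current user. It assumes a modern PowerShell with CIM cmdlets and a Win32 P/Invoke via Add-Type; the type name InjectCheck.Kernel32 is just a label chosen here.

```powershell
# Added example: survey which processes the current token can open with the
# access rights a code injector needs, and whether SeDebugPrivilege is even
# present. Expectation from the thread: same-user processes open; other
# users' and SYSTEM processes fail with ERROR_ACCESS_DENIED (5).

$signature = @'
[DllImport("kernel32.dll", SetLastError = true)]
public static extern IntPtr OpenProcess(uint dwDesiredAccess, bool bInheritHandle, uint dwProcessId);

[DllImport("kernel32.dll", SetLastError = true)]
public static extern bool CloseHandle(IntPtr hObject);
'@
# InjectCheck.Kernel32 is an arbitrary name for this example's P/Invoke wrapper.
$k32 = Add-Type -MemberDefinition $signature -Name 'Kernel32' -Namespace 'InjectCheck' -PassThru

# Access mask for writing memory, changing protections and starting a thread
# in the target (constants from winnt.h).
$PROCESS_CREATE_THREAD = 0x0002
$PROCESS_VM_OPERATION  = 0x0008
$PROCESS_VM_WRITE      = 0x0020
$PROCESS_QUERY_INFO    = 0x0400
$injectMask = $PROCESS_CREATE_THREAD -bor $PROCESS_VM_OPERATION -bor $PROCESS_VM_WRITE -bor $PROCESS_QUERY_INFO

# Does the current token carry SeDebugPrivilege at all (enabled or disabled)?
$hasSeDebug = $null -ne (whoami /priv | Select-String 'SeDebugPrivilege')

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name

# Map PID -> owner ("DOMAIN\user") in one pass via Win32_Process.GetOwner.
$owners = @{}
foreach ($w in Get-CimInstance Win32_Process) {
    $o = Invoke-CimMethod -InputObject $w -MethodName GetOwner
    $owners[[int]$w.ProcessId] = if ($o.ReturnValue -eq 0) { "$($o.Domain)\$($o.User)" } else { '<unknown>' }
}

$results = foreach ($p in Get-Process) {
    $owner = if ($owners.ContainsKey($p.Id)) { $owners[$p.Id] } else { '<unknown>' }

    # The actual check: can we get an injection-capable handle?
    $h   = $k32::OpenProcess($injectMask, $false, [uint32]$p.Id)
    $err = [System.Runtime.InteropServices.Marshal]::GetLastWin32Error()
    $openable = ($h -ne [IntPtr]::Zero)
    if ($openable) { [void]$k32::CloseHandle($h) }

    [pscustomobject]@{
        Pid       = $p.Id
        Name      = $p.ProcessName
        Owner     = $owner
        SameUser  = ($owner -eq $me)   # string -eq is case-insensitive in PowerShell
        Openable  = $openable
        LastError = if ($openable) { 0 } else { $err }
    }
}

"Current user: $me   SeDebugPrivilege in token: $hasSeDebug"
$results | Sort-Object SameUser, Openable -Descending | Format-Table -AutoSize

# Summary the thread cares about: same-user vs other-user, openable vs denied.
$results | Group-Object SameUser, Openable | Select-Object Name, Count
```

Run it as an ordinary (non-elevated) user and compare the two groups. On the systems the thread was written about, every process in the SameUser=True group is expected to open; on current Windows releases a few same-user processes will still refuse, namely elevated processes when UAC is active (higher integrity level) and protected processes, which are later mitigations in exactly the direction the original poster was asking for. An unexpected Openable=True against another user's process, without SeDebugPrivilege in the token, is the finding worth investigating.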
