Re: Bypass personal firewall application protection . Again.

[Andrei Zlate-Podani <azlate () bitdefender com>]

offtopic wrote:

> Bypass personal firewall  application protection . Again. 
> (c)oded by offtopic (offtopic () mail ru) 2004
> Special thank to 3APA3A for links to the debuggers for Windows. 
>
> <quote src=  http://www.security.nnov.ru/advisories/bypassing.asp?l=EN >
> Personal  firewall  usually restricts access to network to the list of   allowed  application.  In addition, integrity 
> of these applications is controlled to prevent code insertion into executable file. It makes it impossible to install 
> trojan application with direct network access.
> </qoute>
>
> Modern personal firewalls hook such  unsafe  API calls like WriteProcessMemory CreateRemoteThread, and controls modification of trusted application code. Some personal firewalls even catch CAT+ sometimes.  
> So we got protected  high-privileged  application, which can communicate with network,  low-privileged  application   trojan, and personal firewall as access control system.  
> The best way for bypass any accesses control in windows is a SHATTER attacks.  Because most if not all of  high-privileged  applications use GUI trojan can use window messages to modify application memory and execute code in the context of trusted application. 
>
> <quote src=  http://security.tombom.co.uk/shatter.html >
> Any application on a given desktop can send a message to any window on the same desktop, regardless of whether or not 
> that window is owned by the sending application, and regardless of whether the target application wants to receive 
> those messages. There is no mechanism for authenticating the source of a message; a message sent from a malicious 
> application is indistinguishable from a message sent by the Windows kernel. It is this lack of authentication that we 
> will be exploiting, taking into consideration that these messages can be used to manipulate windows and the processes 
> that own them.
> </qoute>
>
>
> So, attack is very simple:
> 1. Trojan finds trusted application and appropriate.
> 2. Trojan inserts shellcode in selected window 
>
> <quote src= http://www.google.com/search?q= input+-+if+crafted '>
> +This is generally a very easy thing to do, as any user-supplied input   if crafted
> correctly   can be interpreted as a sequence of valid CPU instructions+
> </quote>
>
> 3. Afterward trojan founds shellcode address, and transfer control to the shellcode. 
>
> It s not a problem, because 
>
> <quote src= http://www.securityassessment.com/Papers/Shattering_By_Example-V1_03102003.pdf >
> +even the most obscure of messages can be used to make a process execute code that it was not intended to run. 
> </quote>
>
> I don t experiment on this too much but several of widely used personal firewalls are tested and vulnerable. If any 
> vendors need addition details, they can contact me.
>
> Thanks for your attention and sorry for my English.  
>
> (c)oded by offtopic () mail ru
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>
>
>  
You don't need all this shell code stuff to send data through a 
firewall. It's enough to have a browser allowed to access the internet 
to send
whatever you want. When the host is compromised you cannot stop a 
malicious application from doing damage.

--
Imagine a school with children that can read and write, but with teachers who cannot, and you have a metaphor of the 
Information Age in which we live.
--- Peter Cochrane



--
This message was scanned for spam and viruses by BitDefender
For more information please visit http://www.bitdefender.com/

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html