Vulnerability Development mailing list archives

RE: Query


From: "Eric D. Williams" <eric () infobro com>
Date: Tue, 16 Jul 2002 15:38:18 -0400

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Liam,

I would say it depends on the trust relationship between the URN/URL
of the script and the personal firewall application.  If the firewall
does not trust [or can't be spoofed into believing] the configuration
URN/URL that is used to configure it remotely (i.e., turn it off,
load profiles, etc.) without some in-band verifier, for example a
shared (and confidential, non-replayable) secret, then it's a
"feature."

If on the other hand the firewall trusts implicitly the JavaScript:
from any URN/URL purported to be appropriate (e.g. configured) or
from arbitrary locations (e.g. XSS, MITM or spoofed IP addresses)
then it's a vulnerability.

That's my $.02

InfoBro
- -----
Information Brokers, Inc.    Phone: +1 202.889.4395
http://www.infobro.com/        Fax: +1 202.889.4396
               mailto:eric () infobro com
                    PGP Public Key
   http://new.infobro.com/KeyServ/EricDWilliams.asc
Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789
- ----------------------------------------------------------------
The information in this message is confidential.  It is intended
solely for addressee(s).  Access to this message by anyone else
is unauthorized.  If you are not the intended recipient, any
disclosure, copying, distribution or any action taken or omitted
to be taken in reliance on it, is prohibited and may be unlawful.

On Tuesday, July 16, 2002 10:51 AM, TLR () portcullis-security com
[SMTP:TLR () portcullis-security com] wrote:
I think I know the answer to this but I just wanted to get a straw
poll type opinion from you guys.

Recently, whilst performing a Penetration Test I developed a
JavaScript which, with the use of some tools, disables a well known
personal firewall. This personal firewall was designed and is used
so that the company can centrally control what Hosts and Networks a
user can access via the use of profiles. Can you see what it is
yet? Anyway, would you guys consider the ability to disable the
firewall remotely a vulnerability or does it fall simply in the
arena of technique in the use of already existing tools and
vulnerabilities?

Cheers, Liam.

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQA/AwUBPTR2KgVEpZD/ZbeJEQI+eACgnLgq05BJQQQ1XaXvAVZ6zAku4T0An1If
rg1XZv6KZlx4FOU+1z4OV3jL
=zKaY
-----END PGP SIGNATURE-----

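The distinction Eric draws above, written out as a small Python example (added here; it is not code from either poster or from any real firewall product): a toy agent that accepts remote configuration commands, once with the "vulnerability" behaviour of trusting whatever URL the command arrives from, and once with the "feature" behaviour of requiring an in-band verifier, here an HMAC over the command and a fresh nonce using a shared, confidential secret. The command names, the secret value and the message layout are assumptions made for the example.

```python
import hmac
import hashlib
import secrets

# Shared confidential secret, provisioned out of band to both the management
# server and the firewall agent (constructed value for this example only).
SHARED_SECRET = b"example-shared-secret-provisioned-out-of-band"


def _tag(secret: bytes, command: str, nonce: str) -> str:
    """HMAC-SHA256 over nonce and command; binds the command to this one request."""
    return hmac.new(secret, f"{nonce}|{command}".encode(), hashlib.sha256).hexdigest()


class FirewallAgent:
    """Toy config receiver: understands 'disable' and 'load_profile:<name>'."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen_nonces: set[str] = set()  # in-memory; persist this in a real agent
        self.enabled = True
        self.profile = "default"

    def _apply(self, command: str) -> bool:
        if command == "disable":
            self.enabled = False
        elif command.startswith("load_profile:"):
            self.profile = command.split(":", 1)[1]
        else:
            return False
        return True

    def handle_untrusted(self, command: str) -> bool:
        """The 'vulnerability' case: the command is trusted whatever its origin."""
        return self._apply(command)

    def handle_verified(self, command: str, nonce: str, tag: str) -> bool:
        """The 'feature' case: reject replays and anything not tagged with the secret."""
        if nonce in self._seen_nonces:
            return False  # replay of an earlier (possibly legitimate) request
        if not hmac.compare_digest(_tag(self._secret, command, nonce), tag):
            return False  # wrong or missing tag: the sender does not hold the secret
        self._seen_nonces.add(nonce)
        return self._apply(command)


def sign_command(secret: bytes, command: str) -> tuple[str, str, str]:
    """Management-server side: build (command, nonce, tag) for one request."""
    nonce = secrets.token_hex(16)
    return command, nonce, _tag(secret, command, nonce)
```

The nonce set only defeats replay for the agent's lifetime; a real agent would persist it or use a timestamp window, and the secret would need the same care as any other credential on the host.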