Vulnerability Development mailing list archives

RE: Bug in Norton FireWall 2003


From: nowak.a () pg com
Date: Mon, 11 Aug 2003 17:15:21 -0400


I suppose a simple defense for "personal firewall" vendors against this sort
of thing would be to use hard-to-guess window titles for their popups...

Hello,

This simple defense may not be enough, as there are ways to find out the names
of all "child" windows belonging to a specific process.

Regards,
Andrzej



                                                                
                                                                


From: Michael Wojcik <Michael.Wojcik () microfocus com> on 08/11/2003 07:24 PM GMT
Sent: 08/11/2003 03:24 PM
To: vuln-dev () securityfocus com
Cc: (bcc: Andrzej Nowak-A/PGI)
Subject: RE: Bug in Norton FireWall 2003





From: Boy Bear [mailto:eyal067 () walla co il]
Sent: Saturday, August 09, 2003 4:12 AM


The Bug factor so lamb Firewall "ignored" from Trojan.

The Trojan than himself in Firewall and so the actually Trojan worker
without disturbance the of Firewall.

Ah, machine translation.

A cursory glance through the VB source [see original message] suggests that
the proposed exploit is to have a trojan recognize the firewall pop-up
asking if the trojan should be permitted network access, and spoofing the
user input to grant it.  Simple enough.

There appears to be a bug in the included source:

    Private Sub wHideShow(HideShow As Boolean)

        Dim hwnd As Long
        hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
        'if not found then..
        If hwnd = 0 Then
            Exit Sub
        End If
        'if not hidden - hide, else - show
        If HideShow Then
            ShowWindow hwnd, SW_SHOW
        Else
            ShowWindow hwnd, SW_SHOW
        End If

    End Sub

Presumably one of "SW_SHOW" should be "SW_HIDE".  Since wHideShow is never
used by the program, and "HideShow" is not exactly a meaningful parameter
name, it's hard to guess which.  Then again, since wHideShow is never used,
it doesn't really matter.

I suppose a simple defense for "personal firewall" vendors against this sort
of thing would be to use hard-to-guess window titles for their popups...

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus


