Vulnerability Development mailing list archives

Re: Bug in Norton FireWall 2003


From: pr00f <pr00f () pr00f org>
Date: Tue, 12 Aug 2003 00:38:23 -0700

Even a "hard-to-guess window title" wouldn't be enough. There are API
functions to grab window information from any window currently under the
mouse pointer. Throw such a query into a timer, and hover the mouse over
the window you want to get the title of. Bingo.

- pr00f


Michael Wojcik <Michael.Wojcik () microfocus com> wrote
------------------------------------------------------------
From: Boy Bear [mailto:eyal067 () walla co il] 
Sent: Saturday, August 09, 2003 4:12 AM


The Bug factor so lamb Firewall "ignored" from Trojan.

The Trojan than himself in Firewall and so the actually Trojan worker 
without disturbance the of Firewall.

Ah, machine translation.

A cursory glance through the VB source [see original message] suggests
that the proposed exploit is to have a trojan recognize the firewall
pop-up asking if the trojan should be permitted network access, and
spoofing the user input to grant it.  Simple enough.

There appears to be a bug in the included source:

    Private Sub wHideShow(HideShow As Boolean)

        Dim hwnd As Long
        hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
        'if not found then..
        If hwnd = 0 Then
            Exit Sub
        End If
        'if not hidden - hide, else - show
        If HideShow Then
            ShowWindow hwnd, SW_SHOW
        Else
            ShowWindow hwnd, SW_SHOW
        End If

    End Sub

Presumably one of "SW_SHOW" should be "SW_HIDE".  Since wHideShow is
never used by the program, and "HideShow" is not exactly a meaningful
parameter name, it's hard to guess which.  Then again, since wHideShow
is never used, it doesn't really matter.

I suppose a simple defense for "personal firewall" vendors against this
sort of thing would be to use hard-to-guess window titles for their
popups...

-- 
Michael Wojcik
Principal Software Systems Developer, Micro Focus


-- 
If one cannot enjoy reading a book over and over again, there is no use
in reading it at all.
                -- Oscar Wilde

