Re: Bypassing Personal Firewalls

[H C <keydet89 () yahoo com>]

Oliver,

> Here's a code snippet that injects code directly
> into a running process 
> without the need for a DLL etc. 

Just for clarification...I'm trying to understand what
you mean...you say "without the need for a DLL", but
the code relys on three DLLs.

> Demonstrates that process boundaries 
> under NT mean very little within the context of a
> given UID.
>
> This allows PFWs to be bypassed, as well as making
> it very easy to hide 
> running malicious code on a system. The example is a
> 'sploit that makes a 
> connection from within IE, and slips under the radar
> of all PFWs I've tested.

How does this code conceptually and significantly
differ from similar code that accesses IE as a COM
server, and makes the same request?  

> Having briefly discussed this with PFW vendors, it
> doesn't appear to be 
> much of a concern to them. I think it illustrates
> that OpenProcess, 
> ptrace, and the like should really enforce
> filesystem priviledges on the 
> processes they can modify.

I think we're back to the old adage of running code on
a system.  For this to execute, thermite.exe will have
to execute on the system...so once you get the code on
the system, in many cases, it's all over with at that
point.  Perhaps that's the larger issue here.


__________________________________________________
Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more
http://taxes.yahoo.com/