[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall

To: <americanidiot@xxxxxxxxxxxx>, <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall
From: "Polazzo Justin" <Justin.Polazzo@xxxxxxxxxxxxxxxxxxxxx>
Date: Fri, 15 Oct 2004 14:11:05 -0400

I am sorry, I thought (from a previous email in this or another list, I
am getting forgetful in my old age) that editing these two registry
entries would allow an app to, well if not bypass, at least be allowed
thru the firewall.


Application Exceptions: 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\AuthorizedApplications\List 


Port Exceptions: 
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\GloballyOpenPorts\List 


Is there something I am missing (again)?

Is this another example of "If you click on the .exe, you are exposed"
type of exploit? 

Are you demo'ing the fact that you can attach yourself to a system
process and not be detected by XPSP2? 

How did you get the code on the SP2 system? Email an .exe?

I thought the best part of XPSP2 was prevention of code from running on
your system. This includes password guesses, bunches of malware, NMAP
scans, and compiled programs.

To further demonstrate my point, I wrote this exploit that will disable
the WinXP firewall as well, simply extract this text into a .bat file
and double-click on it:

net stop "Windows Firewall/Internet Connection Sharing (ICS)"

-JP

MCSEnator CCaNT CISSPell OPSTinate

Prev by Date: [IE 6 SP2] Possible URL Spoofing
Next by Date: Re: Adobe acrobat / Adobe Reader 6 can read local files
Previous by thread: Writing Trojans that bypass Windows XP Service Pack 2 Firewall
Next by thread: Re: Writing Trojans that bypass Windows XP Service Pack 2 Firewall
Index(es):
- Date
- Thread