[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall

To: Justin.Polazzo@xxxxxxxxxxxxxxxxxxxxx, bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall
From: Simon Zuckerbraun <szucker@xxxxxxxxxxxx>
Date: Mon, 18 Oct 2004 00:21:35 -0500

An EXE would only be able to change firewall settings if it was running under an account with administrative privileges.

Indeed, a user who conducts day-to-day activities using an administrative account is very much exposed to the type of attack you describe (malicious exe writing to HKEY_LOCAL_MACHINE or stopping the firewall service). Security best practices (on any OS) forbid using an administrative account for day-to-day activities.

Simon

-----Original Message-----
From: Polazzo Justin [mailto:Justin.Polazzo@xxxxxxxxxxxxxxxxxxxxx]
Sent: Friday, October 15, 2004 1:11 PM
To: americanidiot@xxxxxxxxxxxx; bugtraq@xxxxxxxxxxxxxxxxx
Subject: RE: Writing Trojans that bypass Windows XP Service Pack 2 Firewall

I am sorry, I thought (from a previous email in this or another list, I am getting forgetful in my old age) that editing these two registry entries would allow an app to, well if not bypass, at least be allowed thru the firewall.


Application Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\AuthorizedApplications\List


Port Exceptions:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters
\FirewallPolicy\StandardProfile\GloballyOpenPorts\List

Is there something I am missing (again)?

Is this another example of "If you click on the .exe, you are exposed" type of exploit?

Are you demo'ing the fact that you can attach yourself to a system process and not be detected by XPSP2?

How did you get the code on the SP2 system? Email an .exe?

I thought the best part of XPSP2 was prevention of code from running on your system. This includes password guesses, bunches of malware, NMAP scans, and compiled programs.

To further demonstrate my point, I wrote this exploit that will disable the WinXP firewall as well, simply extract this text into a .bat file and double-click on it:

net stop "Windows Firewall/Internet Connection Sharing (ICS)"

-JP

MCSEnator CCaNT CISSPell OPSTinate

Prev by Date: apexec.pl is still vulnerable against Directory Traversal.
Next by Date: [ GLSA 200410-14 ] phpMyAdmin: Vulnerability in MIME-based transformation system
Previous by thread: Re: Writing Trojans that bypass Windows XP Service Pack 2 Firewall
Next by thread: Re: EEYE: Windows Shell ZIP File Decompression DUNZIP32.DLL Buffer Overflow Vulnerability
Index(es):
- Date
- Thread