Re: Win32 vulnerability? Or application vulnerability?

From: Deus, Attonbitus (Thor@HAMMEROFGOD.COM)
Date: 08/08/02


Date:         Thu, 8 Aug 2002 09:14:57 -0700
From: "Deus, Attonbitus" <Thor@HAMMEROFGOD.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

At 07:28 AM 8/8/2002, Chris Paget wrote:

>The scenario: A user has a Windows 2000 box running a personal
>firewall. The firewall only "trusts" Internet Explorer to access the
>Internet.
>
>Somehow or other, some malicious code gets onto the system. It fires
>up an IE window, and makes it invisible. It injects a DDoS client (or
>whatever) into IE, using exactly the same technique described in my
>paper. That malicious code within IE then accesses the network
>freely, since the personal firewall can't tell the difference. It
>could even send out its traffic as legitimate HTTP requests, so that
>it is more or less untraceable.

<snip>

Notwithstanding the implications of exploiting privileged services, one
really has to question the validity of any exploit that first requires
malicious code to get onto the system. Why worry about firing up an IE
window when you can load a kernel mode driver? If they run our code, then
we immediately own the box.

I honestly feel any sentence that starts out "If you can get your code on
the box..." must end in a ".. then nothing else matters."

Cheers,

AD


