Interesting thing about ICF and SP2

From: Erik Pace Birkholz (erik_at_SPECIALOPSSECURITY.COM)
Date: 10/14/04

  • Next message: Reed Darsey: "Most Oct 2004 patches for NT won't install on Workstation"
    Date:         Thu, 14 Oct 2004 12:03:31 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    I wrote a script back in 2002 for Internet Connection Firewall (ICF) called
    toggleICF.vbs. The purpose of the script was to turn ICF on and off via
    command line. It saved time (fighting through the GUI) when using port
    scanners and other security tools. FYI, the script is still available from
    www.SpecialOpsSecurity.com under the Resources, Scripts section.

    http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html

    The only bummer was WMI prompted the user via Win32 popup and asked for
    permission before it would activate/deactivate. This made it less useful for
    scripting purposes, but more secure. Here is a reference from a MSDN page
    about the ICF disable method and it clearly states (in the remarks) that the
    user makes the final disabling decision.
    http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/inetsharingconfiguration_disableinternetfirewall.asp

    Here is the new problem I just found today after finally installing SP2 on
    my XP system. I noticed that if you run the toggleICF.vbs script, it no
    longer prompts the user via that annoying popup. Albeit annoying, that
    little popup did buy some mitigation against the bad guys trying to turn off
    ICF with a script.

    Microsoft's new ICF activation/deactivation "process" change has introduced
    a new attack vector for malicious scripts. If my script can be used to turn
    ICF on and off for "good" without requiring user-intervention, then it can
    certainly be done for "evil".

    Erik Pace Birkholz, CISSP
    Special Ops Security, Inc.
    [Cell] 323.252.5916
    [SOPS] 888.RU.OWNED
    [Email] erik@SpecialOpsSecurity.com

    Read Special Ops and mount an assault to eradicate network negligence today.
    www.SpecialOpsSecurity.com

    --
    NTBugtraq Editor's Note:
    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    --
    

  • Next message: Reed Darsey: "Most Oct 2004 patches for NT won't install on Workstation"