Interesting thing about ICF and SP2
From: Erik Pace Birkholz (erik_at_SPECIALOPSSECURITY.COM)
Date: Thu, 14 Oct 2004 12:03:31 -0700 To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
I wrote a script back in 2002 for Internet Connection Firewall (ICF) called
toggleICF.vbs. The purpose of the script was to turn ICF on and off via
command line. It saved time (fighting through the GUI) when using port
scanners and other security tools. FYI, the script is still available from
www.SpecialOpsSecurity.com under the Resources, Scripts section.
The only bummer was WMI prompted the user via Win32 popup and asked for
permission before it would activate/deactivate. This made it less useful for
scripting purposes, but more secure. Here is a reference from a MSDN page
about the ICF disable method and it clearly states (in the remarks) that the
user makes the final disabling decision.
Here is the new problem I just found today after finally installing SP2 on
my XP system. I noticed that if you run the toggleICF.vbs script, it no
longer prompts the user via that annoying popup. Albeit annoying, that
little popup did buy some mitigation against the bad guys trying to turn off
ICF with a script.
Microsoft's new ICF activation/deactivation "process" change has introduced
a new attack vector for malicious scripts. If my script can be used to turn
ICF on and off for "good" without requiring user-intervention, then it can
certainly be done for "evil".
Erik Pace Birkholz, CISSP
Special Ops Security, Inc.
Read Special Ops and mount an assault to eradicate network negligence today.
-- NTBugtraq Editor's Note: Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field. --