Re: Interesting thing about ICF and SP2

From: Matt Ostiguy (ostiguy_at_gmail.com)
Date: 10/15/04

    Date: Fri, 15 Oct 2004 11:36:08 -0400
    To: Erik Pace Birkholz <erik@specialopssecurity.com>
    
    

    On Thu, 14 Oct 2004 12:03:31 -0700, Erik Pace Birkholz
    <erik@specialopssecurity.com> wrote:
    > I wrote a script back in 2002 for Internet Connection Firewall (ICF) called
    > toggleICF.vbs. The purpose of the script was to turn ICF on and off via
    > command line. It saved time (fighting through the GUI) when using port
    > scanners and other security tools. FYI, the script is still available from
    > www.SpecialOpsSecurity.com under the Resources, Scripts section.
    >
    > http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html
    >
    > The only bummer was WMI prompted the user via Win32 popup and asked for
    > permission before it would activate/deactivate. This made it less useful for
    > scripting purposes, but more secure. Here is a reference from an MSDN page
    > about the ICF disable method and it clearly states (in the remarks) that the
    > user makes the final disabling decision.
    > http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics/inetsharingconfiguration_disableinternetfirewall.asp
    >
    > Here is the new problem I just found today after finally installing SP2 on
    > my XP system. I noticed that if you run the toggleICF.vbs script, it no
    > longer prompts the user via that annoying popup. Albeit annoying, that
    > little popup did buy some mitigation against the bad guys trying to turn off
    > ICF with a script.
    >
    > Microsoft's new ICF activation/deactivation "process" change has introduced
    > a new attack vector for malicious scripts. If my script can be used to turn
    > ICF on and off for "good" without requiring user intervention, then it can
    > certainly be done for "evil".
    >
    >

    Couldn't evil hackers use the WSH AppActivate method to ensure the pop-up
    is at the front (might be redundant, as the pop-up is likely front
    and center), and the WSH SendKeys method to click through any pop-up?
    Did you ever try to work around the pop-up for completely silent
    scriptage?

    Matt
