Re: Interesting thing about ICF and SP2
From: Thor (thor_at_hammerofgod.com)
Date: 10/16/04
- Previous message: Ken Remley: "RE: Remote connections"
- In reply to: Jim Harrison (ISA): "RE: Interesting thing about ICF and SP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
To: "Jim Harrison (ISA)" <jmharr@microsoft.com>, <focus-ms@securityfocus.com>, <ntbugtraq@listserv.ntbugtraq.com> Date: Fri, 15 Oct 2004 20:14:27 -0700
Or better yet, don't run exploit code on your box in the first place ;)
But of course, Erik knows all this... If you're to the point where you've
got users running your code on their box, nothing much matters past that. I
think the point was to identify the change in wscript's notification
behavior when ICF/WF configuration changes were initiated via the
NetSharingManager object. In XP/SP1, the NSM object would raise a
confirmation event when called by wscript. In SP2, it does not- and this is
by design... When using scripts (during install, or after the fact) to
configure WF settings, you obviously can't have a confirmation dialog box
required to be applied.
While I would not have used the phrase "new attack vector for malicious
scripts," identifying the change (as noted in the MSDN library) may be
valuable to those who used scripts in pre-SP2 installations, and who
expected some notification.
To that degree, it is a noteworthy observation. But, you knew all that ;)
T
----- Original Message -----
From: "Jim Harrison (ISA)" <jmharr@microsoft.com>
To: <focus-ms@securityfocus.com>; <ntbugtraq@listserv.ntbugtraq.com>
Sent: Friday, October 15, 2004 10:15 AM
Subject: RE: Interesting thing about ICF and SP2
Easy; stop running on the machine as an administrator.
I realize that this is the default for WinXP, but it's not carved in
stone, either.
Users outside of the Power Users and Administrators can't change ICF
settings.
Jim Harrison
MCP(NT4/2K), A+, Network+
Security Business Unit (ISA SE)
"The last 10 years of Internet usage has disproven
the theory that a million monkeys typing on a million
typewriters would eventually produce the complete
works of Shakespeare. ..or maybe it only works for
typewriters..."
(unclaimed)
-----Original Message-----
From: Erik Pace Birkholz [mailto:erik@specialopssecurity.com]
Sent: Thursday, October 14, 2004 12:04 PM
To: focus-ms@securityfocus.com; ntbugtraq@listserv.ntbugtraq.com
Cc: Erik Pace Birkholz
Subject: Interesting thing about ICF and SP2
Importance: High
I wrote a script back in 2002 for Internet Connection Firewall (ICF)
called
toggleICF.vbs. The purpose of the script was to turn ICF on and off via
command line. It saved time (fighting through the GUI) when using port
scanners and other security tools. FYI, the script is still available
from
www.SpecialOpsSecurity.com under the Resources, Scripts section.
http://archives.neohapsis.com/archives/ntbugtraq/2003-q4/0140.html
The only bummer was WMI prompted the user via Win32 popup and asked for
permission before it would activate/deactivate. This made it less useful
for
scripting purposes, but more secure. Here is a reference from a MSDN
page
about the ICF disable method and it clearly states (in the remarks) that
the
user makes the final disabling decision.
http://msdn.microsoft.com/library/default.asp?url=/library/en-us/ics/ics
/inetsharingconfiguration_disableinternetfirewall.asp
Here is the new problem I just found today after finally installing SP2
on
my XP system. I noticed that if you run the toggleICF.vbs script, it no
longer prompts the user via that annoying popup. Albeit annoying, that
little popup did buy some mitigation against the bad guys trying to turn
off
ICF with a script.
Microsoft's new ICF activation/deactivation "process" change has
introduced
a new attack vector for malicious scripts. If my script can be used to
turn
ICF on and off for "good" without requiring user-intervention, then it
can
certainly be done for "evil".
Erik Pace Birkholz, CISSP
Special Ops Security, Inc.
[Cell] 323.252.5916
[SOPS] 888.RU.OWNED
[Email] erik@SpecialOpsSecurity.com
Read Special Ops and mount an assault to eradicate network negligence
today.
www.SpecialOpsSecurity.com
------------------------------------------------------------------------
--- ------------------------------------------------------------------------ --- --------------------------------------------------------------------------- --------------------------------------------------------------------------- --------------------------------------------------------------------------- ---------------------------------------------------------------------------
- Previous message: Ken Remley: "RE: Remote connections"
- In reply to: Jim Harrison (ISA): "RE: Interesting thing about ICF and SP2"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
