Re: Bypassing Personal Firewalls

From: H C (keydet89@yahoo.com)
Date: 02/21/03

    Date: Fri, 21 Feb 2003 08:38:07 -0800 (PST)
    From: H C <keydet89@yahoo.com>
    To: vuln-dev@securityfocus.com

    Oliver,

    > Here's a code snippet that injects code directly
    > into a running process
    > without the need for a DLL etc.

    Just for clarification...I'm trying to understand what
    you mean...you say "without the need for a DLL", but
    the code relies on three DLLs.

    > Demonstrates that process boundaries
    > under NT mean very little within the context of a
    > given UID.
    >
    > This allows PFWs to be bypassed, as well as making
    > it very easy to hide
    > running malicious code on a system. The example is a
    > 'sploit that makes a
    > connection from within IE, and slips under the radar
    > of all PFWs I've tested.

    How does this code conceptually and significantly
    differ from similar code that accesses IE as a COM
    server, and makes the same request?

    > Having briefly discussed this with PFW vendors, it
    > doesn't appear to be
    > much of a concern to them. I think it illustrates
    > that OpenProcess,
    > ptrace, and the like should really enforce
    > filesystem privileges on the
    > processes they can modify.

    I think we're back to the old adage of running code on
    a system. For this to execute, thermite.exe will have
    to execute on the system...so once you get the code on
    the system, in many cases, it's all over with at that
    point. Perhaps that's the larger issue here.
