Re: Software Firewall Vulnerabilities
From: bowgus (bowgus_at_rogers.com)
Date: 12/28/04
- Next message: email_at_info-on-topic.com: "Can I get on a spam list here?"
- Previous message: SteveB: "Re: Software Firewall Vulnerabilities"
- In reply to: donnie: "Software Firewall Vulnerabilities"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Tue, 28 Dec 2004 11:44:09 -0500
Hiya ... your use of "trusted process". For me a trusted process is a (kernel)
process running in a trusted OS. And that (in a nutshell) is an OS that
implements mandatory (system managed) vs discretionary (user managed) access
control (e.g. SE Linux on top of whatever with users, domains, types etc).
Anything less (i.e. M$) is ... futile :-).
"donnie" <donnie@queyosepa.net> wrote in message
news:6kf1t0tv4k6ja3urm829fvclfrbacuvbfc@4ax.com...
> Below is an excerpt from phrack.com. In the latest phrack issue
> there are a few articles on bypassing firewalls by accessing memory
> space on a remote machine or injecting code into a trusted process.
> Note the result of the tested software firewalls. There is more to a
> software firewall than blocking ports.
>
>
> http://www.phrack.org/show.php?p=62&a=13
>
> To sum everything up: We will create a binary executable that
> carries the injection code as well as the code that has to be
> injected in order to bypass the software firewall. Or, speaking
> in high-level programming terms: We will create an exe file that
> holds two functions, one to inject code to a trusted process
> and one function to be injected.
>
>
> The sample code presented in this little paper will give you a
> tiny executable that runs in RING3. I am certain that most
> software firewalls contain kernel mode drivers with the ability
> to perform more powerful tasks than this injector executable.
> Therefore, the capabilities of the bypass code are obviously
> limited. I have tested the bypass against several software
> firewalls and got the following results:
>
> Zone Alarm 4 vulnerable
> Zone Alarm Pro 4 vulnerable
> Sygate Pro 5.5 vulnerable
> BlackIce 3.6 vulnerable
> Tiny 5.0 immune
>
> Tiny alerts the user that the injector executable spawns the
> browser process, trying to access the network this way. It looks
> like Tiny simply acts exactly like all the other software
> firewalls do, but it is just more careful. Tiny also hooks API
> calls like CreateProcess() and CreateRemoteThread() - thus, it
> can protect its users from this kind of bypass.
> ##########################
>
>
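The pattern the quoted Phrack excerpt describes (an untrusted executable spawns a firewall-trusted browser, then CreateRemoteThread()s its payload into it) is exactly what Tiny caught by hooking CreateProcess() and CreateRemoteThread(). The block below is an added example, not code from this thread or from the Phrack paper: it does the same correlation offline over Sysmon-style process telemetry (event ID 1 ProcessCreate and event ID 8 CreateRemoteThread, with Sysmon's field names), which is the modern analogue of the API hooks Tiny used. The trusted-image, expected-parent and allowed-injector sets are assumptions for the example, and every path, PID and event record in it is constructed.

```python
"""Spot the trusted-process bypass from the Phrack paper in process telemetry.

The bypass binary spawns a firewall-trusted program (the browser) and then
CreateRemoteThread()s its payload into it, so the outbound connection is made
by a process the firewall allows. This walks Sysmon-style events (ID 1
ProcessCreate, ID 8 CreateRemoteThread) and reports the chain.
Added example, not code from the thread or the paper; the allowlists below are
assumptions and all images, PIDs and event records are constructed.
"""

# What the (hypothetical) firewall trusts to talk to the network.
TRUSTED_NETWORK_IMAGES = {r"c:\program files\internet explorer\iexplore.exe"}
# Parents a user-launched browser normally has.
EXPECTED_PARENTS = {r"c:\windows\explorer.exe"}
# Sources that legitimately create threads in other processes.
ALLOWED_INJECTORS = {r"c:\windows\system32\csrss.exe"}


def analyze(events):
    """Return alerts as (kind, source_pid, target_pid, detail) tuples.

    A CreateRemoteThread into a trusted image from the very process that
    earlier spawned that target is reported as one 'spawn_then_inject' chain
    instead of two unrelated alerts.
    """
    alerts = []
    spawned_by = {}  # target pid -> pid of the untrusted parent that started it
    for ev in events:
        if ev["EventID"] == 1:  # ProcessCreate
            image, parent = ev["Image"].lower(), ev["ParentImage"].lower()
            if image in TRUSTED_NETWORK_IMAGES and parent not in EXPECTED_PARENTS:
                spawned_by[ev["ProcessId"]] = ev["ParentProcessId"]
                alerts.append(("suspicious_spawn", ev["ParentProcessId"],
                               ev["ProcessId"], f"{image} started by {parent}"))
        elif ev["EventID"] == 8:  # CreateRemoteThread
            src, tgt = ev["SourceImage"].lower(), ev["TargetImage"].lower()
            if tgt not in TRUSTED_NETWORK_IMAGES or src in ALLOWED_INJECTORS:
                continue
            # An empty StartModule means the new thread starts in memory that no
            # loaded module backs: typical of injected code rather than a DLL.
            detail = ("unbacked start address" if not ev.get("StartModule")
                      else f"start in {ev['StartModule']}")
            kind = "inject_into_trusted"
            if spawned_by.get(ev["TargetProcessId"]) == ev["SourceProcessId"]:
                kind = "spawn_then_inject"
            alerts.append((kind, ev["SourceProcessId"], ev["TargetProcessId"], detail))
    return alerts


def alert_kinds(events):
    """Just the alert kinds, in order, for quick checks."""
    return [a[0] for a in analyze(events)]


# Constructed telemetry: a user-launched browser with a benign csrss thread,
# then the bypass chain, then an unrelated injection into the user's browser.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ProcessId": 1500, "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 900},
    {"EventID": 8, "SourceImage": r"C:\Windows\System32\csrss.exe", "SourceProcessId": 500,
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "TargetProcessId": 1500,
     "StartModule": r"C:\Windows\System32\kernel32.dll"},
    {"EventID": 1, "Image": r"C:\Temp\bypass.exe", "ProcessId": 1234,
     "ParentImage": r"C:\Windows\explorer.exe", "ParentProcessId": 900},
    {"EventID": 1, "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ProcessId": 2000, "ParentImage": r"C:\Temp\bypass.exe", "ParentProcessId": 1234},
    {"EventID": 8, "SourceImage": r"C:\Temp\bypass.exe", "SourceProcessId": 1234,
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "TargetProcessId": 2000,
     "StartModule": ""},
    {"EventID": 8, "SourceImage": r"C:\Temp\other.exe", "SourceProcessId": 3000,
     "TargetImage": r"C:\Program Files\Internet Explorer\iexplore.exe", "TargetProcessId": 1500,
     "StartModule": ""},
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_EVENTS):
        print(*alert)
```

Running it on the constructed events yields three alerts: the browser started by bypass.exe, the spawn-then-inject chain from bypass.exe into that browser, and a plain injection into the user's own browser. The csrss thread is suppressed by the allowlist; in practice that allowlist is where the work is, since the same event stream also carries legitimate cross-process threads from debuggers, AV and the firewall's own hooks.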