Re: Recurrent question
Ric <me@xxxxxxxxxxx> wrote:
> >And no Adobe Reader updates any more, and the next Adobe Reader hole leads
> >to thousands of extra 0wned boxes. And it's the fault of the "Personal
> >Firewalls", all these thousands of extra 0wned boxes are there, because
> >the concept of asking the user is b0rken.
> I was referring to installed trojans not PDF reading software. That
> would be the fault of the user not the PFW.

No. This is what I'm criticizing: it is a braindead & b0rken concept
to ask the only person who has no clue of what's going on with such
questions: the home user.

Because of this, of course it's the fault of the "Personal Firewall"
providers to implement such ridiculous and dumb concepts in software
for home users.

It's not the home user's fault not to know what's going on - it's her/his
FSM-damned *RIGHT* not to know what's going on technically, but just
_use_ their computer, isn't it? Especially if she/he buys _security_
software for being _protected_.

> >Your AV solution outclasses itself here, because to classify POC code
> >as "Virus / Trojan horse" is so ridiculous, that I'm happy to see the
> >providers of "security" software are capitulating ;-)
> I suspect AVG is programmed to recognize the breakout file itself
> rather than evaluating the code as malicious.

AVG has a virus signature for breakout-en.exe. And this is ridiculous.

> >> As I use Firefox or Opera on this computer I have denied IE
> >> all access using Outpost Pro (which I've been trying for a couple of
> >> weeks now).
> >No problem. This works with any browser. It's POC code. If you don't
> >understand the idea of a proof-of-concept, your testing is useless.
> I understand. It's a few minutes work, simple code to prove a point.
> It could be adapted to open the default browser, connect out, then
> visit a remote site and download and run some code (which could have
> been included in breakout anyway). Breakout as it stands would be
> useful for "the user has to be tricked into visiting a malicious
> website" type vulnerabilities, but can be adapted in many ways.

No.

This is not the point. The point is that with arbitrary URLs you can
send arbitrary data, you can "phone home". If you want to have remote
control software for example (sometimes called a "Trojan"), you can
have a look at Alexander Bernauer's wwwsh. He used my POC code to
demonstrate that it's easy to write such software with it. No "Personal
Firewall" in our test managed to detect this communication.

> >Outpost did not.
> Yes it did. I had to change my firewall rules twice before Breakout/IE
> got any packets out.

Outpost did NOT, because you have used the _WRONG_ POC code for the
situation on your PC. The POC code we're talking about is written for
the situation of having Internet Explorer as the default browser. And all
that Outpost detected was that you're using Internet Explorer now.

Please try the code for Mozilla Firefox, if this is your default browser.
If it doesn't work, let us work out the correct code for your testing
environment.

This is POC code, not working malware. For working malware, I'd hack
code for every widespread browser into the program (ca. 20 lines per browser),
and would use the right code for the default browser, of course.

> > and you didn't try out the POC code
> >for your browser: http://www.dingens.org/breakout-mozilla-firefox.c
> I did try breakout-mozilla-firefox.exe but nothing happens when I
> double-click it or run it from the command line. Nothing in the
> sandbox, no traffic in ethereal and cpu stays 100% idle. So I had to
> use breakout-en.exe and IE.

OK. Then maybe this code is not compatible with your Firefox version.
I only tested on a German version of Mozilla Firefox, and it's some
days ago.

> >> AVG has been able to detect it but when breakout was written it
> >> probably went undetected by anti-virus programs. So this seems to me
> >> like a browser vulnerability that exploits the fact that a browser is
> >> allowed through the firewall, rather than an actual firewall exploit.
> >No. It has nothing to do with a browser vulnerability. Please read the
> >source code.
> I did. Like you said, the coder needs to know nothing about firewalls,
> just send the URL to the browser window. If it's not a browser
> vulnerability, why is a different version required for each browser,
> yet both versions will bypass any firewall?

It's not a vulnerability, because the browsers are just doing what they're
designed for. They're working perfectly in this case. Please read:

http://support.microsoft.com/default.aspx?scid=kb;en-us;327618

> >And it's the declaration of bankruptcy for AVG to detect this completely
> >harmless binary as "Virus / Trojan". There is no code at all in it which could
> >do harm, maybe with the exception of doing harm to the sales figures
> >of "Personal Firewall" software, when people realize that they were
> >fooled by such manufacturers.
> I'd guess that if you added a useless function and recompiled it, AVG
> would not recognize it. Developers don't like to be seen to be
> vulnerable to POC stuff.

This is nonsense.

> >> More than that it is a user exploit because I forgot to use my brain
> >> and ran untrusted code.
> >*sigh* - we're _talking_ here about running untrusted code, aren't we?
> >"What is if malware already is running" is the _topic_.
> Then who ran it if not me? If it comes in through the usual
> malware/spyware channels then things like AdAware and Spybot can help.
> Process Explorer will show you what's running and HijackThis will
> allow you to control what runs at startup.

So we agree that you can remove your "Personal Firewall" and enable
the Windows-Firewall, and nothing will change (with the exception that
you'll not have the problems of your "Personal Firewall" any more)? ;-)

> >It is not inferior. Windows-Firewall cannot block this communication.
> >Outpost cannot do so. No "Personal Firewall" can block such communication.
> They can. Mine did until I changed the rules.

*sigh* - I will not comment on this any more. If you cannot understand
the idea behind "proof of concept" and why this has nothing to do with
a real attack, then this discussion will not lead to anything sensible.

> This only works with
> programs that already have access.

Yes. Of course. With your _default_ _webbrowser_, because this program
_does_ have access.

> What Breakout does do is pose the
> question, what good is application control if programs can be so
> easily manipulated? But it doesn't bypass packet filter rules.

Yes. Exactly. You will understand at last?

It's not _necessary_ to even _obey_ application filtering, you just can
_go_ _around_ this ridiculous door, because there is no wall around it!

Congratulations! You got the point!

[svchost.exe and port 53]
> >And, please tell me: how many of the _home_ _users_ know such things?
> >I'd guess the number to 0% of the home users, rounded to .1%.
> I don't know.

Please be honest. We both know that nearly none of the home users
have a clue about such things, don't we?

> If I had said I don't use any microsoft networking protocols someone
> would have said "what about TCP/IP?" :)

Someone knowing nothing about network protocols. The TCP/IP network
protocol family is not from Microsoft. Not at all.

Yours,
VB.
--
A vision statement is, as a rule, the planless babbling of a horde of
cranks detached from reality.
Dietz Pröpper in d.a.s.r
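As an added, defender-side example (not code from this thread, from breakout or from wwwsh): the point argued above is that a URL handed to the already-allowed default browser can carry arbitrary data out, and host application control never sees it. The script below scores web-proxy log lines for query values that look like encoded payloads and sums them per client/destination pair; the log format, hosts, payloads and the 32-character / 3.0-bit thresholds are constructed assumptions.

```python
import base64
import math
import re
from collections import defaultdict
from urllib.parse import parse_qsl, urlsplit

# A query value this long and drawn only from base64/hex characters is far
# more likely an encoded payload than something a person typed into a form.
ENCODED = re.compile(r"[A-Za-z0-9+/=_-]{32,}")

def entropy(s: str) -> float:
    """Shannon entropy of s in bits per character."""
    n = len(s)
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def suspicious_params(url: str, min_entropy: float = 3.0) -> list:
    """Return (key, length, entropy) for query values that look like payloads."""
    hits = []
    for key, value in parse_qsl(urlsplit(url).query, keep_blank_values=True):
        if ENCODED.fullmatch(value):
            ent = entropy(value)
            if ent >= min_entropy:
                hits.append((key, len(value), round(ent, 2)))
    return hits

def exfil_bytes_per_peer(log_text: str) -> dict:
    """Sum suspicious query bytes per (client, destination host) pair."""
    totals = defaultdict(int)
    for line in log_text.splitlines():
        client, _method, url, _status = line.split()
        for _key, size, _ent in suspicious_params(url):
            totals[(client, urlsplit(url).hostname)] += size
    return dict(totals)

# Constructed sample log in a "client method url status" shape; the format,
# hosts and payloads are assumptions for this example, not real traffic.
SAMPLE_B64 = base64.urlsafe_b64encode(b"confidential document text from the victim box").decode()
SAMPLE_HEX = b"John Doe 1234567890 secret".hex()
SAMPLE_LOG = f"""\
10.0.0.5 GET http://www.example.com/index.html 200
10.0.0.5 GET http://www.example.com/search?q=personal+firewall+breakout 200
10.0.0.7 GET http://cdn.example.net/img/logo.png?v=20060312 200
10.0.0.5 GET http://phone-home.invalid/r?d={SAMPLE_B64} 404
10.0.0.5 GET http://phone-home.invalid/r?d={SAMPLE_HEX} 404
"""
```

Running `exfil_bytes_per_peer(SAMPLE_LOG)` attributes 116 suspicious query bytes to the pair 10.0.0.5 / phone-home.invalid and nothing to the ordinary browsing lines.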