Network Security Bugtraq

RE: Windows Firewall Has A Backdoor

Subject: RE: Windows Firewall Has A Backdoor
Date: Mon, 21 Feb 2005 11:35:05 -0800
XPSP2 has a software firewall which, like any other firewall, has a list
of exceptions; being that it is host-based, these exceptions are
process-based. Having an exceptions list is not a backdoor.

There's no vulnerability or backdoor here, just intended functionality.
You can't add keys to this registry location remotely without first
compromising the machine and gaining Administrator privileges or
convincing the user to infect themselves while they are Administrator.

If you can get malicious code to run on a machine with Administrator
privileges then naturally you can disable the XPSP2 firewall - just like
you can disable, cripple or just plain out uninstall Norton, TrendMicro,
ZoneAlarm, Qwik-Fix, CSA, Entercept or any other application that is
running on the same host. 

If you attended the Blackhat 2004 Briefings in Las Vegas you will
remember that Eugene Tsyrklevich had a presentation called "Attacking
Host Intrusion Prevention Systems" in which he demonstrated on-stage how
to completely circumvent McAfee Entercept, a behavioral host based
protection product which tries to limit the actions of malicious code
once it is already running on the machine.

It will always be an uphill battle when you try to cleanup or protect
post-compromise; the only sane thing is to try and prevent the
compromise from happening in the first place.

I don't like to quote Microsoft but they deserve kudos when they are
right:

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6  20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation. 
<http://www.pivx.com/qwikfix>   

-----Original Message-----
From: Jay Calvert [mailto:jcalvert@habaneronetworks.com] 
Sent: Saturday, February 19, 2005 9:53 PM
To: bugtraq@securityfocus.com
Subject: Windows Firewall Has A Backdoor



By adding a new key to the registry in
HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List
you can circumvent the whole purpose of the firewall without the user's
interaction or knowledge. Spyware / Adware manufacturers are already
doing this.

More information and a little rant at:
http://habaneronetworks.com/viewArticle.php?ID=144


--
Jay Calvert
HabaneroNetworks.com
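The registry list the two mails argue about is something a defender can audit directly. The script below is an added example, not code from either poster: it parses the XP SP2 value format under the List key (the value name is the executable path; the data repeats that path followed by `:scope:state:description`) and reports enabled exceptions whose executable is not on an approved list, plus entries whose data does not match their value name, which is a sign of hand-edited or tampered entries. The full key path (it includes CurrentControlSet, which the original mail abbreviates), the sample entries and the approved list are constructed for this example; on a live system the `entries` dictionary would be filled from the registry (for instance via `winreg` or a `reg export` of that key).

```python
"""Audit the XP SP2 Windows Firewall AuthorizedApplications list.

Added example: the sample entries, approved list and helper names below
are constructed for illustration and are not from the original mails.
"""
from dataclasses import dataclass
from typing import Dict, List, Set

# Full key path; the original mail omits the CurrentControlSet component.
LIST_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
            r"\FirewallPolicy\StandardProfile\AuthorizedApplications\List")


@dataclass(frozen=True)
class FirewallException:
    path: str          # executable the exception applies to (the value name)
    scope: str         # '*' for any address, otherwise an address/subnet list
    state: str         # 'Enabled' or 'Disabled'
    description: str   # display name shown in the firewall's Exceptions tab


def _norm(path: str) -> str:
    """Normalise a path for comparison: strip quotes/whitespace, ignore case."""
    return path.strip().strip('"').casefold()


def parse_entry(name: str, data: str) -> FirewallException:
    """Parse one value under the List key.

    The data starts with the same path as the value name, so strip that
    prefix and split only the remainder on ':' (drive letters contain one).
    Raises ValueError when the data does not match the name or is malformed.
    """
    prefix = name + ":"
    if not data.casefold().startswith(prefix.casefold()):
        raise ValueError(f"value name {name!r} does not match path in data {data!r}")
    parts = data[len(prefix):].split(":", 2)
    if len(parts) != 3:
        raise ValueError(f"malformed entry data: {data!r}")
    scope, state, description = parts
    return FirewallException(name, scope, state, description)


def audit(entries: Dict[str, str], approved: Set[str]) -> List[str]:
    """Return one finding per entry that should not be in the list.

    Flags entries whose data is malformed or inconsistent with the value
    name, and any Enabled exception for an executable not on the approved
    list. Disabled exceptions are not reported.
    """
    approved_norm = {_norm(p) for p in approved}
    findings: List[str] = []
    for name, data in entries.items():
        try:
            exc = parse_entry(name, data)
        except ValueError as err:
            findings.append(f"SUSPICIOUS (malformed): {err}")
            continue
        if exc.state.casefold() != "enabled":
            continue
        if _norm(exc.path) not in approved_norm:
            findings.append(
                f"UNAPPROVED: {exc.path} scope={exc.scope} desc={exc.description!r}")
    return findings


# Constructed sample: two stock entries, one disabled entry, one enabled
# entry for an unknown executable, and one entry whose data was rewritten.
SAMPLE_ENTRIES = {
    r"%windir%\system32\sessmgr.exe":
        r"%windir%\system32\sessmgr.exe:*:Enabled:@xpsp2res.dll,-22019",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
    r"C:\Program Files\Foo\foo.exe":
        r"C:\Program Files\Foo\foo.exe:LocalSubNet:Disabled:Foo Updater",
    r"C:\Documents and Settings\user\Local Settings\Temp\svchosts.exe":
        r"C:\Documents and Settings\user\Local Settings\Temp\svchosts.exe"
        r":*:Enabled:Windows Update Helper",
    r"C:\Program Files\Real\realplay.exe":
        r"C:\Temp\dropper.exe:*:Enabled:RealPlayer",
}

# Hypothetical baseline of executables allowed to hold an exception.
APPROVED = {
    r"%windir%\system32\sessmgr.exe",
    r"C:\Program Files\Messenger\msmsgs.exe",
}


def run_sample() -> List[str]:
    """Audit the constructed sample against the hypothetical baseline."""
    return audit(SAMPLE_ENTRIES, APPROVED)


if __name__ == "__main__":
    print(f"Auditing {LIST_KEY}")
    for finding in run_sample():
        print(finding)
```

Run on the sample, the audit reports two findings: the enabled exception for the executable in a Temp directory, and the entry whose data names a different executable than its value name. Comparing the live list against a baseline taken from a known-good build turns Thor's point into a routine check: the list is intended functionality, so the control is knowing what is in it, and an unexpected entry is evidence that something already ran with Administrator rights.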
