Ethical Hacking

Learn to find vulnerabilities before the bad guys do! Gain real world hands on hacking experience in our state of the art hacking lab. Course designed and taught by expert instructors with years of penetration testing experience. 12 student maximum in every class. Certification attempt included in every package.
Computer Forensics Training at InfoSec Institute

Gain the in-demand skills of a certified computer examiner, learn to recover trace data left behind by fraud, theft, and cybercrime perpetrators. Discover the source of computer crime and abuse at your organization so that it never happens again. All of our class sizes are guaranteed to be 12 students or less to facilitate one-on-one interaction with one of our expert instructors.




Network Security Bugtraq
[Top] [All Lists]
<prev [Date] next>
[Advanced]
 <prev [Thread] next>

Re: Microsoft Windows XP SP2 Firewall issue

from [Thor (Hammer of God)] Network Security [Permanent Link]
Subject: Re: Microsoft Windows XP SP2 Firewall issue
Date: Mon, 27 Mar 2006 14:39:49 -0800 
If you're going to get someone to run the mytrojan.exe file, why not just
have it add itself to the exception list for you?  I've said it a million
times, and here is a million-and-one: When a statement starts off with "If I
get someone to run X on their their system, I can," then it doesn't matter
how it ends. 

t


On 3/24/06 2:34 AM, "edubp2002@hotmail.com" <edubp2002@hotmail.com> wrote:


Windows XP firewall had improvements after SP2 and it display alerts about
programs trying to listen on a port (acting as a 'server') to the users. It
doesnt display the path for the file nor the last extension, instead, it only
displays its description or name without the final extension.

if u place a trojan with 'no name' in some dir, windows firewall will
mistakenly alert about a 'folder name\', this can be misused to trick people
into giving access to a malicious application thinking it is a legitim one.
example below will make people think Internet Explorer is asking for access,
when actually,it is not! :

==============example============================
in a cmd prompt:
copy mytrojan.exe "\program files\Internet Explorer\.exe"
cd \program files\internet explorer
start .exe 
=================================================
An alert will show up saying 'Internet Explorer\' has been blocked and will
ask if you want unblock it when it should alert about '.exe'.This could trick
most people into thinking the firewall alerted about a well known legitim
application.

another issue with the firewall is using NTFS alternate data streams. if u
execute a file that is 'forked' to another one, no alerts will show up, not at
all, but I dont think this is a security issue since on the computers I tested
I wasnt able to direct connect.
example:

===============================================
in a cmd prompt:
type c:\mytrojan c:\windows\notepad.exe:mytrojan.exe
start c:\windows\notepad.exe:mytrojan.exe
===============================================
no alerts ;)

ps: every exploit code or details about a vulnerability here in Securityfocus
are not found.
when you click in the exploit menu of any vulnerability and there is some kind
of exploit code attached it will return an error such as 'the document you are
looking for cannot be found' ... just like a broken link. and this issue is
happening for some weeks. is this an error ?... waiting feedback on this
issue.
cheers,
Edu
[More messages with this same subject...]




<Prev in Thread] Current Thread [Next in Thread>
Previous by Date:  Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow), Casper . Dik
Next by Date:  [Full-disclosure] Re: Critical PHP bug - act ASAP if you are runningweb with sensitive data, FuntKlakow
Previous by Thread:  Microsoft Windows XP SP2 Firewall issue, edubp2002
Next by Thread:  XSS & SQL Injection in Music Box v2.3, xx_hack_xx_2004
Indexes:  [Date] [Thread] [Top] [All Lists]