Multiple Firewall Products Bypass Vulnerability

Tags: no_tag, 03.01.2005

Online URL : http://ferruh.mavituna.com/article/?769

This is a generic problem of common personal firewall products that accept keyboard shortcuts, or provide an interface that can be clicked, without requiring a password for controlled actions (acting as a server by listening on ports, executing another program, connecting to another computer, etc.).

Download Advisory & Proof of Concept Files

Download firewallbypass.zip (10Kb)
MD5 : C900DF152A42A214A17F2D8251AC380D

  1. bypassSendKey.vbs, 7C9CA4E80540545D1EF4045943CCFE85
  2. mousecontrol.txt, 6895FE919B2A41AA50C544596B15F552
  3. Multiple Firewall Bypass Vuln.txt, FDDB25C7EB54AE672B700BB50D86EC5C
  4. testFirewall.vbs, 41EA4A56C61A8419433696AC6A11C62B
  5. anti-hacker.vbs, 71B7428241F3863A0AFCD4DDE9F87EB7
  6. Kerio.vbs, 945B199C4E3EC8EE99AFD84B613A12DE
  7. norton.vbs, 5E1FB3678A6E83ED22E601F20B2C0AD3
  8. outpost.vbs, 6B3C76D4B0810510FF2C5CAF0D7BC666
  9. ZoneAlarm.vbs, A2B9213D8DE6F176342AF7BFDB5B724A

Windows MD5 Checksum Tool

Problem;

Most personal firewalls allow keyboard shortcuts, or a clickable interface, for controlling traffic. It's simple to bypass these firewalls with a multithreaded program that sends keystrokes or controls the mouse.

This flaw means that any Trojan or similar program can easily bypass the firewall and act as a server or access another computer. Also, most of these firewalls have a "remember" option, so once the firewall has been bypassed and successfully exploited, it will never ask again.

This is a threat similar to shatter attacks, but with a different method and impact.

Vulnerable Products (Sending Key Method and Mouse Control);
These products are vulnerable to both the "Sending Key Method" and the "Mouse Control Method".

Test Platforms;
Fully patched Windows XP Professional and Windows 2003 Enterprise Edition (May 19, 2004 - 01.01.2005)

  1. ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
    1. 4.5.530.000 - Tested
    2. 4.5.538.001 - Tested
    3. 5 and newer versions are not vulnerable.
  2. Kerio (www.kerio.com)
    1. 4.0.14 - Tested
    2. All Versions
  3. Agnitum Outpost Firewall (www.agnitum.com)
    1. 2.1.303.4009 (314) - Tested
    2. 2.5.369.4608 (369) - Tested
    3. All Versions
  4. Kaspersky Anti-Hacker (www.kaspersky.com)
    1. 1.5.119.0 - Tested
    2. All Versions
  5. Look 'n' Stop (www.looknstop.com)
    1. 2.04p2 - Tested
    2. All Versions
  6. Symantec's Norton Personal Firewall (www.norton.com)
    1. 2004 - Tested
    2. All Versions

Vulnerable Products (Mouse Control);

These products are only vulnerable to the "Mouse Control Method": they don't accept shortcuts, but they are still vulnerable to "Mouse Control" attacks.

  1. Panda Platinum Internet Security
    1. 8.03 - Tested
    2. All Versions
  2. Omniquad Personal Firewall
    1. 1.1 - Tested
    2. All Versions


Proof of Concept;

Two proofs of concept are attached to the advisory (along with some other POCs for specific firewalls).

The first POC (bypassSendKey.vbs) is written in VBScript (.vbs). This POC includes the required samples for ZoneAlarm, Kerio, Agnitum, Kaspersky Anti-Hacker, Look 'n' Stop and Symantec's Norton Personal Firewall. The script launches a second instance of itself for multithreading and sends shortcuts to the firewall while the first instance tries to connect to the internet. I didn't write a function to auto-detect the firewall (but it's easy to do), so you need to set it yourself.

The second (bypassMouseControl.txt) simulates an example of bypassing the ZoneAlarm firewall with mouse control; the code is in VB.NET. The program does not use real multithreading, because some firewalls interrupt the execution of the program directly, so the program launches another instance of itself with an argument.

Both of them add themselves to the firewall's trusted application list and then bypass the active firewall.

I also attached testFirewall.vbs for testing your firewall's application control.

Solution;

All firewalls should require a password for every kind of "Allow" action. Passwords can in fact be fooled, because of their nature, but a password prompt is the best user-friendly and secure solution for protection.

As a user of these firewalls, if your firewall supports a "deny all by default" option, enable it so that your firewall denies all connections by default. After that you can manually select the programs you want to allow.
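The "deny all by default" recommendation, as an added example that is not part of the original advisory: it applies the same idea to the built-in Windows Defender Firewall (which is not one of the products tested above), so that the allow/deny decision comes from a static rule set instead of an interactive prompt that synthetic keystrokes or mouse clicks could answer. The rule name and program path are placeholder assumptions; run in an elevated PowerShell session.

```powershell
# Added example (not from the original advisory). Target: the built-in
# Windows Defender Firewall, which the advisory does not cover; the rule
# display name and program path below are placeholders for illustration.

# 1. Inspect the current default outbound action for each profile.
#    "Allow" here means any program may connect unless a block rule exists.
Get-NetFirewallProfile |
    Select-Object Name, Enabled, DefaultInboundAction, DefaultOutboundAction

# 2. Switch every profile to "deny all by default" for outbound traffic.
#    From now on a program can only connect if an explicit allow rule names it.
Set-NetFirewallProfile -Profile Domain, Private, Public -DefaultOutboundAction Block

# 3. Allow only the programs you choose, by path. There is no "Allow" dialog
#    involved, so there is nothing for SendKeys or a moved mouse pointer to click.
New-NetFirewallRule -DisplayName 'Allow Example Browser Outbound' `
    -Direction Outbound `
    -Action Allow `
    -Program 'C:\Program Files\ExampleBrowser\browser.exe'   # placeholder path

# 4. Verify the result: every profile should now report Block for outbound,
#    and the explicit allow rule should be present and enabled.
Get-NetFirewallProfile | Select-Object Name, DefaultOutboundAction
Get-NetFirewallRule -DisplayName 'Allow Example Browser Outbound' |
    Select-Object DisplayName, Enabled, Direction, Action
```

Before switching the default to Block, review the existing outbound allow rules (`Get-NetFirewallRule -Direction Outbound -Action Allow`) so that update services and other essential programs keep working.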

Final Words;

This is a methodology for bypassing interactive firewalls, so it's possible that this advisory affects other firewalls on the market. It's also possible that future firewalls will be affected. I think that for now this is a serious problem for firewalls, until they implement a password, or a randomly generated text that a human must type, for "Allow/Deny" actions.

History;

Discovered: 03.05.2004
Vendors Informed: 28.08.2004
Published: 03.01.2005

Vendors Status;

Special thanks to ZoneLabs Team.


Ferruh Mavituna

Web Application Security Specialist

http://ferruh.mavituna.com

ferruh{at}mavituna.com


watchguard firewall - 03.12.2005

Are there any other flaws in the WatchGuard firewall (software along with hardware arrangement)? If so, what are they? In what ways is the firewall bypassed, and how do you fix the vulnerabilities?

re: Multiple Firewall Products Bypass Vulnerability - 05.01.2005

Hi,

can you please tell me, how ZoneAlarm fixed the problem? Does it now _always_ require password authentication? Or is it another method?

Thank you!

Regards,
anvil
