Writing Trojans that bypass the Windows XP Service Pack 2 Firewall

Windows XP Service Pack 2 incorporates many enhancements intended to better protect systems from malware and other forms of attack. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this firewall is the ability to let users decide which applications may listen on the network. By allowing users to control which applications can communicate on the network, Microsoft believes that systems will be protected against threats such as trojans. Like so many things Microsoft says, this is inaccurate: in fact it is very easy for locally executing code to bypass the Windows firewall. So don't worry, you aspiring Trojan developers, you're still going to be able to Trojan consumer and corporate systems to your heart's content.

Attached to this email is proof-of-concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust the firewall places in sessmgr.exe. Simply compile this program and run it as any local user. To test whether the firewall has been bypassed (it has!), telnet from another machine to the target machine on port 333; if you are connected, you have successfully bypassed the Windows XP Service Pack 2 Firewall.

It is amazing to watch how the release of Windows XP Service Pack 2 has affected the computing industry. It is as if people are yearning for a cure so badly that they will happily drink the Kool-Aid and believe Microsoft's mantra, if for no other reason than the hope of security. In this belief, few are left standing to question the motivations and misguided nature of Windows XP Service Pack 2, and of security from Microsoft in general. The security enhancements of Service Pack 2 are not targeted at helping corporations solve their Microsoft-related security problems. Even in the case of security for home users, Microsoft has failed to provide any real value. Instead they have provided confusion and misguided trust.
The first security enhancement of Service Pack 2 is that Microsoft conducted a large-scale source code audit to flush out outstanding bugs in the XP and 2003 codebase. Through the use of source code analysis tools (PREfast and PREfix) and outside consultants, Microsoft hoped to fix the majority of buffer overflows and other commonly discovered vulnerabilities. This is probably the only valid security effort on Microsoft's part in Service Pack 2. Indeed, many bugs have been identified and silently fixed in Service Pack 2. In fact, so many security bugs have been fixed by Microsoft's source code audit that if you are running a Windows XP system without SP2, you are leaving yourself at great risk of being compromised.

It is easy to understand why some people would want to pat Microsoft on the back for this effort. But for those of you who have invested millions of dollars in Windows 2000, it is easy to understand why you might feel that Microsoft has wronged you. In fact you might feel more than wronged when Microsoft tells you that their answer for better security is to buy their new operating system. You might feel like Microsoft is the company selling you their sickness one year, and their cure the next.

You also have to understand that there is a lot of shared code between Windows 2000 and Windows XP. What is the significance, you ask? Microsoft has found and fixed numerous vulnerabilities in Windows XP with the release of Windows XP SP2. These vulnerabilities also exist within Windows 2000. However, there is no current plan for Microsoft to release a Security Service Pack for Windows 2000, nor to do anything to fix the now-known vulnerabilities (hundreds of them) that exist in Windows 2000. Again you are left with a choice: upgrade for a price, or be vulnerable. Is this not gross negligence and extortion? This goes beyond any analogies of car tires exploding and the liability of car manufacturers.
It is a fact that right now Microsoft knows of insecurities within the Windows 2000 operating system and has no plan to do anything about them. The United States government, the Department of Homeland Security, foreign governments, large financial institutions: you are at the mercy of a company drunk on ego. You ask for security, but like Microsoft, it is not a real priority for you. If it were, you would not let yourselves be so easily bullied by a software company that is powerless against you if you chose to take a stand and demand better not only with your words, but with your actions.

Another security enhancement of Service Pack 2 is better protection around executable code, to help prevent the propagation of viruses and malware. One of the ways Microsoft has tried to fight off malware and viruses is by adding an extra layer to the decision-making process of a user trying to run such a program. This added layer uses code signing to attempt to verify trusted content. If a program is not signed by a trusted source, the user is notified of this and can allow or deny the program. This is another short-sighted feature on Microsoft's part, as it does not add any real benefit to corporations or home users. The way this is going to work in the real world is that now, instead of a user running a program or saying yes to an ActiveX control, they are going to be prompted a second time and told "This code has not been signed, are you sure you want to execute it?", or in more realistic terms, "Hello, this is your computer speaking. Are you sure you want to perform the action that you already told me you want to perform?" You cannot expect a home user or your average corporate user to understand what code signing is, or to know whether executable content is coming from a trusted source. This is another exercise on Microsoft's part in creating the illusion of safety, much like airport guards carrying M-16 rifles.
There is no real security value in this, and if there were, then why not provide this "needed" security functionality to older operating systems which Microsoft still "supports"? Even in the case of web browser security enhancements, such as the Internet Explorer enhancements Microsoft has added to XP SP2, Microsoft will not provide those enhancements for the Windows 2000 platform. You can always pay to upgrade your corporate desktop licenses to this supposedly more secure operating system. If Microsoft really believed these security enhancements were beneficial and needed, then why not provide them to users of their other "supported" operating systems?

The single most misunderstood security enhancement of Windows XP Service Pack 2 is the new and improved firewalling capability. It is amazing to see people talking about the Windows XP SP2 firewall as if it actually adds protection to corporations and organizations using Microsoft Windows. In truth the Service Pack 2 firewall does more harm than good, because too many people have fallen under the mistaken idea that the firewall is going to protect them from attack. This false belief will cause companies to depend too much on a technology that cannot live up to their expectations. This notion of the Service Pack 2 firewall protecting you from attack is not something that IT people have dreamed up themselves; it is something Microsoft reinforces in all of its messaging about XP SP2. In reality the XP SP2 firewall does nothing to help corporations stay protected against the latest worm threat. The way this firewall attempts to keep a system secure is by filtering the various protocols and ports which are potentially vulnerable to worms. For example, if you were to block ports 135, 137, 139, 445, etc., you would have been "safe" against two of the biggest worms this year: Blaster (RPC/DCOM on TCP 135) and Sasser (LSASS on TCP 445).
In this example the Windows XP Service Pack 2 firewall would have protected your system against infection. The only problem is that this scenario does not work in the real world. The reason is that these ports are the same ports Microsoft Windows uses for file sharing, system and domain management, and various other functionality that IT professionals require to manage Windows-based systems. So in an effort to protect your organization, you would in turn create a denial of service and cripple your ability to manage your environment. Microsoft does recommend making things like file sharing and Windows management available only to other systems on your local subnet; however, for a lot of organizations your domain controllers, file servers and IT management systems are not going to sit on the same /24 subnet as the desktops. Therefore you have to open these ports to the rest of your network, which means you are now back to square one and wide open to attack.

Beyond all of these usability problems and the false sense of security, the Windows XP SP2 firewall is simply flawed as a program, as illustrated at the beginning of this email by the bypass attack. When all the dust has settled around Windows XP SP2, people will see that vulnerabilities have continued to be discovered, systems compromised, and worms released. The only difference is that you will have the appearance of security, because Microsoft will be able to show pretty graphs and charts about how Windows XP SP2 and Windows 2003 have had fewer vulnerabilities than other OSs like Windows 2000. This is also largely because of monthly patching schedules and the bundling of multiple vulnerabilities within a single patch, all to show downward trends in vulnerability counts.
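The following audit script is an added example; it is not the sessmgr.c attachment, does not reproduce the bypass, and is written from the defender's side. It shows the two things the bypass above leans on: the firewall's exception list is keyed to program image paths (so any process running under a trusted image such as sessmgr.exe inherits its exception, whoever started it), and each exception carries a remote-address scope, which is where Microsoft's "local subnet only" recommendation from the previous paragraph lives. It assumes Windows XP SP2 or later with the Windows Firewall service running, PowerShell 2.0 or later installed (not present on a stock XP SP2 machine), and the firewall's own HNetCfg.FwMgr COM management object. Port 333 is the port the post's PoC listens on.

```powershell
# Added audit script; not the post's sessmgr.c and not a reproduction of the bypass.
# Assumptions: XP SP2+ with the Windows Firewall service running, PowerShell 2.0+,
# and the HNetCfg.FwMgr COM object (the firewall's management API). Port 333 is the
# PoC's listening port from the post.

function Get-FirewallAppExceptions {
    $mgr       = New-Object -ComObject HNetCfg.FwMgr
    $fwProfile = $mgr.LocalPolicy.CurrentProfile

    Write-Host ("Firewall enabled: {0}; exceptions allowed: {1}" -f `
        $fwProfile.FirewallEnabled, (-not $fwProfile.ExceptionsNotAllowed))

    foreach ($app in $fwProfile.AuthorizedApplications) {
        if (-not $app.Enabled) { continue }
        $image = $app.ProcessImageFileName
        # The exception is keyed to this image path. Whatever runs under that image,
        # regardless of which user launched it or what code it ends up executing,
        # inherits the permission to listen.
        $scope = $app.RemoteAddresses   # "*" = any remote host, "LocalSubnet" = subnet only
        $flags = @()
        if ($scope -eq '*')                      { $flags += 'OPEN-TO-ANY' }
        if ($image -match '(?i)\\sessmgr\.exe$') { $flags += 'TRUSTED-IMAGE-USED-BY-POC' }
        New-Object PSObject -Property @{
            Name  = $app.Name
            Image = $image
            Scope = $scope
            Flags = ($flags -join ',')
        }
    }
}

function Get-TcpListenerOwner([int]$Port = 333) {
    # netstat -ano columns: Proto, Local Address, Foreign Address, State, PID
    $pattern = "^\s*TCP\s+\S+:$Port\s+\S+\s+LISTENING\s+(\d+)\s*$"
    $hits = netstat -ano | Select-String -Pattern $pattern
    if (-not $hits) {
        Write-Host "Nothing is listening on TCP $Port; the PoC listener is not active."
        return
    }
    foreach ($hit in $hits) {
        $ownerPid = [int]$hit.Matches[0].Groups[1].Value
        $proc     = Get-Process -Id $ownerPid -ErrorAction SilentlyContinue
        $name     = if ($proc) { $proc.ProcessName } else { 'unknown' }
        Write-Host ("TCP {0} is LISTENING, owned by PID {1} ({2})." -f $Port, $ownerPid, $name)
        Write-Host "If that process name matches an image on the exception list, the listener"
        Write-Host "was admitted on the image's trust alone, not on anything about the code inside it."
    }
}

Get-FirewallAppExceptions | Format-Table Name, Image, Scope, Flags -AutoSize
Get-TcpListenerOwner -Port 333
```

Reading the policy through HNetCfg.FwMgr works as an ordinary user; only changing it needs administrator rights. Run the script before and after launching the PoC and compare: the exception list does not change (nothing was added to it), yet the second function shows a live LISTENING socket on 333, which is the whole point of piggybacking on an already-trusted image. Any row flagged OPEN-TO-ANY is an exception reachable from every host on the network, exactly the configuration the preceding paragraph says most organizations are pushed into once their servers are not on the desktops' subnet.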
It is as if they are trying to rub in the fact that they have so much power over you that they can knowingly leave you vulnerable, force you to pay them money to upgrade to security, and then tell the whole world they made you do it, and that if the rest of you don't, your systems are going to be compromised next. Compound that with the fact that the systems they are forcing you to upgrade to are not that much more secure, and ask yourselves how you have let such a monopoly gain so much control over HOW YOU DO BUSINESS and HOW YOU MANAGE YOUR LIFE. We can all do better; this is not how technology has to be.
Attachment:
sessmgr.c
Description: Binary data