
Writing Trojans that bypass Windows XP Service Pack 2 Firewall

Windows XP Service Pack 2 incorporates many enhancements to try to better
protect systems from malware and other forms of attacks. One of those
layers of protection is the Windows XP SP2 Firewall. One of the features
of this firewall is the ability to allow users to decide what applications
can listen on the network. By allowing users to control what applications
can communicate on the network, Microsoft believes that systems will
be protected against threats such as trojans. Like so many things Microsoft
says, this is inaccurate and in fact it is very easy for locally executing
code to bypass the Windows firewall. So don't worry, you aspiring Trojan
developers, you're still going to be able to Trojan consumer and corporate
systems to your heart's content.

Attached to this email is proof of concept code that demonstrates how
a Trojan could bind to a port and accept connections by piggybacking
on the inherent trust of sessmgr.exe. Simply compile this program and
run it as any local user. To test whether the firewall has been bypassed (it
is!), telnet from another machine to the target machine on port 333; if
you're connected, then you've successfully bypassed the Windows XP Service
Pack 2 Firewall.
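The bypass described above works because the firewall trusts a program, not a socket, so from the defender's side the extra port shows up in the listening-socket table rather than in the exception list. The following Python script is an added example, not the attached proof of concept and not code from the original post: it parses constructed `netstat -ano` and `tasklist` output, joins the two on PID, and reports any TCP listener that a per-image baseline does not expect. The BASELINE mapping, the process names, PIDs and ports in the sample text are all assumptions made for the example.

```python
"""Audit listening TCP sockets against a per-program port baseline.

Added example (not from the original post or its attachment). A firewall
exception granted to a program cannot tell that program's own listener from
one opened on its behalf, so the socket table is where an unexpected port
becomes visible. All sample text and baseline values below are constructed.
"""
import re

# Constructed sample in the layout of `netstat -ano` on Windows XP.
NETSTAT_SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       932
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:333            0.0.0.0:0              LISTENING       1740
  TCP    192.168.1.10:1052      10.0.0.5:80            ESTABLISHED     2208
  UDP    0.0.0.0:445            *:*                                    4
"""

# Constructed sample in the layout of `tasklist`.
TASKLIST_SAMPLE = """
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System                         4 Console                 0         236 K
svchost.exe                  932 Console                 0       4,880 K
sessmgr.exe                 1740 Console                 0       3,104 K
iexplore.exe                2208 Console                 0      21,512 K
"""

# Assumed baseline: TCP ports each image is expected to listen on.
# These are assumptions for the example, not a vendor-published list.
BASELINE = {
    "System": {445},
    "svchost.exe": {135},
    "sessmgr.exe": set(),   # assumption: no inbound listener expected
}

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$")
TASKLIST_RE = re.compile(r"^(\S+)\s+(\d+)\s+\S+\s+\d+\s+[\d,]+ K\s*$")


def parse_listeners(netstat_text):
    """Return a list of (port, pid) for TCP sockets in LISTENING state."""
    out = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if m:
            out.append((int(m.group(2)), int(m.group(3))))
    return out


def parse_tasklist(tasklist_text):
    """Return a dict mapping pid -> image name."""
    out = {}
    for line in tasklist_text.splitlines():
        m = TASKLIST_RE.match(line)
        if m:
            out[int(m.group(2))] = m.group(1)
    return out


def audit(netstat_text, tasklist_text, baseline):
    """Return (image, port, pid) for every listener the baseline does not cover."""
    images = parse_tasklist(tasklist_text)
    findings = []
    for port, pid in parse_listeners(netstat_text):
        image = images.get(pid, "<unknown pid>")
        if port not in baseline.get(image, set()):
            findings.append((image, port, pid))
    return findings


if __name__ == "__main__":
    for image, port, pid in audit(NETSTAT_SAMPLE, TASKLIST_SAMPLE, BASELINE):
        print(f"unexpected listener: {image} (pid {pid}) on TCP/{port}")
```

Run against the constructed samples, the script reports only the listener on port 333 owned by sessmgr.exe; the baseline is the part that has to be maintained per build, since the firewall's own exception list will look clean.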

It is amazing to watch how the release of Windows XP Service Pack 2 has
affected the computing industry. It is as if people are yearning for
a cure so badly that they will happily drink the Kool-Aid and believe
Microsoft's mantra. If for no other reason than the hope of security.
In this belief though few are left standing to question the motivations
and misguided nature of Windows XP Service Pack 2 and security in general
from Microsoft.

The security enhancements of Service Pack 2 are not targeted at helping
corporations solve their Microsoft related security problems. Even in
the case of security for home users Microsoft has failed to provide any
real value. Instead they have provided confusion, and misguided trust.

One of the first security enhancements of Service Pack 2 is the fact
that Microsoft conducted a large scale source code audit to flush out
any outstanding bugs that might exist within the XP and 2003 codebase.
Through the use of source code analysis tools (PREfast and PREfix) and
outside consultants, Microsoft has hoped to fix the majority of buffer
overflows, and other commonly discovered vulnerabilities. This is probably
the only valid security effort on Microsoft's part for Service Pack 2.
Indeed many bugs have been identified and silently fixed within Service
Pack 2. In fact so many security bugs have been fixed by Microsoft's
source code audit that if you're running a Windows XP system without
SP2 then you're leaving yourself at great risk to being compromised.
It is easy to understand why some people would want to pat Microsoft
on the back for this effort. But for those of you who have invested millions
of dollars in Windows 2000, it is easy to understand why you might feel
that Microsoft has wronged you. In fact you might feel more than wronged
when Microsoft tells you that their answer for better security is to
buy their new operating system. You might feel like Microsoft is the
company selling you their sickness, and the next year, their cure. 

You also have to understand that there is a lot of shared code between
Windows 2000 and Windows XP. What is the significance you ask? Microsoft
has found and fixed numerous vulnerabilities in Windows XP with the release
of Windows XP SP2. These vulnerabilities also exist within Windows 2000.
However, there is no current plan for Microsoft to release a Security
Service Pack for Windows 2000, nor to do anything to fix the now known
vulnerabilities (hundreds of them) that exist in Windows 2000. Again you are left with
a choice, upgrade for a price, or be vulnerable. Is this not gross negligence
and extortion? This goes beyond any analogies of car tires exploding
and the liability of car manufacturers. It is a fact that right now Microsoft
knows of insecurities within the Windows 2000 operating system and they
have no plan to do anything about it. The United States government, Department
of Homeland Security, foreign governments, large financial institutions:
you are at the mercy of a company drunk on ego. You ask for security
but like Microsoft, it is not a real priority to you. If it was then
you would not let yourselves be so easily bullied by a software company
who is powerless against you, if you chose to take a stand and not only
demand better by your words, but by your actions.

Another security enhancement of Service Pack 2 is better protection around
executable code, to help prevent the propagation of virus and malware
programs. One of the ways that Microsoft has tried to help fight off
malware and virus programs is by adding an extra layer into the decision
making process of a user trying to run a virus or malware program. This
added layer uses code signing to attempt to verify trusted content. If
a program is not signed by a trusted source then a user is notified of
this and that user can allow or deny the program. This is another short
sighted feature on Microsoft's part as it does not add any real benefit
to corporations or home users. The way that this is going to work in
the real world is that now instead of a user running a program, or saying
yes to an ActiveX control, they are going to be prompted a second time
and told "This code has not been signed, are you sure you want to execute
it?" or in more realistic terms "Hello, this is your computer speaking.
Are you sure you want to perform the action that you already told me
you want to perform?" You can not expect a home user or your average
corporate user to understand what code signing is or to know if executable
content is coming from a trusted source or not. This is another exercise
on Microsoft's part in creating the illusion of safety, much like airport
guards carrying M-16 rifles. There is no real security value in this,
and if there was, then why not provide this "needed" security functionality
to older operating systems which Microsoft still "supports". Even in
the case of web browser security enhancements, such as the Internet Explorer
enhancements that Microsoft has added to XP SP2, Microsoft will not provide
those security enhancements for the Windows 2000 platform. You can
always pay to upgrade your corporate user desktop licenses to this supposedly
more secure operating system. If Microsoft really believed these security
enhancements were beneficial and needed then why not provide them to
their users of other "supported" operating systems?

The single most misunderstood security enhancement of Windows XP Service
Pack 2 is the new and improved firewalling capabilities. It is amazing
to see people talking about the Windows XP SP2 firewall as if it actually
adds protection to corporations/organizations using Microsoft Windows.
In truth the Service Pack 2 firewall does more harm than good because
too many people have fallen under the mistaken idea that the firewall
is going to protect them from attack. This false belief will cause companies
to depend too much on a technology that cannot live up to their expectations.
This notion of the Service Pack 2 firewall protecting you from attack
is not something that IT people have dreamed up themselves, this is something
that Microsoft reinforces in all of their messaging about XP SP2. In
reality the XP SP2 firewall does nothing in the way of helping corporations
stay protected against the latest worm threat. The way in which this
firewall attempts to keep a system secure is by filtering/firewalling
the various protocols and ports which are potentially vulnerable to worms.
For example, if you were to block ports 135, 137, 139, 445, etc., you would
have been "safe" against two of the biggest worms this year, Sasser and
Blaster. In this example the Windows XP Service Pack 2 firewall would
have protected your system against infection. The only problem is that
this scenario does not work "in the real world". The reason being that
these ports are the same ports that Microsoft Windows uses for File Sharing,
System and Domain management, and various other functionality that is
required by IT professionals to manage Windows based systems. So in an
effort to protect your organization you would in turn create a denial
of service and cripple your ability to manage your environment. Microsoft
does make recommendations to only make things like File Sharing and
Windows Management available to other systems on your local subnet; however,
for a lot of organizations your domain controller, file servers, and IT management
systems are not going to exist on the same 255 host subnet. Therefore
you have to open these ports to the rest of your network, which
means you are now back to square one and wide open to attack. Beyond
all of these usability and false sense of security problems the Windows
XP SP2 firewall is simply flawed as a program as illustrated in the beginning
of this email by the bypass attack.
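The choice the paragraph above presents is "local subnet only" versus "open to the rest of your network", but the XP SP2 exception scope also has a custom address list, so a defender can name the management subnets instead of the whole network. The Python below is an added example, not Microsoft's firewall code and not part of the original email: it models scoped exceptions for TCP 445 and evaluates which inbound sources get through under each policy. Treating a custom list as "CIDR entries plus an optional LocalSubnet entry" is an assumption of the model, and every address is constructed.

```python
"""Model of scoped firewall exceptions (added example, not from the original
post). The scope for a port is either LOCAL_SUBNET, standing in for the
XP SP2 "My network (subnet) only" option, or a custom list whose entries
are CIDR strings or LOCAL_SUBNET (assumed semantics). Addresses are constructed."""
import ipaddress

LOCAL_SUBNET = "LocalSubnet"


def _matches(entry, src, local_net):
    """True if src falls inside one scope entry."""
    if entry == LOCAL_SUBNET:
        return src in local_net
    return src in ipaddress.ip_network(entry, strict=False)


def inbound_allowed(exceptions, local_iface, src_ip, port):
    """Decide whether an inbound connection to `port` from `src_ip` is
    accepted. `exceptions` maps port -> scope; `local_iface` is the host's
    own address in CIDR form, e.g. "10.1.5.20/24"."""
    scope = exceptions.get(port)
    if scope is None:
        return False                      # no exception: inbound is dropped
    src = ipaddress.ip_address(src_ip)
    local_net = ipaddress.ip_interface(local_iface).network
    entries = [scope] if scope == LOCAL_SUBNET else scope
    return any(_matches(e, src, local_net) for e in entries)


HOST = "10.1.5.20/24"         # constructed workstation address
SOURCES = {
    "dc": "10.1.100.7",       # constructed domain controller, other subnet
    "worm": "10.1.77.33",     # constructed infected peer, other subnet
    "neighbor": "10.1.5.99",  # constructed peer on the same subnet
}

POLICIES = {
    "no exception":  {},
    "local subnet":  {445: LOCAL_SUBNET},
    "whole network": {445: ["10.0.0.0/8"]},
    "mgmt subnets":  {445: [LOCAL_SUBNET, "10.1.100.0/24", "10.1.101.0/24"]},
}


def evaluate(policies=POLICIES, sources=SOURCES, host=HOST, port=445):
    """Return {policy: {source: allowed}} for each policy and source."""
    return {
        name: {label: inbound_allowed(exc, host, ip, port)
               for label, ip in sources.items()}
        for name, exc in policies.items()
    }


if __name__ == "__main__":
    for name, verdicts in evaluate().items():
        summary = " ".join(f"{k}={'allow' if v else 'drop'}" for k, v in verdicts.items())
        print(f"{name:14s} {summary}")
```

The "mgmt subnets" policy lets the domain controller and same-subnet peers in while dropping the infected host on an unrelated subnet; the "whole network" policy is the back-to-square-one case the paragraph describes. The model says nothing about a host on one of the listed management subnets being infected, which is exactly the exposure the paragraph is arguing about.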

When all the dust has settled around Windows XP SP2 people will see that
vulnerabilities have continued to be discovered, systems compromised,
and worms released. The only difference is that you will have the appearance
of security because Microsoft will be able to show pretty graphs and
charts about how Windows XP SP2 and Windows 2003 have had fewer vulnerabilities
than other OS's like Windows 2000. This is also largely in part because
of monthly patching schedules and bundling of multiple vulnerabilities
within a single patch, all to show downward trends in vulnerabilities.
It is like they are trying to rub in the fact that they have so much
power over you that they can knowingly leave you vulnerable, force you
to pay them money to upgrade to security, and then tell the whole world
they made you do it, and if the rest of you don't, then your systems
are going to be compromised next. Compound that with the fact that the
systems they are forcing you to upgrade to are not that much more secure,
and ask yourselves how you have let such a monopoly gain so much control
over HOW YOU DO BUSINESS, HOW YOU MANAGE YOUR LIFE.

We can all do better, this is not how technology has to be.

Attachment: sessmgr.c
Description: Binary data