<<< Date Index >>>     <<< Thread Index >>>

Bypass personal firewall application protection . Again.



Bypass personal firewall  application protection . Again. 
(c)oded by offtopic (offtopic@xxxxxxx) 2004
Special thank to 3APA3A for links to the debuggers for Windows. 

<quote src=  http://www.security.nnov.ru/advisories/bypassing.asp?l=EN >
Personal  firewall  usually restricts access to network to the list of   
allowed  application.  In addition, integrity of these applications is 
controlled to prevent code insertion into executable file. It makes it 
impossible to install trojan application with direct network access.
</qoute>

Modern personal firewalls hook such  unsafe  API calls like WriteProcessMemory 
CreateRemoteThread, and controls modification of trusted application code. Some 
personal firewalls even catch CAT+ sometimes.  
So we got protected  high-privileged  application, which can communicate with 
network,  low-privileged  application   trojan, and personal firewall as access 
control system.  
The best way for bypass any accesses control in windows is a SHATTER attacks.  
Because most if not all of  high-privileged  applications use GUI trojan can 
use window messages to modify application memory and execute code in the 
context of trusted application. 

<quote src=  http://security.tombom.co.uk/shatter.html >
Any application on a given desktop can send a message to any window on the same 
desktop, regardless of whether or not that window is owned by the sending 
application, and regardless of whether the target application wants to receive 
those messages. There is no mechanism for authenticating the source of a 
message; a message sent from a malicious application is indistinguishable from 
a message sent by the Windows kernel. It is this lack of authentication that we 
will be exploiting, taking into consideration that these messages can be used 
to manipulate windows and the processes that own them.
</qoute>


So, attack is very simple:
1. Trojan finds trusted application and appropriate.
2. Trojan inserts shellcode in selected window 

<quote src= http://www.google.com/search?q= input+-+if+crafted '>
+This is generally a very easy thing to do, as any user-supplied input   if 
crafted
correctly   can be interpreted as a sequence of valid CPU instructions+
</quote>

3. Afterward trojan founds shellcode address, and transfer control to the 
shellcode. 

It s not a problem, because 

<quote src= 
http://www.securityassessment.com/Papers/Shattering_By_Example-V1_03102003.pdf >
+even the most obscure of messages can be used to make a process execute code 
that it was not intended to run. 
</quote>

I don t experiment on this too much but several of widely used personal 
firewalls are tested and vulnerable. If any vendors need addition details, they 
can contact me.

Thanks for your attention and sorry for my English.  

(c)oded by offtopic@xxxxxxx