Re: Bypass personal firewall application protection . Again.
Hi,
I actually presented on exactly this topic at the Black Hat Briefings
in Vegas 2003; check out
http://www.blackhat.com/html/bh-media-archives/bh-archives-2003.html#USA-2003
At the time, I even released code to automate a shatter attack into
Internet Explorer via the file->open dialog; there's a lot of content
in both the source code and the powerpoint comments that you'd
probably find rather useful.
Since then, I've seen no indication from any of the personal firewall
vendors that they're actually making any efforts to solve this
problem. Anyone care to step forward and offer (even a partial)
solution?
Cheers,
Chris
--
Chris Paget
ivegotta@xxxxxxxxxxxx
On Tue, 07 Dec 2004 17:50:21 +0300, you wrote:
>Bypass personal firewall application protection . Again.
>(c)oded by offtopic (offtopic@xxxxxxx) 2004
>Special thank to 3APA3A for links to the debuggers for Windows.
>
><quote src= http://www.security.nnov.ru/advisories/bypassing.asp?l=EN >
>Personal firewall usually restricts access to network to the list of
>allowed application. In addition, integrity of these applications is
>controlled to prevent code insertion into executable file. It makes it
>impossible to install trojan application with direct network access.
></qoute>
>
>Modern personal firewalls hook such unsafe API calls like WriteProcessMemory
>CreateRemoteThread, and controls modification of trusted application code.
>Some personal firewalls even catch CAT+ sometimes.
>So we got protected high-privileged application, which can communicate with
>network, low-privileged application trojan, and personal firewall as
>access control system.
>The best way for bypass any accesses control in windows is a SHATTER attacks.
>Because most if not all of high-privileged applications use GUI trojan can
>use window messages to modify application memory and execute code in the
>context of trusted application.
>
><quote src= http://security.tombom.co.uk/shatter.html >
>Any application on a given desktop can send a message to any window on the
>same desktop, regardless of whether or not that window is owned by the sending
>application, and regardless of whether the target application wants to receive
>those messages. There is no mechanism for authenticating the source of a
>message; a message sent from a malicious application is indistinguishable from
>a message sent by the Windows kernel. It is this lack of authentication that
>we will be exploiting, taking into consideration that these messages can be
>used to manipulate windows and the processes that own them.
></qoute>
>
>
>So, attack is very simple:
>1. Trojan finds trusted application and appropriate.
>2. Trojan inserts shellcode in selected window
>
><quote src= http://www.google.com/search?q= input+-+if+crafted '>
>+This is generally a very easy thing to do, as any user-supplied input if
>crafted
>correctly can be interpreted as a sequence of valid CPU instructions+
></quote>
>
>3. Afterward trojan founds shellcode address, and transfer control to the
>shellcode.
>
>It s not a problem, because
>
><quote src=
>http://www.securityassessment.com/Papers/Shattering_By_Example-V1_03102003.pdf
>>
>+even the most obscure of messages can be used to make a process execute code
>that it was not intended to run.
></quote>
>
>I don t experiment on this too much but several of widely used personal
>firewalls are tested and vulnerable. If any vendors need addition details,
>they can contact me.
>
>Thanks for your attention and sorry for my English.
>
>(c)oded by offtopic@xxxxxxx