Re: Microsoft Windows XP SP2 Firewall issue

To: <edubp2002@xxxxxxxxxxx>, Bugtraq <bugtraq@xxxxxxxxxxxxxxxxx>
Subject: Re: Microsoft Windows XP SP2 Firewall issue
From: "Thor (Hammer of God)" <thor@xxxxxxxxxxxxxxx>
Date: Mon, 27 Mar 2006 14:39:49 -0800
In-reply-to: <20060324103446.23933.qmail@xxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Thread-index: AcZR71rbmSssbL3iEdqIGgAWy6MfyA==
Thread-topic: Microsoft Windows XP SP2 Firewall issue
User-agent: Microsoft-Entourage/11.2.3.060209

If you're going to get someone to run the mytrojan.exe file, why not just
have it add itself to the exception list for you?  I've said it a million
times, and here is a million-and-one: When a statement starts off with "If I
get someone to run X on their their system, I can," then it doesn't matter
how it ends. 

t


On 3/24/06 2:34 AM, "edubp2002@xxxxxxxxxxx" <edubp2002@xxxxxxxxxxx> wrote:

> Windows XP firewall had improvements after SP2 and it display alerts about
> programs trying to listen on a port (acting as a 'server') to the users. It
> doesnt display the path for the file nor the last extension, instead, it only
> displays its description or name without the final extension.
> 
> if u place a trojan with 'no name' in some dir, windows firewall will
> mistakenly alert about a 'folder name\', this can be misused to trick people
> into giving access to a malicious application thinking it is a legitim one.
> example below will make people think Internet Explorer is asking for access,
> when actually,it is not! :
> 
> ==============example============================
> in a cmd prompt:
> copy mytrojan.exe "\program files\Internet Explorer\.exe"
> cd \program files\internet explorer
> start .exe 
> =================================================
> An alert will show up saying 'Internet Explorer\' has been blocked and will
> ask if you want unblock it when it should alert about '.exe'.This could trick
> most people into thinking the firewall alerted about a well known legitim
> application.
> 
> another issue with the firewall is using NTFS alternate data streams. if u
> execute a file that is 'forked' to another one, no alerts will show up, not at
> all, but I dont think this is a security issue since on the computers I tested
> I wasnt able to direct connect.
> example:
> 
> ===============================================
> in a cmd prompt:
> type c:\mytrojan c:\windows\notepad.exe:mytrojan.exe
> start c:\windows\notepad.exe:mytrojan.exe
> ===============================================
> no alerts ;)
> 
> ps: every exploit code or details about a vulnerability here in Securityfocus
> are not found.
> when you click in the exploit menu of any vulnerability and there is some kind
> of exploit code attached it will return an error such as 'the document you are
> looking for cannot be found' ... just like a broken link. and this issue is
> happening for some weeks. is this an error ?... waiting feedback on this
> issue.
> cheers,
> Edu
> 
> 
> 
> 
> 
> 
> 
> 
> 
> 
>

References:
- Microsoft Windows XP SP2 Firewall issue
  - From: edubp2002

Prev by Date: Re: SendGate: Sendmail Multiple Vulnerabilities (Race Condition DoS, Memory Jumps, Integer Overflow)
Next by Date: ArabPortal 2.0 Stable CrossSiteScripting
Previous by thread: Microsoft Windows XP SP2 Firewall issue
Next by thread: [DDSi-SA] XSS in Raindance Communications Web Conferencing Pro
Index(es):
- Date
- Thread