
View Full Version : Windows Firewall Has A Backdoor



Jay Calvert
21/02/05, 20:45
By adding a new key to the registry in HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List you can circumvent the whole purpose of the firewall without the user's interaction or knowledge.
Spyware / Adware manufacturers are already doing this.

More information and a little rant at:
http://habaneronetworks.com/viewArticle.php?ID=144


--
Jay Calvert
HabaneroNetworks.com

Chris Wysopal
21/02/05, 23:15
On Sat, 19 Feb 2005, Jay Calvert wrote:

> By adding a new key to the registry in
> HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List
> you can circumvent the whole purpose of the firewall without the user's
> interaction or knowledge. Spyware / Adware manufacturers are already
> doing this.

This is not a backdoor or vulnerability. The default permissions on this
key are Full Control for SYSTEM and Administrators and Read for Users.
The Administrator should be able to configure the firewall to allow
programs to connect outbound.

The security problem that has created the spyware malaise on Windows is
the default Windows installation for home users, which creates the user's
named account in the Administrators group. When this account is used to
browse the internet there is no protection to prevent spyware/malware from
bypassing security mechanisms, such as the XP SP2 firewall, by exploiting
vulnerabilities or tricking the user.

The advent of spyware/malware using NT rootkit technology to hide from AV
and Anti-spyware programs will force Microsoft to change to an
installation where there are 2 accounts, one for administration and a
low permission one for browsing the internet. This has been the standard
for Linux and OS X for years.

-Chris
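The thread's advice of "ensure that there are no unknown exceptions" and Chris's point about the key's default permissions can both be checked from an administrator session. The following audit script is an added example, not code from the thread or from any of its authors; it assumes an XP SP2-style firewall policy, uses the key's full path (which includes CurrentControlSet, elided in the original post), and uses a constructed allowlist of expected executables.

```powershell
# Added example: audit the Windows Firewall exception list and the ACL on its key.
# Run from an administrator session; non-admin users can only read this key.
$ListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

# Constructed allowlist for this example: executables an administrator expects
# to find in the exception list on this machine. Adjust for your environment.
$Expected = @('C:\Program Files\Messenger\msmsgs.exe')

# 1. Who may write the key?  The default is Full Control for SYSTEM and
#    Administrators and Read for Users; any other principal that can set
#    values here can add exceptions and is a finding.
$trusted = '^(NT AUTHORITY\\SYSTEM|BUILTIN\\Administrators)$'
foreach ($ace in (Get-Acl -Path $ListKey).Access) {
    $canWrite = ($ace.RegistryRights -band [System.Security.AccessControl.RegistryRights]::SetValue) -ne 0
    if ($ace.AccessControlType -eq 'Allow' -and $canWrite -and
        $ace.IdentityReference.Value -notmatch $trusted) {
        Write-Warning "Unexpected write access on exception list: $($ace.IdentityReference.Value)"
    }
}

# 2. Walk every exception.  Each value is named after the executable path and
#    its data has the form "<path>:<scope>:<Enabled|Disabled>:<display name>",
#    where a scope of * means any remote address.
$key = Get-Item -Path $ListKey
foreach ($name in $key.GetValueNames()) {
    $data = [string]$key.GetValue($name)
    if (-not ($data -match '^(?<path>.+?\.exe):(?<scope>[^:]*):(?<state>Enabled|Disabled):(?<display>.*)$')) {
        Write-Warning "Unparseable exception entry '$name': $data"
        continue
    }
    $known = $Expected -contains $Matches.path
    [pscustomobject]@{
        Path    = $Matches.path
        Scope   = $Matches.scope
        State   = $Matches.state
        Display = $Matches.display
        Exists  = Test-Path -LiteralPath $Matches.path   # a missing binary is suspicious too
        Finding = if (-not $known -and $Matches.state -eq 'Enabled') { 'UNKNOWN ENABLED EXCEPTION' } else { '' }
    }
}
```

The DomainProfile key alongside StandardProfile holds a parallel List that should be audited the same way.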

Thor
22/02/05, 23:15
You say (or the article does) that "If you are currently using Window's own
firewall to protect you, either ensure that there are no unknown exceptions
or find a better firewall."

Finding a better firewall does absolutely nothing when, as the article
states, "As long as the person currently logged into the computer has
Administrative privileges, an application can easily add an entry into the
HKEY_LOCAL_MACHINE/SYSTEM/Services/.../FirewallPolicy/StandardProfile/AuthorizedApplications/List/
key that will allow any application full rights to and from the computer
without the user's interaction or knowledge."

I've said it a million times-- any text following the words "as long as
you're an admin" might as well be "blah, blah, blah."

Don't run as admin. Oh, I know, here come the "some applications require
admin" responses, but the reality is that most applications can be made to
work perfectly well under a normal user account with the right permission
configurations. Those that can't can easily use "RunAs."

Yes, some users have never heard of "RunAs." Why? Because articles like
this end with "find a better firewall" when they should end with something
that helps educate the reader that running as Admin is dangerous, and that
other methods exist to easily obviate exceptions.

I have over 130 users at my company that run all manner of software, and not
one of them has administrative permissions. Not one. And they don't even
know it.

That's the skinny on that.
t

----- Original Message -----
From: "Jay Calvert" <jcalvert@habaneronetworks.com>
To: <bugtraq@securityfocus.com>
Sent: Saturday, February 19, 2005 12:52 PM
Subject: Windows Firewall Has A Backdoor


> By adding a new key to the registry in
> HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List
> you can circumvent the whole purpose of the firewall without the user's
> interaction or knowledge. Spyware / Adware manufacturers are already doing
> this.
>
> More information and a little rant at:
> http://habaneronetworks.com/viewArticle.php?ID=144
>
> --
> Jay Calvert
> HabaneroNetworks.com

Thor Larholm
22/02/05, 23:25
XPSP2 has a software firewall which, like any other firewall, has a list
of exceptions; being that it is host based, these exceptions are process
based. Having an exceptions list is not a backdoor.

There's no vulnerability or backdoor here, just intended functionality.
You can't add keys to this registry location remotely without first
compromising the machine and gaining Administrator privileges or
convincing the user to infect themselves while they are Administrator.

If you can get malicious code to run on a machine with Administrator
privileges then naturally you can disable the XPSP2 firewall - just like
you can disable, cripple or just plain out uninstall Norton, TrendMicro,
ZoneAlarm, Qwik-Fix, CSA, Entercept or any other application that is
running on the same host.

If you attended the Blackhat 2004 Briefings in Las Vegas you will
remember that Eugene Tsyrklevich had a presentation called "Attacking
Host Intrusion Prevention Systems" in which he demonstrated on-stage how
to completely circumvent McAfee Entercept, a behavioral host based
protection product which tries to limit the actions of malicious code
once it is already running on the machine.

It will always be an uphill battle when you try to clean up or protect
post-compromise; the only sane thing is to try and prevent the
compromise from happening in the first place.

I don't like to quote Microsoft but they deserve kudos when they are
right:

http://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx
10 Immutable Laws of Security
Law #1: If a bad guy can persuade you to run his program on your
computer, it's not your computer anymore


Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
23 Corporate Plaza #280
Newport Beach, CA 92660
http://www.pivx.com
thor@pivx.com
Stock symbol: (PIVX.OB)
Phone: +1 (949) 231-8496
PGP: 0x4207AEE9
B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>

-----Original Message-----
From: Jay Calvert [mailto:jcalvert@habaneronetworks.com]
Sent: Saturday, February 19, 2005 9:53 PM
To: bugtraq@securityfocus.com
Subject: Windows Firewall Has A Backdoor



By adding a new key to the registry in
HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolicy/StandardProfile/AuthorizedApplications/List
you can circumvent the whole purpose of the firewall without the user's
interaction or knowledge. Spyware / Adware manufacturers are already doing this.

More information and a little rant at:
http://habaneronetworks.com/viewArticle.php?ID=144


--
Jay Calvert
HabaneroNetworks.com