The Scream! > COMPUTER RELATED > PC Security

#1
09-November-2001, 15:05
silver
Norton's Personal Firewall and Zonelabs' Zone Alarm Firewall exploits

there's a fix - from http://www.silicon.com/p49001
Two personal firewall applications have been found to pose a serious security threat for home users.

Security experts are warning users of Norton's Personal Firewall and Zonelabs' Zone Alarm Firewall products that a rogue program could steal private user data without being detected by the software.

However, Zonelabs told US wires the security flaw was down to Microsoft. The company claimed hackers can exploit a well-known security flaw in Windows called SetWindowHookEx which allows malicious code to be inserted inside another program.
Authors of firewall-testing software such as FireHole, TooLeaky and YALTA have posted their findings online and advised users to find an alternative security method to protect their personal data.

Both companies have issued patches to fix the flaws, which are available on the companies' websites.
will try to find out more, would be interested in any more info

Sil
#2
09-November-2001, 16:21
silver

some links (not looked at)

http://tooleaky.zensoft.com/
http://keir.net/firehole.html
http://www.fefe.de/pffaq/

Sil
#3
09-November-2001, 16:39
silver

ok - from tooleaky src code
TooLeaky: Trivial Firewall Leak Checker (http://tooleaky.zensoft.com/)
Bob Sundling (tooleaky@zensoft.com)
11/05/2001

This program will penetrate every firewall currently on the market that
claims to offer "outbound" protection, because it does not send or receive
data itself. Instead, it uses a hidden Internet Explorer window to do it.
And, of course, everybody allows Internet Explorer to send and receive data,
otherwise using the Internet would be a big pain in the you-know-what.

This program does two things:

(1) Transmits the string "PersonalInfoGoesHere" to Steve Gibson's web site.
(2) Retrieves a string back from Steve Gibson's web site, stored in the
<TITLE></TITLE> section of a web page.

For a programmer to use this method generically in their application, they
would simply need to replace the URL in this program with a URL from their
own site, change the outputString from "PersonalInfoGoesHere" to any
information they would like to transmit, and then set up their web server to
return the information they would like to retrieve in the <TITLE></TITLE>
block of their page (the first few characters of the title are used as a
unique identifier so this program can find the window, since it doesn't
bother to keep track of the hidden IE window when it's first created). And of
course a programmer could repeat this process to transmit or receive as much
data as they'd like, or use the methods outlined in the code to send or
receive LARGE blocks of data in one fell swoop.

So why did I write this? Because I was starting to get sick of the whole
firewall debate, especially the ongoing feud between Steve Gibson and Network
Ice. Initially Steve said that Network Ice's "Black Ice Defender" product was
no good, and demonstrated that statement by showing that his LeakTest program
could send and receive data through their "firewall" but not through anyone
else's (at least, after they patched their firewalls up a bit). Based on
that, he made the claim that other firewalls like "Zone Alarm" are better.
Network Ice responded by saying that outbound filtering is not important, but
eventually (actually, very recently) they put in a ridiculous block
specifically to prevent Black Ice Defender from allowing Steve's LeakTest
program to work. Steve then countered by correcting his LeakTest program by
making it retrieve data from a different site (his main server), on a
different port (80).

Indeed, once again with this new version, "LeakTest" does get through Black
Ice Defender, but not through other "firewalls" like Zone Alarm, McAfee
Firewall, Sygate Personal Firewall, Norton Firewall, or Tiny Personal
Firewall.

But I believe that real problem here is that Steve is (perhaps quite
unintentionally) simply writing to get around Black Ice Defender
specifically. "LeakTest" does not think "outside the box," and that's why all
those firewalls can "block" Steve's program. If you want to get around a
firewall, and you know that the firewalls check which programs are sending
data, then you shouldn't do it the way Steve has been! :-)

Now, it is true that Steve has been rather busy, and he has been talking
about things like adding "DLL hooking" to LeakTest lately, so I will cut him
some slack here. :-)

So, in an attempt to better educate users about how useless ALL of these
firewall programs really are, I did Steve's LeakTest one better. Like
everyone else, I've seen the LeakTest pages that claim that all these other
firewalls are better than Black Ice Defender. But, in fact all of those
firewalls share one very large problem: their design is inherently flawed by
the operating system they are running on. Basically: If a firewall is going
to allow some program (such as Internet Explorer) to transmit and receive
data over the Internet, and that program allows other programs to control its
actions, then there's no point in blocking anything at all.

Now, of course, this example program is intentionally simple. It could do far
more, such as transmit longer strings, retrieve complete files, etc. I kept
it short and to the point to demonstrate one thing: It doesn't take much to
get around today's so-called "firewalls."

(I was also getting sick of all of Steve Gibson's *GIGANTIC* programs, often
16KB or more, written in massively expansive assembly language. So I wrote
this in C++. The executable file is under 4KB.) ;-) (Sorry Steve, I couldn't
resist.) :-)

Enjoy!

Bob Sundling
tooleaky@zensoft.com
http://toleaky.zensoft.com/
how do you patch against that? I don't think you can; perhaps there's another 'flaw' that they patched against?

I disagree with the proposal that outbound blocking is a waste of time; I think it wards off many types of 'internet trojan' that a firewall without outbound app checking would never see. That said, use of a local proxy with logging would be able to log this activity (there are other ways of logging it as well), so it might well be discovered, though not blocked (not without user intervention).

Another possible remote control app might be something like mIRC with plugins. I think it's been done, with things like mIRC worms. Checksumming mIRC won't tell you about it.

A virus checker can also help, as most 'well known' exploits of this type will get added to the virus .dat files.

Sil
#4
09-November-2001, 16:59
silver

'firehole' is another way of using a trusted app to gain more permissions..

the bit
Both companies have issued patches to fix the flaws and are available on the companies' websites.
still puzzles me, as I can't think of a 'fix' offhand to defend against these types of 'exploits'?

I still disagree that outbound app checksumming is a waste of time (especially as it's easy to find a 'personal firewall' that does it), as it makes a 'hacker's' job harder. I don't think it's possible to be 100% safe, but that's not a good reason to throw something away. Virus checkers aren't guaranteed to find all viruses, but 'well known' ones at least will generally be picked up; no one uses that as a justification to not use a virus checker?

Sil
#5
10-November-2001, 23:19
silver

yalda is at http://www.soft4ever.com/security_test/En/

yalda is a different 'exploit' that relies on making use of parts of the TCP stack that the f/w might not be monitoring (i.e. it slips under the firewall). Apparently Tiny f/w might be vulnerable, but I can't find definite word on this and haven't tried yalda myself.

I've found something about how people are proposing to 'patch' the holes exposed by the 'tooleaky' and 'firehole' 'exploits' (one f/w maker gives some clues). It involves checking the allowed app each time and seeing what its 'parent' is, i.e. what started the app that's currently trying to connect out. While not a Windows programmer (at all), I have some doubts that it's really feasible in the long run to continue with this type of solution; more ways of starting apps and controlling them are probably possible? I have a feeling people are 'patching' the wrong thing, it just doesn't seem right.. but then..

I found most of the info out at the Becky user forums,

http://www.morelerbe.com/cgi-bin/ubb-cgi/ultimatebb.cgi

in the 'look an stop' forum - the guy that writes 'look an stop' is a moderator there. Look an stop is a firewall, but I don't know much more about it.

http://www.looknstop.com/En/index2.htm

Sil
#6
11-November-2001, 20:01
silver

ran yalda on tpfw 2.0.14 and it does indeed leak on the 'extended test' (the one that attempts to bypass most of the TCP stack using its own VxD file). It might be fixed in 2.0.15 (but probably not?). Perhaps 'yalda' is the one most f/w vendors are patching against, since this I think is more important (and I'd have thought more in keeping with what a firewall should be doing!).

Sil
#7
15-November-2001, 16:07
squidgy

Surely this problem could be solved by using a better browser, no?

Mind you, maybe it's not that simple, I guess that any browser can be made to do stuff by another program or virus without the user knowing about it. The more cumbersome solution (which isn't actually a solution at all, but merely an attempt at damage limitation) is to set your firewall so that it always asks you before IE is allowed to connect to the internet. I might try that with Zonealarm, actually, and see how it goes.
#8
15-November-2001, 16:16
squidgy

Hmmm, that's easier said than done. Each time you start internet explorer, that's an instance of it. Even if you right click a link and select "open in a new window", it will still be the same instance of internet explorer. When ZA asks you if you want to allow IE to connect, it remembers that decision for that particular instance of IE. So if you want to connect again, you have to open a separate instance, or use another instance that's already running that you have already allowed to connect.

Mind you, maybe that's not all that bad, if a program is able to start a new instance of IE, but isn't able to take control of one which is already running. Question is, are programs able to do this?

For example, I think that if you do START then a URL or name of an HTML file from the MSDOS prompt, then it will open the location in Internet Explorer. If an instance of Internet Explorer is already running, it will use it. If not, it will open a new one. Or at least I think, anyway. Not sure .... anyone able to shed any more light on this? Thanks.
#9
15-November-2001, 18:56
Ian

Probably the only ways to stop programs like these are:

a) Don't run programs like these
b) Set your firewall to have a whitelist and a blacklist, so any application can access a whitelisted site, no applications could access a blacklisted site, and any sites not in either would pop up a request.

This would be very tedious at first, then as you added your most accessed sites, it would get less tedious.

And of course it won't stop nefarious apps talking to sites in your whitelist...
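As an added example (not code from this thread, nor from any of the firewall products it names), here is a toy model of the two defences proposed above: the "who started this app" parent check from post #5 and the per-site whitelist/blacklist from post #9. The app names, hosts and the trusted-launcher set are constructed sample values.

```python
# Added illustration, not code from the thread or from any firewall vendor: a toy
# policy engine combining the parent-process check (post #5) with a per-site
# whitelist/blacklist (post #9). All names and hosts below are constructed.
from dataclasses import dataclass

ALLOWED_APPS = {"iexplore.exe"}          # apps the user has permitted outbound
TRUSTED_LAUNCHERS = {"explorer.exe"}     # parents that mean "the user started it"
SITE_WHITELIST = {"www.example.com"}     # any app may reach these (post #9's rule)
SITE_BLACKLIST = {"badhost.test"}        # no app may reach these


@dataclass(frozen=True)
class Conn:
    app: str      # image name of the process opening the connection
    parent: str   # image name of the process that launched it
    host: str     # destination host


def decide(c: Conn) -> str:
    """Return 'allow', 'block' or 'ask' for one outbound connection attempt."""
    if c.host in SITE_BLACKLIST:
        return "block"
    if c.host in SITE_WHITELIST:
        # Post #9's scheme lets any application reach a whitelisted site; this is
        # exactly the gap Ian points out, since a rogue app gets through here too.
        return "allow"
    if c.app in ALLOWED_APPS and c.parent in TRUSTED_LAUNCHERS:
        # A permitted app, started by the user's shell rather than by another program.
        return "allow"
    # Everything else goes to the user: unknown apps, and a permitted app that some
    # other process launched (the hidden-browser-window pattern the readme describes).
    return "ask"


def audit(conns):
    """Group a batch of attempts by verdict; the 'ask' list is what the user is prompted on."""
    verdicts = {"allow": [], "block": [], "ask": []}
    for c in conns:
        verdicts[decide(c)].append(c)
    return verdicts
```

The parent check only raises the bar; as post #5 already doubts, it is a heuristic about how the app was started, not a guarantee about who controls it.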
#10
15-November-2001, 23:05
squidgy

I was beginning to think that I'd missed the point. A far scarier thought is that any spyware or trojan is able to terminate any software firewall application. Mind you, that does kind of assume that you're dozey enough to install the nasty program in the first place .... but I think chances are, many of us are that dozey, knowing what browser scripting vulnerabilities there are out there, I reckon I'm probably that dozey.

So .... erm .... isn't this issue rather more important than whether a program manages to pass itself off as internet explorer or something?