Writing Trojans that Bypass Windows XP Service Pack 2 Firewall
13 Oct. 2004
Windows XP Service Pack 2 incorporates many enhancements to try to better protect systems from malware and other forms of attacks. One of those layers of protection is the Windows XP SP2 Firewall. One of the features of this Firewall is the ability to allow users to decide what applications can listen on the network. By allowing users to control what applications can communicate on the network, Microsoft believes that systems will be protected against threats such as Trojans. Like so many things Microsoft says, this is inaccurate and in fact it is very easy for locally executing code to bypass the Windows Firewall. So don't worry you aspiring Trojan developers, your still going to be able to Trojan consumer and corporate systems to your hearts content.
Attached to this advisory is proof of concept code that demonstrates how a Trojan could bind to a port and accept connections by piggybacking on the inherent trust of sessmgr.exe. Simply compile this program and run it as any local user. To test if the Firewall has been bypassed (it is!) telnet from another machine to the target machine on port 333 and if your connected, then you've successfully bypassed the Windows XP Service Pack 2 Firewall.