Outbound filtering in the affected personal firewalls does not see packets generated by a protocol stack other than the default Microsoft TCP/IP stack, so such packets are never matched against the outbound rules.
A Trojan that sends its traffic through its own non-standard protocol adapter can therefore transmit data outbound without triggering any rule or alert.
Credit:
The information has been provided by Tom Liston and Te Smith.
Known vulnerable firewalls:
ZoneAlarm and ZoneAlarm Pro as of their current revisions
Tiny Personal Firewall
A security flaw has been found in at least two personal firewalls which causes them not to "see" TCP packets that are generated through a "non-standard" protocol adapter rather than through the default Microsoft stack.
Furthermore, the "Lock" or "Block All" settings of those firewalls are equally ineffective against TCP packets from non-standard protocol adapters: the traffic passes even when the firewall is supposedly blocking everything.
Vendor responses:
ZoneLabs:
1. We are working on fixing this issue and have supplied test software to Tom Liston (as well as other beta testers). I don't have an ETA for final release of the fix.
2. The original issue stems from a flaw in the Microsoft NDIS layer which we have reported to Microsoft. They have acknowledged receipt of the info.
(I am not trying to put the blame on Microsoft, rather I am trying to make it clear that this is an OS issue, and as such, is non-trivial.)
3. We're all trying to reduce security vulnerabilities - both in software and by educating users.
Condemning an entire category of software for an edge case situation when a vendor is working on a fix does nothing to increase security.
Tiny Software:
Tiny was contacted in mid-November but no reply was received. They were recently re-contacted and have now acknowledged that the problem exists, stating that they intend to block "non-standard" protocol access to NDIS, but they have yet to reply about how this will be accomplished.
Note:
Other personal firewalls might very well be susceptible to this same problem.
Also troubling is the fact that, in both cases, specially crafted packets can be sent to a machine and sniffed off the wire by an application running on that machine. These inbound packets are ignored by the personal firewalls and produce no warning to the end user. Combined with the outbound bypass, this makes full two-way communication with a machine possible, even when its firewall is set to "Lock" or "Block All" network traffic.
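Because the bypassed packets never reach the firewall's filter, they also never reach its log, so the host cannot be trusted to report them. The practical check is to capture at a point the host does not control (a span port, a hub, or the gateway) and compare the connections seen on the wire with what the host firewall logged: any connection the wire saw but the host never logged is either a logging gap or exactly the bypass described above. The following is an added example, not code from the original advisory or from either vendor; the host-log format and the tcpdump-like capture format are constructed for illustration and do not match the real ZoneAlarm or Tiny log layouts, so parse_host_log() must be adapted to the product in use.

```python
"""Correlate a host firewall's log with an independent egress capture.

Only new connection attempts (a TCP SYN without ACK) are compared, so
replies to an unlogged connection are not double-counted.
"""
import re
from typing import Dict, List, NamedTuple


class Flow(NamedTuple):
    proto: str
    src: str
    sport: int
    dst: str
    dport: int


# Constructed host-firewall log for this example (invented format).
HOST_LOG = """\
2001-12-19 10:03:11 OUT TCP 192.168.1.10:1045 -> 64.12.24.3:80 ALLOW
2001-12-19 10:03:40 OUT TCP 192.168.1.10:1046 -> 64.12.24.3:80 ALLOW
2001-12-19 10:05:02 IN  TCP 198.51.100.7:4444 -> 192.168.1.10:139 BLOCK
"""

# Constructed capture taken off the wire, loosely modeled on tcpdump's
# text output. The 2301 -> 6667 and 31337 -> 31337 connections never
# appear in HOST_LOG: that is the signature of traffic the firewall
# never saw.
WIRE_CAPTURE = """\
10:03:11.120 IP 192.168.1.10.1045 > 64.12.24.3.80: Flags [S]
10:03:40.002 IP 192.168.1.10.1046 > 64.12.24.3.80: Flags [S]
10:04:02.551 IP 192.168.1.10.2301 > 203.0.113.9.6667: Flags [S]
10:04:02.700 IP 203.0.113.9.6667 > 192.168.1.10.2301: Flags [S.]
10:05:02.010 IP 198.51.100.7.4444 > 192.168.1.10.139: Flags [S]
10:06:15.333 IP 203.0.113.9.31337 > 192.168.1.10.31337: Flags [S]
"""

LOG_RE = re.compile(
    r"^\S+ \S+ (?P<dir>IN|OUT)\s+(?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<verdict>ALLOW|BLOCK)$"
)
CAP_RE = re.compile(
    r"^\S+ IP (?P<src>[\d.]+)\.(?P<sport>\d+) > "
    r"(?P<dst>[\d.]+)\.(?P<dport>\d+): Flags \[(?P<flags>[^\]]*)\]$"
)


def parse_host_log(text: str) -> Dict[Flow, str]:
    """Map every connection the host firewall logged to its verdict."""
    logged: Dict[Flow, str] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            flow = Flow(m["proto"], m["src"], int(m["sport"]),
                        m["dst"], int(m["dport"]))
            logged[flow] = m["verdict"]
    return logged


def parse_capture(text: str) -> List[Flow]:
    """Return the TCP connection attempts (pure SYN) seen on the wire."""
    flows: List[Flow] = []
    for line in text.splitlines():
        m = CAP_RE.match(line)
        if m and m["flags"] == "S":
            flows.append(Flow("TCP", m["src"], int(m["sport"]),
                              m["dst"], int(m["dport"])))
    return flows


def find_unlogged_flows(capture_text: str, log_text: str,
                        host_ip: str) -> Dict[str, List[Flow]]:
    """Connections involving host_ip that reached the wire but were never
    logged by its firewall, split by direction. A BLOCK entry counts as
    logged: the firewall at least saw that packet."""
    logged = parse_host_log(log_text)
    gaps: Dict[str, List[Flow]] = {"outbound": [], "inbound": []}
    for flow in parse_capture(capture_text):
        if flow in logged:
            continue
        if flow.src == host_ip:
            gaps["outbound"].append(flow)
        elif flow.dst == host_ip:
            gaps["inbound"].append(flow)
    return gaps


if __name__ == "__main__":
    for direction, flows in find_unlogged_flows(
            WIRE_CAPTURE, HOST_LOG, "192.168.1.10").items():
        for f in flows:
            print(f"{direction}: {f.src}:{f.sport} -> {f.dst}:{f.dport} "
                  "seen on wire, absent from host firewall log")
```

Run against real data, feed the host log and the capture in as text and set host_ip to the machine under test; every flow the script reports should be explained by a known logging gap before it is dismissed. Matching on the full 5-tuple keeps false positives low, but a log that rotates between the capture window and the comparison will also show up as a gap, so compare over the same time window.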
Exploit:
An application demonstrating this vulnerability is available at:
http://www.hackbusters.net/ob.html