Vulnerable versions: most personal firewalls
Malicious software can carry out a shatter attack against a GUI application
permitted by the firewall and execute arbitrary code in its context. After that,
the malware is able to communicate with external networks, bypassing the
firewall's security policies.
Solution: no solution exists at the moment.
Bypass personal firewall "application protection". Again.
(c)oded by offtopic (email@example.com) 2004. Special thanks to 3APA3A for links
to the debuggers for Windows.
A personal firewall usually restricts network access to a list of allowed
applications. In addition, the integrity of these applications is checked to
prevent code insertion into the executable file. This makes it impossible to
install a trojan application with direct network access.
Modern personal firewalls hook "unsafe" API calls such as WriteProcessMemory and
CreateRemoteThread, and control modification of trusted application code. Some
personal firewalls even catch CAT... sometimes.
So we have a protected "high-privileged" application, which can communicate with
the network, a "low-privileged" application - the trojan, and a personal firewall as access
The best way to bypass any access control in Windows is a SHATTER attack.
Because most, if not all, "high-privileged" applications use a GUI, the trojan can
use window messages to modify application memory and execute code in the context of
Any application on a given desktop can send a message to any window on the same
desktop, regardless of whether or not that window is owned by the sending
application, and regardless of whether the target application wants to receive
those messages. There is no mechanism for authenticating the source of a
message; a message sent from a malicious application is indistinguishable from a
message sent by the Windows kernel. It is this lack of authentication that we
will be exploiting, taking into consideration that these messages can be used to
manipulate windows and the processes that own them.
So, the attack is very simple:
1. Trojan finds trusted application and appropriate.
2. The trojan inserts shellcode into the selected window.
...This is generally a very easy thing to do, as any user-supplied input - if
crafted correctly - can be interpreted as a sequence of valid CPU
3. Afterward the trojan finds the shellcode address and transfers control to the
It's not a problem, because
...even the most obscure of messages can be used to make a process execute code
that it was not intended to run.
I haven't experimented with this too much, but several widely used personal
firewalls were tested and are vulnerable. If any vendors need additional details,
they can contact me.
Thanks for your attention and sorry for my English.