ITCP Advisory 13: Bypassing of ATGuard Firewall possible

From: BlueScreen (BlueScreen@IT-Checkpoint.net)
Date: Mon Apr 29 2002 - 07:47:09 PDT


    ------------------------------------------------------------
    itcp advisory 13 advisories@it-checkpoint.net
    http://www.it-checkpoint.net/advisory/12.html
    April 29th, 2002
    ------------------------------------------------------------
    
    
    
    ITCP Advisory 13: Bypassing of ATGuard Firewall possible
    -------------------------
    
    Affected programs:  ATGuard Personal Firewall (at least version 3.2,
    probably others)
    URL: No longer existent; the software is still widespread
    Vendor: The ATGuard technology was bought by Norton and included in its
    Norton Personal Firewall
    Vulnerability-Class: Bypassing of a personal firewall (desktop firewall)
    OS specific: Windows
    Problem-Type: local and remote
    
    
    SUMMARY
    
    ATGuard is a very good personal desktop firewall, which comes with a wide
    range of features:
    
    - Firewall functions
    - Web filter functions
    - Privacy protection functions
    
    It is also possible to allow specific connections bound to applications
    (for example, you can allow all connections to port 80 on any host for
    Internet Explorer).
    
    Further, it is possible to protect the firewall configuration (and the
    starting and stopping of it) with a password. This can be a useful way to
    control the internet activities of children and youths.
    
    
    DETAILS
    
    As mentioned before, it is possible to allow specific connections for
    specific applications. For example, most users use Internet Explorer to
    browse the internet. It is a logical assumption that people using Internet
    Explorer to browse the WWW allow outbound connections to all hosts, at least
    to destination port 80.
    Sadly, ATGuard does not save the file path and does not use checksums (which
    would be much better) to determine whether the executed program is really
    the one that is allowed to connect to all hosts on port 80. It just uses the
    filename (in this case "IEXPLORE.EXE").
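    To make the weakness in the DETAILS section concrete, the following is an added
    example (not code from the advisory or from ATGuard) that models three ways an
    application-bound allow rule can identify the program making a connection:
    by base filename only (the behaviour the advisory describes), by full path, and
    by full path plus a SHA-256 checksum of the executable image. The paths and
    "executable images" are constructed byte strings, and the rule format is a
    hypothetical one chosen for the example; Windows-style paths are handled with
    ntpath so the script runs on any platform.

```python
import hashlib
import ntpath
from dataclasses import dataclass

# Constructed sample data (not real binaries): the genuine browser image at its
# installed location, and an unrelated program copied under the same file name.
GENUINE_PATH = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
GENUINE_IMAGE = b"constructed: genuine iexplore.exe image"
RENAMED_PATH = r"C:\Tools\IEXPLORE.EXE"
RENAMED_IMAGE = b"constructed: unrelated program renamed to iexplore.exe"


@dataclass(frozen=True)
class Rule:
    """A hypothetical outbound allow rule bound to one application."""
    filename: str   # base name only: all the advisory says ATGuard compares
    path: str       # full path recorded when the rule was created
    sha256: str     # hash of the executable image recorded at rule creation
    dst_port: int


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def make_rule(path: str, image: bytes, dst_port: int) -> Rule:
    """Record the full identity of the application when the rule is created."""
    return Rule(filename=ntpath.basename(path), path=path,
                sha256=sha256_hex(image), dst_port=dst_port)


def allowed_by_filename(rule: Rule, exe_path: str, dst_port: int) -> bool:
    """Filename-only match: the weak check the advisory describes."""
    return (ntpath.normcase(ntpath.basename(exe_path)) == ntpath.normcase(rule.filename)
            and dst_port == rule.dst_port)


def allowed_by_path(rule: Rule, exe_path: str, dst_port: int) -> bool:
    """Full-path match: stops a copy in another directory, not a file replaced in place."""
    return ntpath.normcase(exe_path) == ntpath.normcase(rule.path) and dst_port == rule.dst_port


def allowed_by_identity(rule: Rule, exe_path: str, image: bytes, dst_port: int) -> bool:
    """Path plus checksum: both where the file is and what it contains must match."""
    return allowed_by_path(rule, exe_path, dst_port) and sha256_hex(image) == rule.sha256


def evaluate() -> dict:
    """Run each policy over the constructed cases; True means the connection is allowed."""
    rule = make_rule(GENUINE_PATH, GENUINE_IMAGE, 80)
    return {
        # genuine browser to port 80: every policy allows it
        "filename_genuine": allowed_by_filename(rule, GENUINE_PATH, 80),
        "identity_genuine": allowed_by_identity(rule, GENUINE_PATH, GENUINE_IMAGE, 80),
        # unrelated program copied to IEXPLORE.EXE in another directory
        "filename_renamed": allowed_by_filename(rule, RENAMED_PATH, 80),
        "path_renamed": allowed_by_path(rule, RENAMED_PATH, 80),
        "identity_renamed": allowed_by_identity(rule, RENAMED_PATH, RENAMED_IMAGE, 80),
        # genuine path, but the file on disk has been replaced
        "path_replaced": allowed_by_path(rule, GENUINE_PATH, 80),
        "identity_replaced": allowed_by_identity(rule, GENUINE_PATH, RENAMED_IMAGE, 80),
        # genuine browser, but a port the rule does not cover
        "identity_other_port": allowed_by_identity(rule, GENUINE_PATH, GENUINE_IMAGE, 443),
    }


if __name__ == "__main__":
    for case, verdict in evaluate().items():
        print(f"{case:22s} {'ALLOW' if verdict else 'BLOCK'}")
```

    Only the filename-only policy allows the renamed copy, which is the
    bypass the advisory reports; the path-only policy still allows a file that
    was replaced in place, which is why the advisory asks for checksums rather
    than just paths. A checksum pins one specific build, so a legitimate update
    of the browser would invalidate the rule and require re-approval; that
    trade-off is the reason later desktop firewalls usually prompt again when
    a known application's hash changes.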
    
    
    IMPACT
    
    ATGuard can be fooled into thinking that a disallowed program is allowed to
    connect to the internet. Trojan horses that use outbound connections, or
    HTTP tunneling software used to tunnel unwanted connections (like ICQ), are
    not blocked.
    
    EXPLOIT
    
    There are many different ways to exploit this. This is a sample of how to
    get ICQ working on a computer on which only Internet Explorer is allowed to
    connect to port 80. All other outbound connections are blocked by ATGuard.
    
    Download the HTTP-Tunnel client from www.HTTP-Tunnel.com. Install it on your
    computer. When you try to configure it, it will tell you that it can't find
    the HTTP-Tunnel server.
    
    Now just rename / copy the file "HTTP-Tunnel Client.exe" to "IEXPLORE.EXE".
    Fire it up again using the IEXPLORE.EXE filename. After a short time it
    should tell you that it is working correctly.
    
    As said before, it is possible to use trojan horses to fool badly configured
    firewalls, etc.
    
    SOLUTION
    
    There is no solution, since ATGuard is not developed anymore. We were not
    able to test the Norton Personal Firewall for this problem, since none of
    us owns it. We are contacting Norton directly with this advisory.
    
    
    ADDITIONAL INFORMATION
    The vendor has not been contacted (since it doesn't exist anymore).
    
    Since there exist more personal firewalls like ATGuard, we will have a look
    at the free ones and try the same.
    
    
    
    Bugs discovered and published by Florian "BlueScreen" Hobelsberger
    (BlueScreen@IT-Checkpoint.net) from www.IT-Checkpoint.net
    
    
    
    -----------------------
    DISCLAIMER:
    The information in this bulletin is provided "AS IS" without warranty of any
    kind.
    In no event shall we be liable for any damages whatsoever including direct,
    indirect, incidental, consequential, loss of business profits or special
    damages.
    



    This archive was generated by hypermail 2b30 : Mon Apr 29 2002 - 16:58:09 PDT