Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

From: UMusBKidNat_private
Date: Tue Apr 30 2002 - 11:54:29 PDT

    Hi,
    
    Ye Olde Disclaimer: The information contained in this email is believed to be true. However, exhaustive regression testing has not been performed. No guarantees or warranties are implicitly or explicitly granted. Use the information within at your own risk.
    
    Tested AtGuard version: 3.21.05
    Tested OS's: NT4 SP6a, Win95 (don't hit me, I'm cheap)
    
    BlueScreen wrote:
    > 
    > - ------------------------------------------------------------
    > itcp advisory 13 advisories@it-checkpoint.net
    > http://www.it-checkpoint.net/advisory/12.html
    > April 29th, 2002
    > - ------------------------------------------------------------
    > 
    > ITCP Advisory 13: Bypassing of ATGuard Firewall possible
    > - -------------------------
    
    *snip*
    
    > DETAILS
    *snip*
    > Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
    > much better), to
    > determine whether the executed program is really the one that is allowed to
    > connect to all hosts on port 80.
    > It just uses the filename (in this case "IEXPLORE.EXE").
    
    Only if you've created your rule in interactive learning mode. See discussion below.
    
    *snip*
    
    > SOLUTION
    > 
    > There doesn't exist a solution, since ATGuard is not developed anymore. We
    > were not able to test the Norton Personal Firewall
    > for this problem, since none of us owns it. We are contacting Norton
    > directly with this Advisory.
    
    Not quite correct. The bug reported in BlueScreen's advisory does exist. However, either the method of testing was incomplete, or the report was incomplete. Also, there is a workaround.
    
    AtGuard has the ability to create firewall rules on the fly (in its "interactive learning mode"). When a connection is attempted and AtGuard cannot find a matching rule, in "interactive learning mode" the user is presented with a window containing four options. Two of those options allow the user to specify whether the connection should be allowed or blocked, this one time only. The other two of those options allow the user to create a rule for particular connections (that may either block or allow the connections). This works on either incoming or outgoing connections.
    
    When a rule is created in interactive learning mode, *only the application executable name* is stored in the rulebase. This is the bug that BlueScreen pointed out. Without a path to the application file in the rulebase, any application with a similar name can make use of the firewall rule (block or allow, as the case may be).
    
    However, AtGuard also allows the user to create their own firewall rules manually. Click on the dashboard or tray icon, and launch the "Settings" menu item. Click the "Add" button, create a rule, and make sure you specify an application that the rule applies to (on the Application tab, click "Application Shown Above", click the Browse button, and specify the proper application with the File Dialog box). You will find the full path to the file specified in the rule. Shut down your machine, and start it up again, and you'll find the full path still there. You can verify the full path in the registry under the key:
    
    HKEY_LOCAL_MACHINE\SOFTWARE\WRQ\IAM\FirewallObjects\Applications
    
    Workaround: Manually create firewall rules instead of using interactive learning mode to create rules. If you do use interactive learning mode, you should reopen the "Settings" menu, and manually adjust the "Application Shown Above" so it shows the full path to the application that the rule applies to (you apparently don't have to trash all your current rules). This *appears* to resolve the issue (from my brief testing, YMMV).
    
    Of course, this still wouldn't prevent someone from replacing the specified file with malware. However, if your machine has been compromised to that level, it seems to me you've got more to worry about than a few firewall rules :/
    
    It should be noted that AtGuard rules may be created that allow or block access to *all* applications. Such rules appear to not be affected by this bug.
    
    > ADDITIONAL INFORMATION
    > Vendor has not been contacted. (since he doesn't exist anymore).
    
    Actually, the original vendor does exist: http://www.wrq.com. They simply don't sell the product any more. From what I can tell, the original firewall has been sufficiently morphed by Symantec so that it no longer has much resemblance to AtGuard. Thus, I don't think comparisons between products from these two vendors are fair or valid.
    
    -UMus B. KidN
    
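As an added illustration (example code written for this archive page, not part of the original thread and not AtGuard's or Symantec's code), the following Python models the three ways a per-application firewall rule can identify the program it applies to: by bare executable name (what the reply says an interactive-learning-mode rule stores), by full path (what a manually created rule stores), and by full path plus a content checksum (what the advisory says AtGuard does not do). The in-memory file table, the rule structure, and the `sha256` field are constructed assumptions for the demonstration; nothing here reads the real registry key or rulebase.

```python
"""Model of application-identification strategies for per-application firewall rules.

Constructed example: the "file system" is an in-memory dict, and the rule shape is a
hypothetical simplification of a rulebase entry, used only to show why a name-only
rule is bypassable, why a full-path rule is not, and what a checksum would add.
"""
import hashlib
from dataclasses import dataclass
from pathlib import PureWindowsPath
from typing import Callable, Dict, Optional

# Constructed stand-in for files on disk: full path -> file contents.
FILES: Dict[str, bytes] = {
    r"C:\Program Files\Internet Explorer\IEXPLORE.EXE": b"genuine browser bytes",
    r"C:\Temp\IEXPLORE.EXE": b"some unrelated program that happens to share the file name",
}


@dataclass(frozen=True)
class Rule:
    app: str                      # bare file name or full path, as stored in the rulebase
    action: str                   # "allow" or "block"
    sha256: Optional[str] = None  # hypothetical content hash; AtGuard has no such field


def sha256_of(path: str, files: Dict[str, bytes]) -> str:
    """Hex SHA-256 of the (constructed) file contents at path."""
    return hashlib.sha256(files[path]).hexdigest()


def match_name_only(rule: Rule, exe_path: str) -> bool:
    """Learning-mode behaviour described in the reply: compare file names only."""
    return PureWindowsPath(rule.app).name.lower() == PureWindowsPath(exe_path).name.lower()


def match_full_path(rule: Rule, exe_path: str) -> bool:
    """Manual-rule behaviour: the stored path must be fully qualified and identical."""
    stored = PureWindowsPath(rule.app)
    if stored.parent == PureWindowsPath("."):
        return False  # a bare file name carries no directory to compare against
    return str(stored).lower() == str(PureWindowsPath(exe_path)).lower()


def match_path_and_hash(rule: Rule, exe_path: str, files: Dict[str, bytes]) -> bool:
    """Full path plus content hash: also rejects a file swapped in at the correct path."""
    if not match_full_path(rule, exe_path):
        return False
    return rule.sha256 is not None and sha256_of(exe_path, files) == rule.sha256


def decide(rule: Rule, exe_path: str, matcher: Callable[[Rule, str], bool],
           default: str = "prompt") -> str:
    """Return the rule's action if the matcher accepts the executable, else fall back
    to the default (the learning-mode prompt the reply describes)."""
    return rule.action if matcher(rule, exe_path) else default


def demo() -> Dict[str, str]:
    """Walk through the scenarios discussed in the thread and return each outcome."""
    files = dict(FILES)  # private copy so the in-place replacement below is contained
    genuine = r"C:\Program Files\Internet Explorer\IEXPLORE.EXE"
    impostor = r"C:\Temp\IEXPLORE.EXE"

    learned = Rule(app="IEXPLORE.EXE", action="allow")                         # name only
    manual = Rule(app=genuine, action="allow")                                 # full path
    hashed = Rule(app=genuine, action="allow", sha256=sha256_of(genuine, files))

    results = {
        "learned rule / name only / other file with same name": decide(learned, impostor, match_name_only),
        "manual rule / full path / other file with same name": decide(manual, impostor, match_full_path),
        "manual rule / full path / genuine file": decide(manual, genuine, match_full_path),
    }

    # Residual risk the reply points out: the genuine file is replaced in place.
    files[genuine] = b"replaced contents"
    results["manual rule / full path / replaced file"] = decide(manual, genuine, match_full_path)
    results["hashed rule / path + hash / replaced file"] = decide(
        hashed, genuine, lambda r, p: match_path_and_hash(r, p, files))
    return results


if __name__ == "__main__":
    for scenario, outcome in demo().items():
        print(f"{scenario}: {outcome}")
```

The name-only matcher accepts any file called IEXPLORE.EXE regardless of directory, which is the behaviour the advisory reports; the full-path matcher only accepts the exact path a manual rule records, which is the workaround in the reply; the hash variant shows what the advisory's "checksums would be much better" remark would buy, namely detecting a file replaced at the correct path, at the cost of re-hashing the file on every decision and invalidating the rule on every legitimate update.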



    This archive was generated by hypermail 2b30 : Tue Apr 30 2002 - 16:32:18 PDT