Re: Bypassing Personal Firewalls

From: Shaun Clowes (shaunat_private)
Date: Fri Feb 21 2003 - 18:14:04 PST

Next message: Daniel Ahlberg: "GLSA: (200302-12)"

Previous message: evilcowat_private: "exploit for Cpanel 5 remote command execution."
In reply to: xenophi1e: "Bypassing Personal Firewalls"
Next in thread: Torbjörn Hovmark: "Re: Bypassing Personal Firewalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

Hi xenophi1e,

>Here's a code snippet that injects code directly into a running process
>without the need for a DLL etc. I believe that it demonstrates that
>process boundaries under NT mean very little within the context of a
>given UID.

While I can see your point here, from the OS's perspective a user doesn't 
need to be protected from themselves.

>Having attempted to discuss this with PFW vendors, it doesn't appear to
>be much of a concern to them; after almost two business weeks, Symantec
>is the only company to have responded with any concern. To be fair, this
>isn't remotely exploitable, and is fundamentally an issue with how OSs
>are designed, not how PFWs work (although one might wonder if some of the
>claims made by PFW vendors are really ethical).

I'm not convinced that it is an 'issue' at all, the OS goes to great 
lengths to restrict the ability of one user to hurt another.

>I think it illustrates
>that OpenProcess, ptrace, and the like should really enforce filesystem
>priviledges on the processes they can modify. I think that this is
>something that needs to be done proactively.

I don't really understand what you mean by enforce filesystem privileges?

Personal Firewalls exist to try and enforce order upon chaos, I can't see 
any reason why they couldn't disable OpenProcess for any user other than 
users with the SeDebug privilege (though this will stop some non-malicious 
applications from functioning).

>The implication of allowing processes to modify each other this way is
>that PFWs can not be easily made secure, but also that malicious code has
>nice support from windows for doing some very bad things. For instance it
>would be a simple addition to intercept syscalls made by any process into
>which code can be injected, and in so doing hide the presence of
>malicious activity from all local processes a user runs.

Why do you believe that the responsibility of protecting users from 
themselves should be bourne by the operating system? People who are using 
Personal Firewall systems may indeed want to be protected in this fashion 
but I suspect that for most people this is a non issue.

When all is said and done, if malicious code can run under your user ID 
then everything you do is compromised, I can't see much point in giving 
ourselves a false sense of security.

Cheers,
Shaun

Next message: Daniel Ahlberg: "GLSA: (200302-12)"
Previous message: evilcowat_private: "exploit for Cpanel 5 remote command execution."
In reply to: xenophi1e: "Bypassing Personal Firewalls"
Next in thread: Torbjörn Hovmark: "Re: Bypassing Personal Firewalls"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Sun Feb 23 2003 - 10:11:41 PST