RE: Query

From: Eric D. Williams (ericat_private)
Date: Tue Jul 16 2002 - 12:38:18 PDT


    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1
    
    Liam,
    
    I would say it depends on the trust relationship between the URN/URL
    of the script and the personal firewall application.  If the firewall
    does not trust [or can't be spoofed into believing] the configuration
    URN/URL that is used to configure it remotely (i.e., turn it off,
    load profiles, etc.) without some in-band verifier, for example a
    shared (and confidential, non-replayable) secret, then it's a
    "feature."
    
    If, on the other hand, the firewall implicitly trusts the JavaScript:
    from any URN/URL purported to be appropriate (e.g. configured) or
    from arbitrary locations (e.g. XSS, MITM or spoofed IP addresses),
    then it's a vulnerability.
    
    That's my $.02
    
    InfoBro
    - -----
    Information Brokers, Inc.    Phone: +1 202.889.4395
    http://www.infobro.com/        Fax: +1 202.889.4396
                   mailto:ericat_private
                        PGP Public Key
       http://new.infobro.com/KeyServ/EricDWilliams.asc
    Finger Print: 1055 8AED 9783 2378 73EF  7B19 0544 A590 FF65 B789
    - ----------------------------------------------------------------
    The information in this message is confidential.  It is intended
    solely for addressee(s).  Access to this message by anyone else
    is unauthorized.  If you are not the intended recipient, any
    disclosure, copying, distribution or any action taken or omitted
    to be taken in reliance on it, is prohibited and may be unlawful.
    
    On Tuesday, July 16, 2002 10:51 AM, TLR@portcullis-security.com
    [SMTP:TLR@portcullis-security.com] wrote:
    > I think I know the answer to this but I just wanted to get a straw
    > Poll type opinion from you guys.
    > 
    > Recently, whilst performing a Penetration Test I developed a
    > JavaScript which, with the use of some tools, disables a well known
    > personal firewall. This personal firewall was designed and is used
    > so that the company can centrally control what Hosts and Networks a
    > user can access via the use of profiles. Can you see what it is
    > yet? Anyway, would you guys consider the ability to disable the
    > firewall remotely a vulnerability or does it fall simply in the
    > arena of technique in the use of already existing tools and
    > vulnerabilities?
    > 
    Cheers, Liam.
    
    -----BEGIN PGP SIGNATURE-----
    Version: PGP 6.5.8
    
    iQA/AwUBPTR2KgVEpZD/ZbeJEQI+eACgnLgq05BJQQQ1XaXvAVZ6zAku4T0An1If
    rg1XZv6KZlx4FOU+1z4OV3jL
    =zKaY
    -----END PGP SIGNATURE-----
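
The "in-band verifier" distinction drawn in the reply above, as an added example that is not part of the original message or of any firewall product's code: a management channel that accepts a configuration command only when it carries a MAC under a shared secret and has not been seen before. The command names, message layout, HMAC-SHA256 and the 60-second freshness window are assumptions made for the example.

```python
import hashlib
import hmac
import time

MAX_SKEW = 60  # seconds a signed command stays acceptable (assumed policy)


def sign_command(secret: bytes, command: str, nonce: str, ts: int) -> str:
    """Management-server side: MAC over command, nonce and timestamp."""
    msg = "\n".join((command, nonce, str(ts))).encode()
    return hmac.new(secret, msg, hashlib.sha256).hexdigest()


class ConfigVerifier:
    """Firewall side: accept a command only if it is authentic and fresh."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._seen = {}  # nonce -> timestamp, kept while inside the window

    def verify(self, command, nonce, ts, tag, now=None):
        now = int(time.time()) if now is None else now
        if "\n" in command or "\n" in nonce:  # keep the MAC input unambiguous
            return "rejected: malformed"
        expected = sign_command(self._secret, command, nonce, ts)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad MAC"  # sender does not hold the secret
        if abs(now - ts) > MAX_SKEW:
            return "rejected: stale"
        # Forget nonces that the staleness check would already refuse.
        self._seen = {n: t for n, t in self._seen.items()
                      if abs(now - t) <= MAX_SKEW}
        if nonce in self._seen:
            return "rejected: replay"
        self._seen[nonce] = ts
        return "accepted"


def demo():
    secret = b"constructed-demo-secret"  # constructed sample value
    fw = ConfigVerifier(secret)
    t0 = 1_000_000  # constructed timestamp
    good = ("disable", "n-001", t0, sign_command(secret, "disable", "n-001", t0))
    unsigned = ("disable", "n-002", t0, "0" * 64)  # request without the secret
    return [
        fw.verify(*good, now=t0 + 5),       # authentic and fresh
        fw.verify(*good, now=t0 + 10),      # same message captured and resent
        fw.verify(*unsigned, now=t0 + 10),  # arbitrary origin, no valid MAC
        fw.verify(*good, now=t0 + 600),     # outside the freshness window
    ]
```

A firewall that skips these checks and acts on any request reaching its configuration URL is the second case the reply describes.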
    



    This archive was generated by hypermail 2b30 : Tue Jul 16 2002 - 12:55:59 PDT