RE: Bug in Norton FireWall 2003

From: nowak.aat_private
Date: Mon Aug 11 2003 - 14:15:21 PDT


    > I suppose a simple defense for "personal firewall" vendors against this sort
    > of thing would be to use hard-to-guess window titles for their popups...
    
    Hello,
    
    This simple defense may not be enough, as there are ways to find out the names
    of all "child" windows belonging to a specific process.
    
    Regards,
    Andrzej
    
    
    
                                                                    
                                                                    
    
    
    From: Michael Wojcik <Michael.Wojcikat_private> on 08/11/2003 07:24 PM GMT
                                                                                          
    To: vuln-devat_private
    Cc: (bcc: Andrzej Nowak-A/PGI)
    Subject: RE: Bug in Norton FireWall 2003
    08/11/2003 03:24 PM
    
    > From: Boy Bear [mailto:eyal067at_private]
    > Sent: Saturday, August 09, 2003 4:12 AM
    >
    >
    > The Bug factor so lamb Firewall "ignored" from Trojan.
    >
    > The Trojan than himself in Firewall and so the actually Trojan worker
    > without disturbance the of Firewall.
    
    Ah, machine translation.
    
    A cursory glance through the VB source [see original message] suggests that
    the proposed exploit is to have a trojan recognize the firewall pop-up
    asking if the trojan should be permitted network access, and spoofing the
    user input to grant it.  Simple enough.
    
    There appears to be a bug in the included source:
    
    > Private Sub wHideShow(HideShow As Boolean)
    >
    > Dim hwnd As Long
    > hwnd = FindWindow(vbNullString, "Norton Personal Firewall")
    > 'if not found then..
    > If hwnd = 0 Then
    > Exit Sub
    > End If
    > 'if not hidden - hide, else - show
    > If HideShow Then
    > ShowWindow hwnd, SW_SHOW
    > Else
    > ShowWindow hwnd, SW_SHOW
    > End If
    >
    > End Sub
    
    Presumably one of "SW_SHOW" should be "SW_HIDE".  Since wHideShow is never
    used by the program, and "HideShow" is not exactly a meaningful parameter
    name, it's hard to guess which.  Then again, since wHideShow is never used,
    it doesn't really matter.
    
    I suppose a simple defense for "personal firewall" vendors against this sort
    of thing would be to use hard-to-guess window titles for their popups...
    
    --
    Michael Wojcik
    Principal Software Systems Developer, Micro Focus
    



    This archive was generated by hypermail 2b30 : Mon Aug 11 2003 - 15:08:38 PDT