New ways to bypass firewalls

Hi Guys,

Please feel free to brainstorm on how to bypass a firewall's protection mechanism under this thread. This includes bypassing CPF as well.

Here is an example:

A buffer overflow attack can easily bypass any firewall which does not detect stack/heap based code injections.

A real life scenario:

1 - IE has a bug which leads to a successful buffer overflow attack,
2 - Alice surfs the internet with this faulty IE and visits www.devilsite.com
3 - www.devilsite.com is maintained by Bob the cracker, who is aware of this bug and has a 0-day exploit to use
4 - www.devilsite.com overflows IE and executes the shellcode, which makes IE download the devil file,
5 - While Alice continues surfing, Bob's site uploads devil.dll/.exe to her PC and does whatever it wants.

Here since IE is a trusted application, the BO attack, without any CreateProcess, memory injection, or known DLL injection technique, executes code in the victim’s PC without being detected.

Although as difficult as it seems, this is a very common scenario when you visit some blacklisted sites. Have you ever noticed a utility has been installed on your computer while surfing?

In Japan, the Winny P2P program has such a flaw, causing everyone to be infected.

Egemen

Question: Wouldn't the above scenario be taken care of by a HIPS application (if you have one running)? My HIPS (Online Armor) would prompt me and ask me if I wanted to allow an unknown executable to run.

Nope, they can't. Because this is the only case where an execution occurs without an executable loaded. When the attacker overflows the buffer, he runs "the shell code", which is just a binary sequence of assembler instructions. No exe, no dll or anything. The attacker injects his code remotely.

nope.

that’s why BO is nasty!

with BO attacks the code gets executed within an already running executable. So HIPS won't realise that there is a new app, because there isn't! Just a new piece of code inside an already trusted app.

Melih
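The point made above, that a HIPS which only watches for new executables never sees shellcode living inside an already trusted process, is what pushed behaviour-based monitors to look at memory itself instead. The script below is an added example and not code from this thread or from any Comodo product: it scans a process memory map for executable regions that are writable or not backed by any file on disk, which is where injected code has to sit. The map is a constructed sample in Linux /proc/<pid>/maps format (chosen because it is plain text); a Windows monitor would obtain the same protection and file-backing facts through VirtualQueryEx, and the heuristic is identical.

```python
"""Flag memory regions where in-process shellcode could live.

Added example (not from the thread): a behaviour-style check a HIPS can run
against a trusted process. Input is a constructed /proc/<pid>/maps listing.
"""
import re
from dataclasses import dataclass

MAPS_LINE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+(?P<dev>\S+)\s+(?P<inode>\d+)\s*(?P<path>.*)$"
)

# Kernel-provided executable pseudo-regions that are anonymous by design.
KERNEL_REGIONS = {"[vdso]", "[vsyscall]"}


@dataclass
class Region:
    start: int
    end: int
    perms: str
    path: str

    @property
    def executable(self) -> bool:
        return "x" in self.perms

    @property
    def writable(self) -> bool:
        return "w" in self.perms

    @property
    def file_backed(self) -> bool:
        return self.path.startswith("/")


def parse_maps(text: str) -> list:
    """Parse /proc/<pid>/maps text into Region records; unknown lines are skipped."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if not m:
            continue
        regions.append(Region(int(m["start"], 16), int(m["end"], 16),
                              m["perms"], m["path"].strip()))
    return regions


def suspicious_regions(regions: list) -> list:
    """Return (region, reason) pairs for executable memory that is writable
    or anonymous. Legitimate code comes from a mapped module and is never
    writable at the same time as executable."""
    findings = []
    for r in regions:
        if not r.executable or r.path in KERNEL_REGIONS:
            continue
        if r.writable:
            findings.append((r, "writable+executable"))
        elif not r.file_backed:
            findings.append((r, "executable but not file-backed"))
    return findings


# Constructed sample: a browser with libc, plus two regions typical of injected
# code (an RWX anonymous region and an anonymous R-X region with no module).
SAMPLE_MAPS = """\
00400000-00452000 r-xp 00000000 08:01 1234 /usr/bin/browser
00651000-00652000 rw-p 00051000 08:01 1234 /usr/bin/browser
00e10000-00e31000 rw-p 00000000 00:00 0 [heap]
7f1a2c000000-7f1a2c021000 rwxp 00000000 00:00 0
7f1a2d200000-7f1a2d3a0000 r-xp 00000000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f1a2d5a0000-7f1a2d5a4000 rw-p 001a0000 08:01 5678 /lib/x86_64-linux-gnu/libc.so.6
7f1a2e000000-7f1a2e001000 r-xp 00000000 00:00 0
7ffd3e800000-7ffd3e821000 rw-p 00000000 00:00 0 [stack]
7ffd3e9f0000-7ffd3e9f2000 r-xp 00000000 00:00 0 [vdso]
"""

if __name__ == "__main__":
    for region, reason in suspicious_regions(parse_maps(SAMPLE_MAPS)):
        print(f"{region.start:#x}-{region.end:#x} {region.perms} {reason}")
```

Two of the nine regions are reported; the vdso is executable and anonymous but is kernel-supplied, so it is allowlisted rather than flagged. Real JIT engines also create anonymous executable memory, which is why a production monitor pairs this scan with knowledge of which modules are allowed to do so.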

Why not implement a mechanism to prevent buffer overflows from happening?
(Or at least dramatically reduce the occurrence of most BO related issues and raise the bar for the cracker).

The infamous open-source project known as PaX does this for Linux. There is a slight performance hit, but nothing a desktop user will notice…I’d be impressed with anyone who notices their PC is 5% slower!
=> Executable-space protection - Wikipedia

Some of its features have even been accepted by Microsoft! (Which, some of you know, has been publicly smearing open-source for the last five years!..I guess open-source is only good when THEY use it). :slight_smile: The concept/feature that MS is “borrowing” is Address Space Layout Randomization (ASLR). This will be in Windows Vista. (It is already implemented from the Beta 2 release and newer)…

But as with any security solution coming from Microsoft, I’m very suspicious as to how effective their implementation of ASLR really is. (They tend to push out a lot of marketing fluff to compensate for the deficiencies in their products).

For Windows 2k/XP/2k3 users, you can consider products like Wehnus, BufferShield, and StackGuard to do the same job…I suspect these do a better job than Vista’s implementation. (All of them are based on PaX, but ported to Windows).

The problem is, none of these are truly free. (Yes, I’ve tried them all)

  • Wehnus’s WehnTrust has limitations in its “free for home users” version (I think the project has ceased development as no one is responding to my bug reports, and there hasn’t been a new version in quite a while).

  • BufferShield’s ASLR only works with Win2k3 SP1, and it’s only available as a trial version.

  • StackDefender is only available as trial version.

If Comodo is able to implement such technology into their Personal Firewall (maybe their AV?) or even as another Free product, you’d have a pretty competitive solution. :wink: (No company can really compete with FREE).

At least, one will then be able to stand a chance against the majority/common BO-based threats.

As I said PaX is open-source, so Comodo can download the source code, see what makes it tick, and implement their own version on Windows.

OT: By the way, you folks should take a look at this.
http://www.tuxedo-es.org/blog/2006/06/15/vista-probe-01-released/
http://www.tuxedo-es.org/blog/2006/07/06/vista-probe-02-release/

The original source code was written by Joanna Rutkowska. If you didn’t know, she was the first “security researcher” (hacker) to publically demonstrate how to compromise Windows Vista. (This was in a Black Hat Conference back in August)…Effectively, she squashed Microsoft’s marketing hoopla on Vista’s security.
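The two mitigations this post is about, a non-executable stack (what PaX, NX and DEP enforce) and randomised load addresses (ASLR), only protect a program that was built to accept them. The script below is an added example, not code from the thread or from PaX: it reads the ELF program headers of a binary and reports whether the PT_GNU_STACK entry asks for an executable stack and whether the image is position-independent (ET_DYN), which is the precondition for ASLR to relocate it. The sample binaries are constructed in memory as a minimal ELF64 header plus one program header; they carry just enough for the check and are not runnable programs.

```python
"""Report whether an ELF binary opts into NX stack and PIE.

Added example (not from the thread or PaX). Handles little-endian ELF64 only.
"""
import struct
import sys

PT_GNU_STACK = 0x6474E551          # program header carrying stack permissions
PF_X, PF_W, PF_R = 1, 2, 4
ET_EXEC, ET_DYN = 2, 3
EHDR = struct.Struct("<16sHHIQQQIHHHHHH")   # 64-byte ELF64 file header
PHDR = struct.Struct("<IIQQQQQQ")           # 56-byte ELF64 program header


def build_elf(e_type: int, stack_flags: int, with_stack_header: bool = True) -> bytes:
    """Construct a minimal ELF64 image for x86-64 (machine 62) for testing."""
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\0" * 8   # 64-bit, LE, version 1
    phdrs = b""
    if with_stack_header:
        phdrs = PHDR.pack(PT_GNU_STACK, stack_flags, 0, 0, 0, 0, 0, 16)
    ehdr = EHDR.pack(ident, e_type, 62, 1, 0x1000, EHDR.size, 0, 0,
                     EHDR.size, PHDR.size, 1 if with_stack_header else 0, 0, 0, 0)
    return ehdr + phdrs


def check_hardening(data: bytes) -> dict:
    """Return {'nx': bool, 'pie': bool} for a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("only little-endian ELF64 is handled here")
    (_, e_type, _, _, _, e_phoff, _, _, _,
     e_phentsize, e_phnum, _, _, _) = EHDR.unpack_from(data, 0)

    stack_flags = None
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags

    # A binary with no PT_GNU_STACK header gets an executable stack from the
    # loader, so the conservative reading is "NX not requested".
    nx = stack_flags is not None and not (stack_flags & PF_X)
    return {"nx": nx, "pie": e_type == ET_DYN}


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # inspect a real file when given one
        with open(sys.argv[1], "rb") as f:
            print(check_hardening(f.read()))
    else:                                      # otherwise show the constructed samples
        print("hardened:", check_hardening(build_elf(ET_DYN, PF_R | PF_W)))
        print("legacy:  ", check_hardening(build_elf(ET_EXEC, PF_R | PF_W | PF_X)))
```

Run it with a path to any ELF file to see that binary's flags, or with no arguments to see the two constructed cases. The same decision is what tools like checksec make, and it is the build-side half of the story: PaX and DEP enforce the policy, but the linker has to emit the request.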

aussiebear, I can see you will like our next release v 2.4 :wink:

Melih

Yes BO is nasty, thank goodness for soap and deodorant :wink: What about something attaching to OLE attempts if allowed? Is this possible?

Paul

I see. I look forward to 2.4 (:CLP)

OT: A future “wishlist” I have for Comodo Firewall, is to incorporate access control features as found in Core Force.
=> http://force.coresecurity.com/index.php?module=articles&func=display&catid=39&aid=16
(allowing you to control what applications/executables can or cannot do…Registry Protection and File System Protection…Say downloads from Emule can only be made to a certain directory in which the file cannot be executed…Suggest the user to run AV to scan before executing the file).

Granted, I know it’s hard to develop an “easy to use” solution for a complex issue like Windows security, so I’m hoping that this will be a ver 3.0 or 4.0 feature. Put it in the roadmap. (:WIN) …A strong intrusion protection system. (I guess you could take a leaf out of Microsoft’s “User Access Control” in Vista…But make it A LOT less annoying and have an “Advanced” option for those who need more control)…

If you can do all that, I’ll gladly dump Zone Alarm (free) for Comodo Firewall.

I know this all sounds a bit demanding, but as a Win2k user, Microsoft has left us “high and dry” when it comes to security features and new versions of IE.

You think current CPF is not stronger than ZA free? (:AGY)

We are building one step at a time :slight_smile:

but still you really think ZA Free is stronger security than CPF? (:AGY)

(:LGH)

Melih

Hi Melih, you bring up a good issue here. Are there any charts to show what CPF passes compared to other firewalls? Perhaps this would show users that it is in fact better? We already know it kicks umm…donkey… when it comes to leak tests among others. Some may need visual proof. Just a thought. :wink:

Paul

you can create one if you like. you are good with graphics/charts/drawing :wink:

here is the pdf document that thoroughly explains what we pass.

http://www.personalfirewall.comodo.com/Comodo_Firewall_2.3_vs_The_Leaktests.pdf

Melih

LOL. I just thought to myself, guess what i’ll be creating now.lol. No problem at all, perhaps by the end of the night :wink: And i’ll get those firewall news topics to you as well.

Paul

Nope. I think one product is more mature than the other. Comodo is still young, and features are still being added on. Whereas ZA Free has matured such that the only thing they add to the product nowadays is bugfixes. The only reason I keep ZA Free on some Windows machines is because my family prefers clicking on ticks and crosses to open and close access to apps. (So for simplicity reasons). It’ll be the same reason why my other machines use Sunbelt-Kerio Personal Firewall…Only have two Windows boxes, but many Linux and BSD boxes.

It’s like comparing Windows to Linux on the desktop. Windows is about 10yrs ahead, while Linux has started to make its mark on the desktop in the last three years. Most people who try Linux out will still feel it’s not polished enough or they experience some problems due to a hardware configuration.

Since Linux came from enthusiasts, geeks, volunteers, they’re still improving themselves to make things easier for the desktop user. (The open-source model is a very aggressive way to develop software such that the progress made has been pretty impressive…Well compared to MS’s efforts with Vista it is! 5 yrs and Billions of $$$ spent, and the best they can do is not all that impressive! And they want people to pay for that?!)

As to which is stronger? I’m not sure, as I haven’t tested. I guess one way is to set up two Windows boxes. One with ZA Free and the other with Comodo, and attack them. See if you can find ways to bypass each. Maybe find ways to break them.

Deep down, I’m a Core Force fan. (But the complexity of it will put most people off). It combines filesystem/registry access control, firewall and sandboxing in one package.

2 cents. You bring up some good points. However Linux code was developed by Linus Torvalds and released free for people to build from and is one thing that kept Windows from complete world domination. ;) Windows is not "ahead" really, just very different and more user friendly. Bill got the Windows code handed to him, and he did build an Empire with it, no doubt. And actually Linux has been making its mark for far longer on the desktop but I believe your point is, it's becoming more user friendly and hitting more desktops. As far as experiencing hardware problems, I have found Linux to be quite hardware friendly in "some" areas and perhaps not support as many hardware items as Windows does. And Vista? Created in "actually before" 2001, and older than the XP system, thinking began I believe in the 95 era. This bothers me that this old of an OS is being put in place as our future OS. I can do without it. There are many open source OSes taking shape and I feel one will hit strongly in the not too distant future, fingers crossed. Core Force? Not so much turn people off would be a worry. Have you seen the mutilation of some easy to use firewalls? I shudder to think what some may do to this. :o I was a ZA user for over 6 years, I don't feel it's stronger. CPF's lacking is in the OLE department and I keep hounding poor Melih with it. One day he's going to hit the SMITE button on his keyboard. I find CPF to be stronger in many areas that matter. ZA I found simply slow and the last version wouldn't allow me to use DSL at all, so by definition, it's strong, cutting off all access to my pc, lol. CPF will become even greater. I do admit, I was such a CPF fan that I failed to see some shortcomings of the Firewall but now I do and I know they will be fixed as well. OLE OLE OLE OLE OLE OLE OLE ..... (:AGY)

Paul

The answer to this particular problem would be twofold in my humble opinion:

1/ Run a SECURE browser in the first place such as Opera or Mozilla; these exploits are almost exclusively designed to compromise IE.
2/ Dynamic Security Agent would presumably flag this BO up, since it would trigger the anomaly detection monitor if configured correctly. Also PrevX would surely spot this with its inbuilt heap/stack BO monitoring, or if not then, when the malware itself tried to execute?

Of course once the wonderful CAVS is finally released I fully expect all such threats to be a thing of the past (:WIN)

Hi

It has been announced that the CPF beta 2.4, due next week, will have BO protection.

To be honest, I don’t know. But, I guess not… unless Comodo really do love me & are releasing it just for me (I’m on W2k). :wink:

PS I’m sure someone will post a sensible answer.

BO protection? Are you SURE? Is this the RIGHT GUARD for our computers? What DEGREE of BO protection is this? Will it allow our SPEED to STICK or will it slow down our connection? I say let it ROLL ON. How will it effect DIAL up or is it fairly SUAVE? This is obviously no SECRET and if you are wrong, I don’t want to have to BAN you. ;D

Paul

Yes, I’m sure. No idea to all your other questions. I could have sworn I typed “sensible answer”. :wink:

It is a good defense. But it lacks behavioral analysis, flexibility, compatibility and it sometimes fails to detect the attack appropriately.

In our tests, we have successfully exploited many BOs although DEP is enabled (it sometimes detected them, sometimes failed).

Also CFW operates quite differently in BO detection. It patrols in critical points as a guardian with the help of behavior analysis so that if in the future some sort of unknown threat is present, the vulnerability window will still be very very small.

Egemen