Firewall security risks-vulnerability warning-the black bar safety net

ID MYHACK58:62200714714
Type myhack58
Reporter 佚名
Modified 2007-03-25T00:00:00


By Kenshin [B.C.T] (published in Hacker Manual 06.6). Please credit http://www.loveshell.net when reproducing. Thank you!

I have never had anything good to say about firewalls; during an intrusion they are a rather nasty stumbling block. They cover system vulnerabilities very thoroughly, so some of the commonly used system-level overflows become useless, which annoys the intruder no end. But attackers never give in. The popular tactic now is to go in through port 80, which the firewall never intercepts, and then escalate privileges from a webshell; the whole process looks completely legitimate and the firewall raises no alarm. However, after getting from the webshell into the internal system, for one reason or another the intruder will need a connection from the inside to the outside. That is the situation for server intrusions; for people who plant Trojans, a firewall is a nightmare. After a great deal of effort, success is ruined by a firewall. Of course you can kill the firewall, but you cannot keep it from starting forever, and wouldn't others become suspicious? Our reverse-connecting Trojans are often killed this way; something like Skynet is really extreme.

But this kind of firewall software has a hidden safety hazard. Maybe it should not even be called a security risk, because all software on a Windows-based operating system has this bug, including Microsoft's own. Windows allows a running program to be changed (renamed), including some service-level programs. Perhaps nobody finds this strange; replacing a service binary to escalate privileges is the typical application. But I happened to find that Skynet has this problem too!

Let's do an experiment!

First we put nc9.exe into system32 and, from cmd, run the command nc9 -vv 80.

A dialog pops up asking whether to allow access to the network; we choose Allow, as shown in Figure 1. Then we execute the command rename nc9.exe nc8.exe (renaming nc9.exe to nc8.exe). Skynet's rules now contain a record allowing c:\winnt\system32\nc9.exe to access the network. Continuing the experiment, we set telnet.exe to deny network access, as shown in Figure 2. Now telnet.exe times out when it tries to access the network. Run copy telnet.exe .\nc9.exe (so telnet.exe now carries the name nc9.exe) and then telnet again. As shown in Figure 3, it connects!

It seems Skynet really decides whether to let a program through based only on its name, and never checks whether the current program is the original. Well, since the firewall has such a weakness (I only tested Skynet, but I believe Windows-based firewalls have this problem in general), how are we supposed to use it? My method: find a program that Skynet is sure to allow to access the network and replace it, or simply bundle your own program with it. The key to success is to find a program that is allowed to access the network in a folder where we have write permission; by default, the running program is renamed and the substitute takes its place (李代桃僵, the plum tree dies in place of the peach). For the former, I looked at the several .dat files under Skynet's rules directory; opening them in Notepad gives a mass of garbage, and I did not analyze them. Alternatively, simply add a record: some programs are certainly allowed to access the network, such as IE, QQ for individual users, and certain services on a server. The .dat database file could be downloaded and studied, but I was pressed for time and had no setup to experiment with. The latter condition is also very easy to meet: Serv-U, some local overflow on Windows, or planting a Trojan that runs with the permissions of the current user......

Maybe this simply cannot be counted as a firewall problem, because Windows as a whole allows an existing program to be renamed; strictly speaking it can only be called a Windows bug! I can only scratch the surface here. Why doesn't the firewall do an MD5 check on the programs in its security settings, and ask again when it finds the program is not the original?...... But doing security well for something that lives entirely in the application layer is hard......
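As an added illustration (not code from the original article), the following Python stand-in contrasts a Skynet-style rule keyed on the program path alone with the content-digest check the author asks for, replaying the rename trick on constructed files (the nc9.exe and telnet.exe here are placeholder byte strings, not real binaries).

```python
import hashlib
import os
import shutil
import tempfile

def sha256_of(path):
    """Digest of the file's contents (the author suggests MD5; SHA-256 is used here)."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

class PathRules:
    """Skynet-style rule table: the decision is keyed on the program path alone."""
    def __init__(self):
        self.rules = {}
    def remember(self, path, decision):
        self.rules[os.path.normcase(path)] = decision
    def decide(self, path):
        return self.rules.get(os.path.normcase(path), "ask")

class HashRules:
    """Hardened rule table: the decision is tied to the contents seen when the user answered."""
    def __init__(self):
        self.rules = {}
    def remember(self, path, decision):
        self.rules[os.path.normcase(path)] = (sha256_of(path), decision)
    def decide(self, path):
        entry = self.rules.get(os.path.normcase(path))
        if entry is None or entry[0] != sha256_of(path):
            return "ask"   # unknown program, or the file changed since the user answered
        return entry[1]

def run_substitution_experiment():
    """Replay the article's experiment on constructed stand-ins; return both verdicts."""
    d = tempfile.mkdtemp()
    allowed = os.path.join(d, "nc9.exe")      # constructed stand-in for the allowed program
    denied = os.path.join(d, "telnet.exe")    # constructed stand-in for the denied program
    with open(allowed, "wb") as f: f.write(b"constructed stand-in for nc9.exe")
    with open(denied, "wb") as f: f.write(b"constructed stand-in for telnet.exe")
    path_rules, hash_rules = PathRules(), HashRules()
    for rules in (path_rules, hash_rules):
        rules.remember(allowed, "allow")   # user clicked Allow (Figure 1)
        rules.remember(denied, "deny")     # user set telnet.exe to deny (Figure 2)
    shutil.copyfile(denied, allowed)       # copy telnet.exe .\nc9.exe
    verdict = {"path_based": path_rules.decide(allowed),
               "hash_based": hash_rules.decide(allowed)}
    shutil.rmtree(d)
    return verdict

if __name__ == "__main__":
    print(run_substitution_experiment())   # {'path_based': 'allow', 'hash_based': 'ask'}
```

The path-keyed table still returns "allow" for the substituted file, while the digest-keyed table notices the contents no longer match and falls back to asking the user, which is the behaviour the author wishes the firewall had.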