outpostPwn.txt

24 Jul 2006 | Reported by H. Wiedemann | Type: packetstorm | Source: packetstormsecurity.com

Outpost Firewall Vulnerabilities - Local User Privilege Escalation

`Hi,  
  
all currently available "Outpost Firewall" versions do have severe   
vulnerabilities, every local user is able to run programs under the very   
high privileged LocalSystem account.  
  
Steps to reproduce:  
  
1.) create an empty text file (e.g. "empty.txt")  
2.) create a batch file which will open a command shell.  
sth. like:  
cmd.exe  
3.) open the Outpost Firewall GUI  
4.) call one of the open or save file dialogs  
e.g. "File - Load Configuration"  
change the file type to "All Files *.*"  
5.) drag the "empty.txt" and drop it over the created batch file  
6.) a command shell opens running under the LocalSystem account  
(you can check this with "whoami.exe" from the windows resource kit   
tools)  
  
  
There're of course a lot of other drag&drop possibilities ... you could e.g.   
drop the text file over "notepad.exe" which will open a notepad with   
system privileges.  
  
Even if Agnitum disables the Drag&Drop functionality: the open/save   
dialog will always be able to read and write files with the rights of   
the LocalSystem account. Thus every user could severely damage the system.  
  
  
This vulnerability is by design, there're dozens of other possibilities   
to gain system privileges with Outpost. The problem is that the GUI is   
part of the windows service and is running with SYSTEM privileges. Even   
MS says that the so called "Interactive Services" shouldn't be used -->   
MSDN Library, topic "Interactive Services" - "Security Considerations   
for Interactive Services".  
  
  
--   
  
H. WIEDEMANN  
  
`
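A defender-side audit for the root cause the advisory names (a service that runs as LocalSystem and is allowed to show a GUI on the user's desktop). This is an added example, not part of the original post or of any vendor tooling. The function name Get-InteractiveSystemService is hypothetical; the registry values it reads (Type, ObjectName, Start, ImagePath, NoInteractiveServices) are standard Windows service configuration.

```powershell
# Added example: list Win32 services that are flagged as interactive and run as
# LocalSystem, i.e. the configuration described in the advisory above.
$SERVICE_WIN32_OWN_PROCESS   = 0x10
$SERVICE_WIN32_SHARE_PROCESS = 0x20
$SERVICE_INTERACTIVE_PROCESS = 0x100   # "Allow service to interact with desktop"

function Get-InteractiveSystemService {   # hypothetical helper name
    $root = 'HKLM:\SYSTEM\CurrentControlSet\Services'
    foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $p -or $null -eq $p.Type) { continue }
        $type = [int]$p.Type

        # Skip kernel and file-system drivers; only Win32 services are relevant.
        $win32 = $SERVICE_WIN32_OWN_PROCESS -bor $SERVICE_WIN32_SHARE_PROCESS
        if (-not ($type -band $win32)) { continue }
        if (-not ($type -band $SERVICE_INTERACTIVE_PROCESS)) { continue }

        # A Win32 service without an ObjectName is treated here as LocalSystem.
        $account = if ($p.ObjectName) { $p.ObjectName } else { 'LocalSystem' }
        if ($account -notmatch '^(\.\\)?LocalSystem$') { continue }

        [pscustomobject]@{
            Name      = $key.PSChildName
            Account   = $account
            Start     = $p.Start        # 2 = automatic, 3 = manual, 4 = disabled
            ImagePath = $p.ImagePath
        }
    }
}

# NoInteractiveServices = 1 tells the service control manager to refuse
# interactive services system-wide.
$win = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows' `
                        -ErrorAction SilentlyContinue
$blocked = ($null -ne $win) -and ($win.NoInteractiveServices -eq 1)

$findings = @(Get-InteractiveSystemService)
"NoInteractiveServices enforced: $blocked"
"Interactive LocalSystem services found: $($findings.Count)"
$findings | Format-Table -AutoSize
```

Any service this lists on a multi-user machine deserves the same scrutiny as the case above: every window, file dialog and child process it creates carries the service's privileges.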
