/ Forside / Teknologi / Internet / Sikkerhed / Nyhedsindlæg
Login
Glemt dit kodeord?
Brugernavn

Kodeord


Reklame
Top 10 brugere
Sikkerhed
#NavnPoint
stl_s 37026
arlet 26827
miritdk 20260
o.v.n. 12167
als 8951
refi 8694
tedd 8272
BjarneD 7338
Klaudi 7257
10  molokyle 6481
hvorfor personlige 'firewalls' er noget lo~
Fra : supermand


Dato : 07-12-01 09:38

[lusket fra bugtraq]

Issue: Outbound filtering in personal firewalls does not block
packets that are generated by protocol stacks other than the
default Microsoft stack.

Description: While working to port LaBrea to the Win9x platform, I
was faced with the task of creating packets with specific flags,
window sizes, etc... In order to accomplish this, I was forced to
"roll my own" protocol adapter that would allow me to send TCP
packets formatted in specific ways. As a side effect of this, I found
that at least two personal firewalls don't "see" the TCP packets
that this "non-standard" protocol adapter generates.

In experimenting further, it was found that the "Lock" or "Block All"
settings of those firewalls was also ineffective against TCP packets
from non-standard protocol adapters.

Known vulnerable firewalls: ZoneAlarm and ZoneAlarm Pro as of
their current revisions and Tiny Personal Firewall. Although I
cannot test it, I believe all versions prior to the current ones are
also vulnerable.

Vendor responses: ZoneLabs was initially contacted regarding this
issue on November 9th. Since that time, I've received sporadic
updates on their progress in fixing this issue. As of the present
time, I have tested at least one ZoneLabs supplied "fix." The
method of "fixing" this issue, as demonstrated by this "beta" was
to silently drop all TCP packets not originating from the standard
Windows TCP protocol adapter. I have explained to Zone Labs that
I don't believe this is a valid approach.

They have, in my estimation, taken this route because they cannot
trace the source of packets back through a protocol adapter that
they know nothing about. Any other approach would require that
they issue a warning to the user, saying essentially "Some
application on your machine has attempted to send a TCP packet.
We don't know what that application is... we can't know.... So! Do
you want to let it communicate?" That would tend to tarnish the
carefully crafted ZoneAlarm image.

I fully expect to take heat from ZoneLabs for publishing this
vulnerability. However, I will say this: ZoneLabs has, from the
outset, done nothing but attempt to duck, mislead and obfuscate
the issue. It has been over three weeks, and I have seen nothing
from them but a buggy beta "fix" that essentially breaks NDIS
functionality without any warning to the user. I have asked them to
confirm for me in writing their intention to "fix" this issue by silently
dropping valid packets.

Tiny Software: Tiny was also contacted in mid-November, but did
not reply. I have recently re-contacted Tiny, and they have now
acknowledged that the problem exists, and have stated that they
intend to block "non-standard" protocol access to NDIS, but have
yet to reply about how (ie. silent drop, warn the user, etc...) this
will be accomplished.

Note: Other personal firewalls might very well be susceptible to this
same problem. I haven't the time or the resources available to test
them.

Also troubling is the fact that, in both cases, specially crafted
packets can be sent *to* a machine which an application can sniff
off the wire. These packets are ignored by the personal firewalls
and there is no warning to the end user. This makes two-way
communication possible with a machine, even when its firewall is
set to "Lock" or "Block All" network traffic.

Please forgive me for jumping on my soap box: I believe that the
real issue at hand has little to do with vulnerabilities and protocol
adapters. The real issue here is marketing. The entire personal
firewall industry has been driven to make claims that it cannot
deliver on. There is a vicious "me too" cycle that drives personal
firewall vendors. Now, there are testing labs and "certifications."
(Both TinyPFW and ZoneAlarmPro are certified by ICSA Labs.)
This is just insane. When I look at the concept of "outbound
filtering", I see a distinct parallel to "copy protection." Both
concepts suffer from the same, basic flaws. The problem is in the
claims that personal firewall vendors are making and the fact that
they're allowed to get away with it.

An application, demonstrating this vulnerability is available at:

http://www.hackbusters.net/ob.html

-TL


Tom Liston, GSEC
Network Administrator
Prem Magnetics, Inc.
tliston@premmag.com
tliston@hackbusters.net

 
 
Alex Holst (07-12-2001)
Kommentar
Fra : Alex Holst


Dato : 07-12-01 09:52

supermand <kal-el@metropol.is.invalid> wrote:
> [lusket fra bugtraq]
[..]

Det er et langt indlaeg som maaske ikke alle er klar til at laese igennem,
saa jeg tillader mig lige at citere det absolut vigtigste afsnit:

> Please forgive me for jumping on my soap box: I believe that the real
> issue at hand has little to do with vulnerabilities and protocol adapters.
> The real issue here is marketing. The entire personal firewall industry
> has been driven to make claims that it cannot deliver on.

Nemlig.

--
I prefer the dark of the night, after midnight and before four-thirty,
when it's more bare, more hollow. http://a.area51.dk/


Daniel Blankensteine~ (07-12-2001)
Kommentar
Fra : Daniel Blankensteine~


Dato : 07-12-01 10:46

"Alex Holst" <a@area51.dk> wrote in message
news:slrna110pn.2h48.a@C-Tower.Area51.DK...
> Det er et langt indlaeg som maaske ikke alle er klar til at laese igennem,
> saa jeg tillader mig lige at citere det absolut vigtigste afsnit:
>
> > Please forgive me for jumping on my soap box: I believe that the real
> > issue at hand has little to do with vulnerabilities and protocol
adapters.
> > The real issue here is marketing. The entire personal firewall industry
> > has been driven to make claims that it cannot deliver on.
>
> Nemlig.
Ja. At sige til folk at de er "sikker", bare de køber sikkerhedspakken fra
Teledanmark er direkte løgn. Det giver en falsk sikkerhedsfornemmelse, se fx
posten "Skjult IP. Ja sikkert" (som du også skrev til).

mvh
db



Søg
Reklame
Statistik
Spørgsmål : 177552
Tips : 31968
Nyheder : 719565
Indlæg : 6408849
Brugere : 218887

Månedens bedste
Årets bedste
Sidste års bedste