Vuln Dev
Bypassing Personal Firewalls Feb 21 2003 12:35AM
xenophi1e (oliver lavery sympatico ca) (1 replies)
Re: Bypassing Personal Firewalls Feb 21 2003 04:38PM
H C (keydet89 yahoo com) (1 replies)

> Here's a code snippet that injects code directly
> into a running process
> without the need for a DLL etc.

Just for clarification...I'm trying to understand what
you say "without the need for a DLL", but
the code relys on three DLLs.

> Demonstrates that process boundaries
> under NT mean very little within the context of a
> given UID.
> This allows PFWs to be bypassed, as well as making
> it very easy to hide
> running malicious code on a system. The example is a
> 'sploit that makes a
> connection from within IE, and slips under the radar
> of all PFWs I've tested.

How does this code conceptually and significantly
differ from similar code that accesses IE as a COM
server, and makes the same request?

> Having briefly discussed this with PFW vendors, it
> doesn't appear to be
> much of a concern to them. I think it illustrates
> that OpenProcess,
> ptrace, and the like should really enforce
> filesystem priviledges on the
> processes they can modify.

I think we're back to the old adage of running code on
a system. For this to execute, thermite.exe will have
to execute on the once you get the code on
the system, in many cases, it's all over with at that
point. Perhaps that's the larger issue here.

Do you Yahoo!?
Yahoo! Tax Center - forms, calculators, tips, more

[ reply ]
RE: Bypassing Personal Firewalls Feb 21 2003 05:01PM
Oliver Lavery (oliver lavery sympatico ca)


Privacy Statement
Copyright 2010, SecurityFocus