ITCP Advisory 13: Bypassing of ATGuard Firewall possible

["BlueScreen" <BlueScreen () IT-Checkpoint net>]

- ------------------------------------------------------------
itcp advisory 13 advisories () it-checkpoint net
http://www.it-checkpoint.net/advisory/12.html
April 29th, 2002
- ------------------------------------------------------------



ITCP Advisory 13: Bypassing of ATGuard Firewall possible
- -------------------------

Affected programs:  ATGuard Personal Firewall (At least Version 3.2,
probably others)
URL: Not existant any more, the software is still wide spread
Vendor: The ATGuard-Technology was bought by Norton and included in it's
Norton Personal Firewall
Vulnerability-Class: Bypassing of a personal Firewall (Desktop Firewall)
OS specific: Windows
Problem-Type: local and remote


SUMMARY

ATGuard is a very good personal desktop firewall, which comes with a wide
range of possibilities:

- Firewall functions
- Webfilter functions
- Privacy protection functions

It is also possible, to allow specific connections bound to applications
(for example, you can allow all connections
to Port 80 on any host for Internet Explorer).

Futher, it is possible to protect the firewall configuration (and start &
stop of it) with a password. This could be a great
possibility, to control the activities of children and youths in the
internet.


DETAILS

As mentioned before, it is possible to allow for specific applications
specific connections.
For example, most users use Internet Explorer to browse the internet.
It is a logical assumption, that people using the Internet Explorer to
browse the WWW allow
outbound connections to all hosts at least to the destination port 80.
Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
much better), to
determine wether the executed program is real the one, that is allowed to
connect to all hosts on port 80.
It just uses the filename (in this case "IEXPLORE.EXE").


IMPACT

ATGuard can be fooled to think that a disallowed program is allowed to
connect to the internet.
Trojan horses which use outbound connections or using
HTTP-Tunneling-Software to tunnel unwanted
connections (like ICQ) are not blocked.

EXPLOIT

There are many different possibilities to exploit this. This is a sample how
to get ICQ working on a computer,
on which only Internet Explorer is allowed to connect to port 80. All other
outbound connections are blocked by ATGuard.

Download the HTTP-Tunnel-Client from www.HTTP-Tunnel.com. Install it to your
computer.
When you try to configure it, it will tell you, that it can't find the
HTTP-Tunnel-Server.

Now, just rename / copy the File "HTTP-Tunnel Client.exe" to "IEXPLORE.EXE".
Fire it up again using the IEXPLORE.EXE-Filename. After short time it should
tell you, that it is working correctly.

As said before, it is possible to use trojan horses to fool bad configured
firewalls, etc...

SOLUTION

There doesn't exist an solution, since ATGuard is not developped anymore. We
were not able to test the Norton Personal Firewall
for this problem, since no one of us owns it. We are contacting Norton
directly with this Advisory.


ADDITIONAL INFORMATION
Vendor has not been contacted. (since he doesn't exist anymore).

Since there exist more personal firewalls like ATGuard, we will have a look
at the free ones and try the same.



Bugs discovered and published by Florian "BlueScreen"  Hobelsberger
 BlueScreen () IT-Checkpoint net ) from
www.IT-Checkpoint.net



-----------------------
DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.