Bugtraq mailing list archives
Re: Flaw caused by default rulesets in many desktop firewalls under windows
From: Frank Knobbe <fknobbe () knobbeits com>
Date: 10 May 2002 22:34:45 -0500
On Fri, 2002-05-10 at 13:44, Christian decoder Holler wrote:
> Several desktop firewalls for Windows, such as Tiny Personal Firewall 2.0 or ATGuard, maybe also others, allow DNS resolving by default. That allows reversed trojans to connect to a server on port 53 and send/receive commands and information without the user knowing it. The firewall permits any communication to any server on port 53 UDP. I wrote a small trojan in VB and tested it with Tiny Personal Firewall 2.0 and it worked.
>
> Solution: Change the default rules for DNS to a fixed host, for example to the DNS server of the ISP or the DNS server in the local network.
Unfortunately that does not prevent tunnels through DNS. Sophisticated tunnels slip data through DNS requests (typically for a domain where a rogue DNS server is answering, as a tunnel endpoint). Data is piggybacked on the queries/responses. These tunnels don't care through which DNS server you send the request, ISP or local. In either case the request queries the root server for the gTLD server, which refers to the rogue authoritative DNS server when finally the packet hits the pocket in the socket on the port...

Only DNS query scrubbing through some kind of smart DNS content proxy can prevent DNS tunnels. Are there any available yet? Let me know if you find a decent one...

Regards,
Frank
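The "smart DNS content proxy" the reply asks for comes down to inspecting query names and record types rather than trusting the destination port. The following Python script is an added example, not code from either poster: it parses a constructed resolver query log (format, addresses, names and thresholds are all assumptions made for this example) and flags registered domains whose traffic shows the signs of a tunnel the reply describes: long, high-entropy labels that never repeat, and a preference for payload-carrying record types such as TXT or NULL. It runs offline with no network access.

```python
import math
import re
from collections import defaultdict

# Constructed resolver query log, one "timestamp client qtype qname" per line.
# Every address and name below is made up for this example (example.* domains).
SAMPLE_LOG = """\
2002-05-11T03:12:40Z 192.168.1.20 A www.example.com
2002-05-11T03:12:41Z 192.168.1.20 A mail.example.com
2002-05-11T03:12:42Z 192.168.1.20 TXT 7a2f9c4e1b8d3a6f5e0c2b9d4a7f1e3c.t.example.net
2002-05-11T03:12:42Z 192.168.1.20 TXT 3c8b1d5f9a2e7c4b6d0f8a1e5c3b7d9f.t.example.net
2002-05-11T03:12:43Z 192.168.1.20 TXT c5e2a8f4d1b7e9c3a6f0d2b8e4c1a7f5.t.example.net
2002-05-11T03:12:43Z 192.168.1.20 NULL f1d7b3a9e5c2f8d4b0a6e1c7d3f9b5a2.t.example.net
2002-05-11T03:12:44Z 192.168.1.20 TXT 9b4e6c1a3f7d2e8b5c0a4f6d1e3b7c9a.t.example.net
2002-05-11T03:12:45Z 192.168.1.20 A www.example.org
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")
# Record types that carry large free-form payloads and rarely appear in ordinary client lookups.
PAYLOAD_QTYPES = {"TXT", "NULL"}


def shannon_entropy(s):
    """Bits of entropy per character: about 4.0 is the ceiling for hex text, 0 for a repeated character."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Last two labels of the name (a simplification; a public-suffix list is the proper tool)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped instead of aborting the analysis."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, client, qtype, qname = m.groups()
        records.append({"ts": ts, "client": client, "qtype": qtype.upper(), "qname": qname.lower()})
    return records


def domain_stats(records):
    """Aggregate, per registered domain, the features that separate tunnel traffic from normal lookups."""
    acc = defaultdict(lambda: {"queries": 0, "payload_qtype": 0, "subdomains": set(),
                               "max_label_len": 0, "entropy_sum": 0.0})
    for r in records:
        labels = r["qname"].rstrip(".").split(".")
        dom = registered_domain(r["qname"])
        sub = ".".join(labels[:-2])          # everything left of the registered domain
        st = acc[dom]
        st["queries"] += 1
        st["payload_qtype"] += int(r["qtype"] in PAYLOAD_QTYPES)
        st["subdomains"].add(sub)
        st["max_label_len"] = max(st["max_label_len"], max(len(lab) for lab in labels))
        st["entropy_sum"] += shannon_entropy(sub.replace(".", ""))
    out = {}
    for dom, st in acc.items():
        q = st["queries"]
        out[dom] = {
            "queries": q,
            "payload_qtype_ratio": st["payload_qtype"] / q,
            "unique_subdomain_ratio": len(st["subdomains"]) / q,
            "max_label_len": st["max_label_len"],
            "avg_entropy": st["entropy_sum"] / q,
        }
    return out


def flag_tunnel_candidates(records, min_queries=3):
    """Return {domain: [reasons]} for domains tripping at least two tunnel indicators.

    Thresholds are assumptions for this example; tune them against your own baseline traffic.
    """
    flagged = {}
    for dom, s in domain_stats(records).items():
        if s["queries"] < min_queries:       # too little data to judge
            continue
        reasons = []
        if s["max_label_len"] >= 30:
            reasons.append("long labels")
        if s["avg_entropy"] >= 3.5:
            reasons.append("high-entropy subdomains")
        if s["payload_qtype_ratio"] >= 0.5:
            reasons.append("mostly TXT/NULL queries")
        if s["unique_subdomain_ratio"] >= 0.9:
            reasons.append("never-repeating subdomains (resolver cache never hits)")
        if len(reasons) >= 2:
            flagged[dom] = reasons
    return flagged


if __name__ == "__main__":
    for dom, why in flag_tunnel_candidates(parse_log(SAMPLE_LOG)).items():
        print(dom, "->", ", ".join(why))
```

Requiring two independent indicators keeps a single long CDN hostname or an occasional legitimate TXT lookup from raising an alert; a proxy that applied these checks inline could drop or rate-limit queries for a flagged domain, which is the scrubbing the reply says a plain port-53 rule cannot provide.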