Full Disclosure mailing list archives
RE: Re: Bypassing Personal Firewall (ZoneAlarmPro)Using DDE-IPC
From: "Debasis Mohanty" <mail () hackingspirits com>
Date: Sun, 2 Oct 2005 01:03:24 +0530
Hey TZ,
I am not sure we are speaking about the same attack. When I was speaking
about SendMessage()
I was refering to the presentation at CCC2003, i.e shelling IE simulating
a user through SendMessage() Api. As this wasn't clear in your previous reply so I got it wrong. Anyway thanks for clarifying ... :)
AFAIK, it does not, the Shatter Attack doesn't necessarely rely on
SendMessage(),
not to mention a driver shouldn't open a window at all
Very true .. The shatter attack & DDE problem is partially resolved by ZA current version as long the attack takes place at ring-3. I haven't checked it for ring-0 so can't comment on it. - D -----Original Message----- From: full-disclosure-bounces () lists grok org uk [mailto:full-disclosure-bounces () lists grok org uk] On Behalf Of Thierry Zoller Sent: Saturday, October 01, 2005 9:03 PM To: full-disclosure () lists grok org uk Subject: Re: [Full-disclosure] Re: Bypassing Personal Firewall (ZoneAlarmPro)Using DDE-IPC Dear Debasis, DM> I tested this earlier, SendMessage() / SetDlgItem() / DM> SetWindowText() doesn't work for the current version of ZA Products DM> (ZA Pro / Internet Sec Suit). I am not sure we are speaking about the same attack. When I was speaking about SendMessage() I was refering to the presentation at CCC2003, i.e shelling IE simulating a user through SendMessage() Api. DM> This helps preventing the most wellknown windows local attack - DM> Shatter Attack. AFAIK, it does not, the Shatter Attack doesn't necessarely rely on SendMessage(), not to mention a driver shouldn't open a window at all (not react to F1 messages either) <- if you read this and are a vendor check for this.. gives SYSTEM rights occasionaly. (through browse -> cmd.exe) DM> However, I still can see a way out for their latest product... Will DM> be updated soon. Looking forward to it :) -- Regards, Thierry Zoller mailto:Thierry () sniff-em com _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/ _______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- Re: Re: Bypassing Personal Firewall (Zone Alarm Pro)Using DDE-IPC Thierry Zoller (Oct 01)
- RE: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Debasis Mohanty (Oct 01)
- Re: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Florian Weimer (Oct 01)
- Re: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Thierry Zoller (Oct 01)
- RE: Re: Bypassing Personal Firewall (ZoneAlarmPro)Using DDE-IPC Debasis Mohanty (Oct 01)
- Re: Re: Bypassing Personal Firewall (ZoneAlarmPro)Using DDE-IPC Thierry Zoller (Oct 01)
- RE: Re: Bypassing Personal Firewall (ZoneAlarmPro)Using DDE-IPC Debasis Mohanty (Oct 01)
- Re: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Florian Weimer (Oct 01)
- RE: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Debasis Mohanty (Oct 01)
- RE: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Debasis Mohanty (Oct 01)
- Re: Re: Bypassing Personal Firewall (Zone AlarmPro)Using DDE-IPC Thierry Zoller (Oct 01)
- RE: Re: Bypassing Personal Firewall (ZoneAlarmPro)Using DDE-IPC Debasis Mohanty (Oct 01)