Vulnerability Development mailing list archives
Re: Bypassing Personal Firewalls
From: H C <keydet89 () yahoo com>
Date: Fri, 21 Feb 2003 08:38:07 -0800 (PST)
Oliver,

> Here's a code snippet that injects code directly into a running process without the need for a DLL etc.

Just for clarification...I'm trying to understand what you mean...you say "without the need for a DLL", but the code relies on three DLLs.

> Demonstrates that process boundaries under NT mean very little within the context of a given UID. This allows PFWs to be bypassed, as well as making it very easy to hide running malicious code on a system. The example is a 'sploit that makes a connection from within IE, and slips under the radar of all PFWs I've tested.

How does this code conceptually and significantly differ from similar code that accesses IE as a COM server, and makes the same request?

> Having briefly discussed this with PFW vendors, it doesn't appear to be much of a concern to them. I think it illustrates that OpenProcess, ptrace, and the like should really enforce filesystem privileges on the processes they can modify.

I think we're back to the old adage of running code on a system. For this to execute, thermite.exe will have to execute on the system...so once you get the code on the system, in many cases, it's all over with at that point. Perhaps that's the larger issue here.
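As an added example (not code from this thread or either poster), one defender-side response to the point raised above, that any process running under the same UID can open and write to another, is to watch for exactly that: a handle opened on a network-facing process with write and thread-creation rights. The script parses constructed Sysmon-style ProcessAccess records (field names follow Sysmon Event ID 10; the sample lines, the watched-target list and the expected-source list are assumptions).

```python
import re

# Windows process access rights that together allow classic code injection
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_MASK = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

# Network-facing processes whose outbound traffic a PFW normally trusts (assumption)
WATCHED_TARGETS = {"iexplore.exe", "outlook.exe", "svchost.exe"}
# Processes that legitimately open others with these rights; site-specific assumption
EXPECTED_SOURCES = {"csrss.exe", "lsass.exe", "msmpeng.exe"}

# "Key: value Key: value" on one line; values may contain spaces and backslashes
FIELD_RE = re.compile(r"(\w+): (.*?)(?=\s+\w+: |$)")

def parse_record(line):
    """Parse one flattened Sysmon-style record into a dict of field -> value."""
    return dict(FIELD_RE.findall(line))

def is_suspicious(rec):
    """True when a non-expected process opens a watched target with injection rights."""
    src = rec.get("SourceImage", "").rsplit("\\", 1)[-1].lower()
    dst = rec.get("TargetImage", "").rsplit("\\", 1)[-1].lower()
    granted = int(rec.get("GrantedAccess", "0"), 16)
    return (dst in WATCHED_TARGETS and src not in EXPECTED_SOURCES
            and granted & INJECT_MASK == INJECT_MASK)

def find_injections(lines):
    """Return (SourceImage, TargetImage, GrantedAccess) for each suspicious record."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if is_suspicious(rec):
            hits.append((rec["SourceImage"], rec["TargetImage"], rec["GrantedAccess"]))
    return hits

# Constructed sample records, not real telemetry
SAMPLE = [
    "SourceImage: C:\\Users\\bob\\thermite.exe TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe GrantedAccess: 0x1F0FFF",
    "SourceImage: C:\\Windows\\System32\\csrss.exe TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe GrantedAccess: 0x1FFFFF",
    "SourceImage: C:\\Users\\bob\\notepad.exe TargetImage: C:\\Program Files\\Internet Explorer\\iexplore.exe GrantedAccess: 0x1000",
    "SourceImage: C:\\Users\\bob\\thermite.exe TargetImage: C:\\Windows\\System32\\calc.exe GrantedAccess: 0x1F0FFF",
]

if __name__ == "__main__":
    for hit in find_injections(SAMPLE):
        print("possible injection:", hit)
```

Only the first record is flagged: a query-only handle (0x1000) and an open on a non-watched target are ignored, and the allow-list keeps a known system process out of the alerts.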
Current thread:
- Bypassing Personal Firewalls xenophi1e (Feb 21)
- Re: Bypassing Personal Firewalls H C (Feb 21)
- RE: Bypassing Personal Firewalls Oliver Lavery (Feb 21)
- <Possible follow-ups>
- RE: Bypassing Personal Firewalls xenophi1e (Feb 21)
- Re: Bypassing Personal Firewalls Seth Knox (Feb 24)
- Re: Bypassing Personal Firewalls H C (Feb 21)