From: alex_s on 9 Jan 2008 09:13

Sebastian G.;3357508 Wrote:
> bassbag wrote:
> > What are these known vulnerabilities that the vendor is unwilling to
> > fix?
>
> - buffer overflows in the kernel-mode driver due to lacking parameter
> validation
> - runs a privileged service with 6 invisible windows, making it
> vulnerable to shatter attacks

The buffer overflow in the kernel mode driver was fixed long ago; you can check it with the bsodhook utility from Matousec. Though, the fact of a buffer overflow doesn't prove vulnerability, it proves just insufficient parameter validation. In any case it is fixed, which can be easily checked by anybody.

As for the shatter attack. The fact there are invisible windows doesn't mean vulnerability either. A program should be able to send the messages to those windows, which is impossible in OA's case. So there is not any known vulnerability actually.

I have found that exploit utility and tested OA. Exploit failed. Low level debugging showed an "access denied" response to the messages the exploit tried to send to OA. I'm an OA beta teamer and I'm concerned about security, that is why I test everything by myself.

--
alex_s
alex_s's Profile: http://forums.techarena.in/member.php?userid=39234
View this thread: http://forums.techarena.in/showthread.php?t=864775
http://forums.techarena.in
From: Sebastian G. on 9 Jan 2008 10:52

alex_s wrote:
> Buffer overflow in the kernel mode driver is fixed long ago, you can
> check it with bsodhook utility from Matousec.

I fail to see how 'bsodhook' shall compete with the Driver Path Exerciser tool from the Windows Driver Kit. The problem is within buffer size vs. reported size, and a quick checkout clearly shows me that the most recent version of "Online Armor Firewall" is still vulnerable.

> Though, the fact of a buffer overflow doesn't prove vulnerability,

Of course it does, at least leading to a Denial of Service. However, this specific instance is clearly exploitable.

> As for the shatter attack. The fact there are invisible windows doesn't
> mean vulnerability either. A program should be able to send the messages
> to those windows, which is impossible in OA case.

According to my analysis, it does work very well with WM_SETTEXT and WM_TIMER.

> I have found that exploit utility and tested OA. Exploit failed.

That's why serious people write their own exploits.
From: alex_s on 9 Jan 2008 11:38

Sebastian G.;3443166 Wrote:
> alex_s wrote:
> > Buffer overflow in the kernel mode driver is fixed long ago, you can
> > check it with bsodhook utility from Matousec.
>
> I fail to see how 'bsodhook' shall compete with the Driver Path
> Exerciser tool from the Windows Driver Kit.

This is a great utility, actually. Many-many long-existing vendors were defeated by this simple tool. This tool tests all the kernel hooks in all the possible ways, including faked and completely wrong parameters.

Sebastian G.;3443166 Wrote:
> The problem is within buffer size vs. reported size, and a quick
> checkout clearly shows me that the most recent version of "Online Armor
> Firewall" is still vulnerable.

OK. This well may be, but this is something new, so in no case may it be called a "known vulnerability". I'll check it, though.

Sebastian G.;3443166 Wrote:
> > Though, the fact of a buffer overflow doesn't prove vulnerability,
>
> Of course it does, at least leading to a Denial of Service. However,
> this specific instance is clearly exploitable.

Have you ever reported this to the vendor? And what was the answer?

Sebastian G.;3443166 Wrote:
> > As for the shatter attack. The fact there are invisible windows
> > doesn't mean vulnerability either. A program should be able to send
> > the messages to those windows, which is impossible in OA case.
>
> According to my analysis, it does work very well with WM_SETTEXT and
> WM_TIMER.
>
> > I have found that exploit utility and tested OA. Exploit failed.
>
> That's why serious people write their own exploits.

Can you publish your own exploit so that anybody could use it? I just doubt your words, sorry.

--
alex_s
From: Volker Birk on 11 Jan 2008 03:36

alex_s <alex_s.32xa7e(a)donotspam.com> wrote:
> Sebastian G.;3357508 Wrote:
>> - runs a privileged service with 6 invisible windows, making it
>> vulnerable to shatter attacks
[...]
> As for the shatter attack. The fact there are invisible windows doesn't
> mean vulnerability either.

If a privileged system service opens windows at all, then this is a security breach. Please have a look at:

http://support.microsoft.com/?scid=kb%3Ben-us%3B327618

Shatter attacks are only one of many threats here.

Yours,
VB.

--
The file name of an indirect node file is the string "iNode" immediately followed by the link reference converted to decimal text, with no leading zeroes. For example, an indirect node file with link reference 123 would have the name "iNode123".
- HFS Plus Volume Format, MacOS X
From: alex_s on 11 Jan 2008 07:20

Volker Birk;3448494 Wrote:
> If a privileged system service opens windows at all, then this is a
> security breach.

This is completely true when applied to a _REGULAR_ service. But when it comes to a _SPECIAL_ service which _MUST_ protect other applications and services, do you think it cannot protect itself in the first place?

Let me explain. The problem with WM_SETTEXT and WM_TIMER messages was discovered long ago and is well known as the Shatter attack. Once a specially formatted message was sent to the target service and was processed by the _DEFAULT_ wndproc, YES, there is a way to inject your code in the service's context. But. If only the service is developed with knowledge of the nature of this attack, it can handle those messages in a special way. For one, it can detect (using the regular Windows API) the source of a message and, depending on this, either process it or not. This can be done by ANY regular service. And when it comes to a SPECIAL service, which controls system resources at the lowest possible level (RING 0 is meant here), there is not a problem to just laugh at this poor attempt to compromise security, which OA successfully does and which was proved by people who understand what they do.

I can bet nobody can successfully run a Shatter attack against OA. I have read much about the attack and I have tried to run it myself against OA. There is just no way to send an unauthorized message to the OA service, because OA fully and globally controls the Windows message queue.

--
alex_s
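As an added example, not code from this thread or from Online Armor: a plain-Python model of the WM_TIMER handling the posts above argue about, showing a default-style window procedure that calls whatever callback address the message carries beside a hardened one that only dispatches timers the service registered itself and logs the rest. Win32 handles, addresses, the callback table and the sender pid are all modelled here, not real API calls.

```python
from dataclasses import dataclass, field

WM_TIMER = 0x0113  # real Win32 message number; everything else here is a model

@dataclass
class Msg:
    message: int
    wparam: int      # for WM_TIMER: timer id
    lparam: int      # for WM_TIMER: TIMERPROC address, or 0
    sender_pid: int  # constructed for this model; a real posted message carries no sender

@dataclass
class Window:
    pid: int
    timers: dict = field(default_factory=dict)  # timer id -> callback registered via SetTimer
    log: list = field(default_factory=list)

    def set_timer(self, timer_id: int, callback) -> int:
        # Model of SetTimer(): only the window's owning process ever reaches this call.
        self.timers[timer_id] = callback
        return timer_id

def vulnerable_wndproc(win: Window, msg: Msg, memory: dict) -> str:
    # DefWindowProc-style handling: a non-zero lParam on WM_TIMER is called as code, whoever posted it.
    if msg.message == WM_TIMER and msg.lparam:
        return memory[msg.lparam](win)
    return "ignored"

def hardened_wndproc(win: Window, msg: Msg, memory: dict) -> str:
    # Only run a callback this window registered itself; log and drop anything else.
    if msg.message == WM_TIMER:
        registered = win.timers.get(msg.wparam)
        if registered is None or memory.get(msg.lparam) is not registered:
            win.log.append(f"rejected WM_TIMER id={msg.wparam} lparam={msg.lparam:#x} "
                           f"from pid {msg.sender_pid}")
            return "rejected"
        return registered(win)
    return "ignored"

def demo() -> tuple:
    # Constructed scenario: the service registers one timer at model address 0x1000;
    # another process posts a WM_TIMER pointing at 0x2000, which was never registered.
    memory = {0x1000: lambda _w: "service tick", 0x2000: lambda _w: "foreign code ran"}
    service = Window(pid=4)
    service.set_timer(1, memory[0x1000])
    forged = Msg(WM_TIMER, wparam=7, lparam=0x2000, sender_pid=1337)
    genuine = Msg(WM_TIMER, wparam=1, lparam=0x1000, sender_pid=4)
    return (vulnerable_wndproc(service, forged, memory), hardened_wndproc(service, forged, memory),
            hardened_wndproc(service, genuine, memory), service.log)
```

The hardened procedure cannot tell who posted a message; it only bounds what can execute to callbacks the service already trusts, which is why the KB article Volker Birk links to treats not opening windows from a privileged service at all as the real fix.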