[Linux-guvenlik] Fwd: Writing Trojans that bypass Windows XP Service Pack 2 Firewall

---------


From: m.barış demiray (barisdemiray@yahoo.com)
Date: Sat 16 Oct 2004 - 01:59:31 EEST


Hello,
I received the attached message a little while ago. I am aware that it is
long and has nothing to do with GNU/Linux (I also apologise that it is in
English; I have no time to translate it). Still, I think it should be read
from beginning to end. In general it describes how the firewall that ships
with Windows SP2 can be bypassed (there is `proof-of-concept' code in the
attachment), how Microsoft does business on the back of user security, and
how absurd many of the security practices it relies on actually are. At the
very least, dual-booters take note ;-)

Good night, and good work.

NOTE: The message is also available at the following address:
http://www.securityfocus.com/archive/1/378508/2004-10-12/2004-10-18/0

--- americanidiot@hushmail.com wrote:

> Date: Mon, 11 Oct 2004 22:10:38 -0700
> To: bugtraq@securityfocus.com
> CC: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM,
> full-disclosure@lists.netsys.com
> Subject: Writing Trojans that bypass Windows XP
> Service Pack 2 Firewall
> From: <americanidiot@hushmail.com>
>
> Writing Trojans that bypass Windows XP Service Pack 2 Firewall
>
> Windows XP Service Pack 2 incorporates many enhancements to try to better
> protect systems from malware and other forms of attacks. One of those
> layers of protection is the Windows XP SP2 Firewall. One of the features
> of this firewall is the ability to allow users to decide what applications
> can listen on the network. By allowing users to control what applications
> can communicate on the network, Microsoft believes that systems will be
> protected against threats such as trojans. Like so many things Microsoft
> says, this is inaccurate and in fact it is very easy for locally executing
> code to bypass the Windows firewall. So don't worry, you aspiring Trojan
> developers, you're still going to be able to Trojan consumer and corporate
> systems to your heart's content.
>
> Attached to this email is proof of concept code that demonstrates how a
> Trojan could bind to a port and accept connections by piggybacking on the
> inherent trust of sessmgr.exe. Simply compile this program and run it as
> any local user. To test if the firewall has been bypassed (it is!) telnet
> from another machine to the target machine on port 333 and if you're
> connected, then you've successfully bypassed the Windows XP Service Pack 2
> Firewall.
>
> It is amazing to watch how the release of Windows XP Service Pack 2 has
> affected the computing industry. It is as if people are yearning for a
> cure so badly that they will happily drink the Kool-Aid and believe
> Microsoft's mantra, if for no other reason than the hope of security. In
> this belief, though, few are left standing to question the motivations and
> misguided nature of Windows XP Service Pack 2 and security in general from
> Microsoft.
>
> The security enhancements of Service Pack 2 are not targeted at helping
> corporations solve their Microsoft related security problems. Even in the
> case of security for home users Microsoft has failed to provide any real
> value. Instead they have provided confusion, and misguided trust.
>
> One of the first security enhancements of Service Pack 2 is the fact that
> Microsoft conducted a large scale source code audit to flush out any
> outstanding bugs that might exist within the XP and 2003 codebase. Through
> the use of source code analysis tools (PREfast and PREfix) and outside
> consultants, Microsoft has hoped to fix the majority of buffer overflows,
> and other commonly discovered vulnerabilities. This is probably the only
> valid security effort on Microsoft's part for Service Pack 2. Indeed many
> bugs have been identified and silently fixed within Service Pack 2. In
> fact so many security bugs have been fixed by Microsoft's source code
> audit that if you're running a Windows XP system without SP2 then you're
> leaving yourself at great risk of being compromised. It is easy to
> understand why some people would want to pat Microsoft on the back for
> this effort. But for those of you who have invested millions of dollars
> in Windows 2000, it is easy to understand why you might feel that
> Microsoft has wronged you. In fact you might feel more than wronged when
> Microsoft tells you that their answer for better security is to buy their
> new operating system. You might feel like Microsoft is the company selling
> you their sickness, and the next year, their cure.
>
> You also have to understand that there is a lot of shared code between
> Windows 2000 and Windows XP. What is the significance, you ask? Microsoft
> has found and fixed numerous vulnerabilities in Windows XP with the
> release of Windows XP SP2. These vulnerabilities also exist within Windows
> 2000. However, there is no current plan for Microsoft to release a
> Security Service Pack for Windows 2000, nor to do anything to fix the now
> known vulnerabilities (hundreds of them) that exist in Windows 2000. Again
> you are left with a choice: upgrade for a price, or be vulnerable. Is this
> not gross negligence and extortion? This goes beyond any analogies of car
> tires exploding and the liability of car manufacturers. It is a fact that
> right now Microsoft knows of insecurities within the Windows 2000
> operating system and they have no plan to do anything about it. The United
> States government, Department of Homeland Security, foreign governments,
> large financial institutions: you are at the mercy of a company drunk on
> ego. You ask for security but, like Microsoft, it is not a real priority
> to you. If it was then you would not let yourselves be so easily bullied
> by a software company who is powerless against you, if you chose to take
> a stand and not only demand better by your words, but by your actions.
>
> Another security enhancement of Service Pack 2 is better protection around
> executable code, to help prevent the propagation of virus and malware
> programs. One of the ways that Microsoft has tried to help fight off
> malware and virus programs is by adding an extra layer into the decision
> making process of a user trying to run a virus or malware program. This
> added layer uses code signing to attempt to verify trusted content. If a
> program is not signed by a trusted source then a user is notified of this
> and that user can allow or deny the program. This is another short sighted
> feature on Microsoft's part as it does not add any real benefit to
> corporations or home users. The way that this is going to work in the
> real world is that now instead of a user running a program, or saying yes
> to an ActiveX control, they are going to be prompted a second time and
> told "This code has not been signed, are you sure you want to execute
> it?" or in more realistic terms "Hello, this is your computer speaking.
> Are you sure you want to perform the action that you already told me you
> want to perform?" You can not expect a home user or your average corporate
> user to understand what code signing is or to know if executable content
> is coming from a trusted source or not. This is another exercise on
> Microsoft's part in creating the illusion of safety, much like airport
> guards carrying M-16 rifles. There is no real security value in this, and
> if there were, then why not provide this "needed" security functionality
> to older operating systems which Microsoft still "supports"? Even in the
> case of web browser security enhancements, such as the Internet Explorer
> enhancements that Microsoft has added to XP SP2, Microsoft will not
> provide those security enhancements for the Windows 2000 platform.... You
> can always pay to upgrade your corporate user desktop licenses to this
> supposedly more secure operating system. If Microsoft really believed
> these security enhancements were beneficial and needed then why not
> provide them to their users of other "supported" operating systems?
>
> The single most misunderstood security enhancement of Windows XP Service
> Pack 2 is the new and improved firewalling capabilities. It is amazing to
> see people talking about the Windows XP SP2 firewall as if it actually
> adds protection to corporations/organizations using Microsoft Windows. In
> truth the Service Pack 2 firewall does more harm than good because too
> many people have fallen under the mistaken idea that the firewall is going
> to protect them from attack. This false belief will cause companies to
> depend too much on a technology that cannot live up to their expectations.
> This notion of the Service Pack 2 firewall protecting you from attack is
> not something that IT people have dreamed up themselves, this is something
> that Microsoft reinforces in all of their messaging about XP SP2. In
> reality the XP SP2 firewall does nothing in the way of helping
> corporations stay protected against the latest worm threat. The way in
> which this firewall attempts to keep a system secure is by
> filtering/firewalling the various protocols and ports which are
> potentially vulnerable to worms. For example, if you were to block ports
> 135, 137, 139, 445, etc., you would have been "safe" against two of the
> biggest worms this year, Sasser and Blaster. In this example the Windows
> XP Service Pack 2 firewall would have protected your system against
> infection. The only problem is that this scenario does not work "in the
> real world". The reason is that these ports are the same ports that
> Microsoft Windows uses for File Sharing, System and Domain management, and
> various other functionality that is required by IT professionals to manage
> Windows based systems. So in an effort to protect your organization you
> would in turn create a denial of service and cripple your ability to
> manage your environment. Microsoft does make recommendations to only allow
> things like File Sharing and Windows Management available to other systems
> on your local subnet; however, for a lot of organizations your domain
> controller, file servers and IT management systems are not going to exist
> on the same 255 host subnet. Therefore you have to open these ports to the
> rest of your network, which means you are now back to square one and wide
> open to attack. Beyond all of these usability and false sense of security
> problems the Windows XP SP2 firewall is simply flawed as a program as
> illustrated in the beginning of this email by the bypass attack.
>
> When all the dust has settled around Windows XP SP2 people will see that
> there have continued to be vulnerabilities discovered, systems
> compromised, and worms released. The only difference is that you will have
> the appearance of security because Microsoft will be able to show pretty
> graphs and charts about how Windows XP SP2 and Windows 2003 have had fewer
> vulnerabilities than other OS's like Windows 2000. This is also largely in
> part because of monthly patching schedules and bundling of multiple
> vulnerabilities within a single patch, all to show downward trends in
> vulnerabilities. It is like they are trying to rub in the fact that they
> have so much power over you that they can knowingly leave you vulnerable,
> force you to pay them money to upgrade to security, and then tell the
> whole world they made you do it, and if the rest of you don't, then your
> systems are going to be compromised next. Compound that with the fact that
> the systems they are forcing you to upgrade to are not that much more
> secure, and ask yourselves how you have let such a monopoly gain so much
> control over HOW YOU DO BUSINESS, HOW YOU MANAGE YOUR LIFE.
>
> We can all do better, this is not how technology has to be.
>

> ATTACHMENT part 2 application/octet-stream name=sessmgr.c

=====
M.Barış Demiray

DOS: n., A small annoying boot virus that causes random
spontaneous system crashes, usually just before saving a massive project. Easily cured by UNIX. See also MS-DOS, IBM-DOS, DR-DOS.
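The post's attachment, sessmgr.c, is not reproduced in this archive, so the bypass itself is not shown here. What a practitioner can check is what the SP2 firewall has been told to trust, since every enabled program exception is, by the post's own argument, a process whose trust local code can borrow, and every exception scoped to any address rather than the local subnet is exactly the "back to square one" case the post describes. The following is an added example (not the original post's code, nor anything of Microsoft's): it parses a regedit text export of the firewall policy's AuthorizedApplications and GloballyOpenPorts lists and flags enabled program exceptions and any exception whose scope is `*`. The registry key names and the `path:scope:state:name` / `port:proto:scope:state:name` value layouts are written from memory of XP SP2 and are an assumption to verify against a real export; the sample export below is constructed, and its port 333 entry only echoes the post's test port.

```python
"""Audit the program and port exceptions an XP SP2 firewall policy trusts.

Added example; it is neither the sessmgr.c from the original post nor
Microsoft code.  The key names and value layouts below are written from
memory of XP SP2 exports and are an assumption to verify on a real box.
"""
import re

# Sub-keys of HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
# FirewallPolicy\<Profile> that hold the exception lists (assumed names).
APPS_KEY = r"\AuthorizedApplications\List"
PORTS_KEY = r"\GloballyOpenPorts\List"

# Assumed value layouts:
#   apps : <path>:<scope>:<Enabled|Disabled>:<display name>
#   ports: <port>:<TCP|UDP>:<scope>:<Enabled|Disabled>:<display name>
# <scope> is "*" (any address), "LocalSubNet", or an explicit address list.
APP_RE = re.compile(
    r"^(?P<target>.+?):(?P<scope>[^:]+):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)
PORT_RE = re.compile(
    r"^(?P<port>\d+):(?P<proto>tcp|udp):(?P<scope>[^:]+):(?P<state>enabled|disabled):(?P<name>.*)$", re.I)
# One "name"="data" line of a regedit text export.
VALUE_RE = re.compile(r'^"(?P<vname>(?:[^"\\]|\\.)*)"="(?P<vdata>(?:[^"\\]|\\.)*)"$')

REASON_PROGRAM = "program-exception"  # local code that piggybacks on the binary listens with its trust
REASON_ANY = "any-address"            # reachable from any address, not just LocalSubNet

# Constructed sample export (not taken from a real machine).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\sessmgr.exe"="C:\\WINDOWS\\system32\\sessmgr.exe:*:enabled:@xpsp2res.dll,-22019"
"C:\\Program Files\\Example\\client.exe"="C:\\Program Files\\Example\\client.exe:LocalSubNet:Enabled:Example Client"
"C:\\Program Files\\Old\\tool.exe"="C:\\Program Files\\Old\\tool.exe:*:Disabled:Old Tool"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:LocalSubNet:Enabled:@xpsp2res.dll,-22004"
"445:TCP"="445:TCP:*:Enabled:@xpsp2res.dll,-22005"
"333:TCP"="333:TCP:*:Enabled:Custom"
'''


def _unescape(s):
    """Undo regedit's escaping of backslashes and quotes inside a string."""
    return s.replace('\\\\', '\\').replace('\\"', '"')


def parse_exceptions(reg_text):
    """Return one dict per exception found in the export, in file order."""
    entries, key = [], None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            key = line[1:-1]                  # current registry key path
            continue
        m = VALUE_RE.match(line)
        if key is None or not m:
            continue
        data = _unescape(m.group('vdata'))
        profile = key.split('\\')[-3]         # e.g. StandardProfile / DomainProfile
        if key.endswith(APPS_KEY) and (am := APP_RE.match(data)):
            entries.append({'kind': 'app', 'target': am['target'], 'scope': am['scope'],
                            'enabled': am['state'].lower() == 'enabled',
                            'name': am['name'], 'profile': profile})
        elif key.endswith(PORTS_KEY) and (pm := PORT_RE.match(data)):
            entries.append({'kind': 'port', 'target': f"{pm['port']}/{pm['proto'].upper()}",
                            'scope': pm['scope'], 'enabled': pm['state'].lower() == 'enabled',
                            'name': pm['name'], 'profile': profile})
    return entries


def audit(reg_text):
    """Map each enabled exception worth a second look to the reasons it was flagged."""
    report = {}
    for e in parse_exceptions(reg_text):
        if not e['enabled']:
            continue
        reasons = []
        if e['kind'] == 'app':
            reasons.append(REASON_PROGRAM)
        if e['scope'] == '*':
            reasons.append(REASON_ANY)
        if reasons:
            report[e['target']] = reasons
    return report


if __name__ == '__main__':
    for target, reasons in audit(SAMPLE_REG).items():
        print(f"{target:45} {', '.join(reasons)}")
```

On a real machine, export the policy with `regedit /e fw.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy` (the file is normally UTF-16, so decode it before passing the text to `audit`). Every `program-exception` line is a binary whose listening socket the firewall will accept no matter who started it, which is the whole of the post's complaint; every `any-address` line is an exception that the local-subnet recommendation was meant to avoid.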

                
_______________________________
Do you Yahoo!?
Declare Yourself - Register online to vote today!
http://vote.yahoo.com


_______________________________________________
Linux-guvenlik mailing list
Linux-guvenlik@liste.linux.org.tr
http://liste.linux.org.tr/mailman/listinfo/linux-guvenlik



---------

This archive was generated by hypermail 2.1.2.