[25440] in bugtraq
Re: Flaw caused by default rulesets in many desktop firewalls
daemon@ATHENA.MIT.EDU (Christian decoder Holler)
Sat May 11 19:21:29 2002
Date: 11 May 2002 14:43:23 -0000
Message-ID: <20020511144323.23537.qmail@mail.securityfocus.com>
From: Christian decoder Holler <christian_holler@web.de>
To: bugtraq@securityfocus.com
In-Reply-To: <20020510184415.6881.qmail@mail.securityfocus.com>

Only as an addition:

Tiny personal firewall for example allows ANY communication
on port 53 UDP outbound, it does not even check if that is
really a DNS request. This is a big security hole that
should be fixed immediately.

Note: I also saw that some default settings of ZoneAlarm
have DNS requests enabled or they enable them while using
ZA. I have not tested my trojan with ZA yet, so I don't know
if ZA checks if those requests are valid DNS requests, but
there is a possibility that the hole also affects this
firewall. If anyone finds out if other firewalls are
vulnerable, I would be happy to hear about that.

To test that, simply write a program that connects to
another computer in your network on UDP 53 where you listen
with netcat for example and send a string. If the firewall
doesn't alert this connection, then it is vulnerable.

cu
Chris (decoder)
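
Added example, not part of the original post and not code from any firewall product: a Python check of the kind the post says is missing, accepting a UDP 53 payload only if it parses as a single well-formed DNS query. The function names and sample payloads are constructed for illustration, and the strictness choices (one question, class IN or ANY, at most one EDNS0 OPT record, 512-byte limit) are assumptions.

```python
import struct

def parse_qname(buf: bytes, off: int) -> int:
    """Walk uncompressed QNAME labels; return the offset after the root label, or -1."""
    total = 0
    while off < len(buf):
        n = buf[off]
        off += 1
        if n == 0:
            return off
        if n > 63:  # pointer/reserved bits: nothing earlier in a query to point to
            return -1
        total += n + 1
        if total > 254 or off + n > len(buf):
            return -1
        off += n
    return -1

def is_plausible_dns_query(payload: bytes) -> bool:
    """True only if payload is one well-formed standard query with no trailing bytes."""
    if not 12 <= len(payload) <= 512:  # 12-byte header; classic RFC 1035 UDP limit
        return False
    _id, flags, qd, an, ns, ar = struct.unpack("!6H", payload[:12])
    if flags & 0x8000 or (flags >> 11) & 0xF:  # require QR=0 and opcode QUERY
        return False
    if qd != 1 or an or ns or ar > 1:
        return False
    off = parse_qname(payload, 12)
    if off < 0 or off + 4 > len(payload):
        return False
    _qtype, qclass = struct.unpack("!2H", payload[off:off + 4])
    off += 4
    if qclass not in (1, 255):  # IN or ANY
        return False
    if ar == 1:  # the only additional record accepted is an EDNS0 OPT (type 41)
        if off + 11 > len(payload) or payload[off] != 0:
            return False
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", payload[off + 1:off + 11])
        if rtype != 41:
            return False
        off += 11 + rdlen
    return off == len(payload)

def build_query(name: str, qtype: int = 1) -> bytes:
    """Constructed sample: a standard recursive query for name (QTYPE A by default)."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split(".")) + b"\x00"
    return struct.pack("!6H", 0x1234, 0x0100, 1, 0, 0, 0) + qname + struct.pack("!2H", qtype, 1)

RAW_STRING = b"test string sent to UDP 53"  # constructed non-DNS payload
```

Syntax validation alone is a coarse gate; pairing it with a rule that allows outbound UDP 53 only to the configured resolvers tightens the default further.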