[28996] in bugtraq
Re: Bypassing Personal Firewalls
daemon@ATHENA.MIT.EDU (Shaun Clowes)
Sun Feb 23 13:11:53 2003
Message-Id: <5.2.0.9.0.20030222125953.00acd338@mail.securereality.com.au>
Date: Sat, 22 Feb 2003 13:14:04 +1100
To: xenophi1e <oliver.lavery@sympatico.ca>, bugtraq@securityfocus.com
From: Shaun Clowes <shaun@securereality.com.au>
In-Reply-To: <20030221213402.9932.qmail@www.securityfocus.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; format=flowed
Hi xenophi1e,
>Here's a code snippet that injects code directly into a running process
>without the need for a DLL etc. I believe that it demonstrates that
>process boundaries under NT mean very little within the context of a
>given UID.
While I can see your point here, from the OS's perspective a user doesn't
need to be protected from themselves.
>Having attempted to discuss this with PFW vendors, it doesn't appear to
>be much of a concern to them; after almost two business weeks, Symantec
>is the only company to have responded with any concern. To be fair, this
>isn't remotely exploitable, and is fundamentally an issue with how OSs
>are designed, not how PFWs work (although one might wonder if some of the
>claims made by PFW vendors are really ethical).
I'm not convinced that it is an 'issue' at all, the OS goes to great
lengths to restrict the ability of one user to hurt another.
>I think it illustrates
>that OpenProcess, ptrace, and the like should really enforce filesystem
>priviledges on the processes they can modify. I think that this is
>something that needs to be done proactively.
I don't really understand what you mean by enforce filesystem privileges?
Personal Firewalls exist to try and enforce order upon chaos, I can't see
any reason why they couldn't disable OpenProcess for any user other than
users with the SeDebug privilege (though this will stop some non-malicious
applications from functioning).
>The implication of allowing processes to modify each other this way is
>that PFWs can not be easily made secure, but also that malicious code has
>nice support from windows for doing some very bad things. For instance it
>would be a simple addition to intercept syscalls made by any process into
>which code can be injected, and in so doing hide the presence of
>malicious activity from all local processes a user runs.
Why do you believe that the responsibility of protecting users from
themselves should be bourne by the operating system? People who are using
Personal Firewall systems may indeed want to be protected in this fashion
but I suspect that for most people this is a non issue.
When all is said and done, if malicious code can run under your user ID
then everything you do is compromised, I can't see much point in giving
ourselves a false sense of security.
Cheers,
Shaun
