Slashdot Mirror


New Windows Attack Can Disable Firewall

BobB writes to tell us NetworkWorld is reporting that new code released on Sunday could allow a fully patched Windows XP PC's personal firewall to be disabled via a malicious data packet. The exploit depends on the use of Microsoft's Internet Connection Service. From the article: "The attacker could send a malicious data packet to another PC using ICS that would cause the service to terminate. Because this service is connected to the Windows firewall, this packet would also cause the firewall to stop working, said Tyler Reguly, a research engineer at nCircle Network Security Inc."

26 of 273 comments

  1. Not that big a deal, but still. by Grendel Drago · · Score: 5, Insightful

    Sure, it requires that you be on the internal LAN already, and that you be running ICS, and who runs ICS anyway? But what kind of shit design is this that lets you take down the firewall if you piss off the IP-masquerading software? Did someone cut their fuzz-testing budget? What's their excuse for having this kind of vulnerability?

    --
    Laws do not persuade just because they threaten. --Seneca
  2. What can you trust? by RLiegh · · Score: 3, Insightful

    If the graphics applications you use require Windows, and all of the major firewall vendors are bloated (Symantec), worthless (Kerio) or both (McAfee), then what can you do?

    1. Re:What can you trust? by oGMo · · Score: 4, Insightful

      A few things:

      • Keep all your broken (Windows) boxes in a heavily-firewalled subnet (and make sure the firewall is something secure, i.e., not Windows)
      • Don't put the broken box on the network at all
      • Run your app in a VM
      • Find a new app
      --
      Don't think of it as a flame---it's more like an argument that does 3d6 fire damage

    2. Re:What can you trust? by orpheus_okt · · Score: 3, Interesting
      worthless (Kerio)

      Uh... Is there something I missed in the last weeks/months? No, I'm not implying that I heard exactly the opposite, but it sounds like there are serious security holes in the old Kerio firewall, although I was always convinced it's still one of the better free ones out there. And I really must have missed the news then...

      Up to now, I was sticking to Kerio on Windows. Especially because of its rather powerful options to filter single applications, addresses, ports and plenty of other manually configurable stuff instead of a placebo firewall which provides a "Yes, I'll save you from all Evil"- and a "Take care of yourself"-Button (at maximum with a Beginner-Amateur-BetterAmateur switch). Those are worthless.

      Come on, tell me people! Why is Kerio considered bad these days?
      --
      Axes high!
    3. Re:What can you trust? by gbobeck · · Score: 4, Funny
      You use an IPS/IDS appliance that goes up to level 7.

      For extra effectiveness, make sure your level 7 IPS/IDS appliance is armed with nothing less than a +3 Sword of Packet Smiting.
      --
      Navicula hydraulica plena anguilarum est. Omnes castelli tuus nostri sunt. Ed elli avea del cul fatto trombetta.
    4. Re:What can you trust? by pedestrian crossing · · Score: 5, Funny

      You use an IPS/IDS appliance that goes up to level 7.

      Mine goes up to 11.

      --
      A house divided against itself cannot stand.
  3. Please explain to me... by Anonymous Coward · · Score: 2, Funny

    What were those engineers thinking? A data packet, the thing a firewall is filtering to some point, can disable the firewall? Who thought it would be a nice feature to have that?

    "We need a firewall of our own!"
    "Why?"
    "To keep our monopoly; those firewall and antivirus companies are making money that should be in our pockets."
    "But antitrust..?"
    "We say it's because we want to have a secure system, as it should've been in the first place. Those companies have no case! >:D"
    "But even we cannot access their systems anymore without logging our activity on our massive 'slave-farm'."
    "We'll add a backdoor, so we can remotely disable it. No one will ever find it >:)"
    "Excellent..."
  4. Not as bad as it sounds by DavidD_CA · · Score: 5, Informative

    So for this attack to work, according to the article...

    1) The attacker has to be on the LAN already, or executing code from a PC on the LAN

    2) The LAN has to be connected to the internet through a PC using ICS, and

    3) There can be no external firewall device such as a router sitting between the LAN and the internet

    While this is certainly a valid attack... so are a lot of other attacks once you're already in the LAN. This one just happens to nuke a software-based firewall from the inside. Big deal.

    --
    -David
  5. Internet Connection Service? by Red_Deth · · Score: 2, Informative
    The exploit depends on the use of Microsoft's Internet Connection Service.
    Is ICS not Internet Connection Sharing?
  6. Microsoft change the definitions to suit by Centurix · · Score: 3, Funny

    When they advertise that XP installations come with a firewall, they in fact mean that XP installations come installed with a wall of fire. The EULA clearly states that, somewhere near the bottom next to the pictures of cats and the sudoku puzzles, because no-one ever reads that far...

    --
    Task Mangler
  7. MS Cluster Service = ICS by terminal.dk · · Score: 2

    Please see here:
    http://isc.sans.org/diary.php?storyid=1809

    MS Cluster Service will not work without ICS running; it is used for internal NAT handling.

    So the problem is much more widespread than small LANs using ICS.

  8. Re:How do you know you've never gotten a virus? by jimicus · · Score: 2, Informative

    In theory, yes. But you'd need to reboot the OS into some kind of diagnostics otherwise you're asking the OS to attest to itself - and if it's been trojaned, you can't trust the OS because the first thing any sensible trojan will do is cover its own tracks.

    In practice, if you want a 100% guarantee that any malware has been eradicated, the only solution is a rebuild.

  9. Re:Obvious by ajs318 · · Score: 2, Interesting

    You've most probably been buying crap routers. D-Link, Belkin, Linksys, Netgear - for chuff's sake, they might as well be branded "Barbie (or Action Man) My First Router". Treat yourself to a nice ZyXEL router, and you might forget you even have a router in your network.

    --
    Je fume. Tu fumes. Nous fûmes!
  10. Re:Is Telstra not one of the biggest? by Mike89 · · Score: 2, Funny

    Why did that annoy you?

  11. Why Does Windows Get All the Press? by RAMMS+EIN · · Score: 3, Funny

    Why does Windows get all the press? It's not fair! I want to see some coverage of stupid holes in Linux and the free BSDs!

    --
    Please correct me if I got my facts wrong.
  12. Re:Obvious by toadlife · · Score: 2, Informative

    Yep.

    My old gateway with two 3com 3c905 and FreeBSD laughs at the measly bit torrent connections I throw at it. Before I set that up a few years ago, I had similar experiences with consumer grade networking gear.

    --
    I don't always use unix-like operating systems; but when I do, I prefer FreeBSD.
  13. Re:Obvious by Anonymous Coward · · Score: 2, Interesting

    What makes you believe that a (home) router, which is a small microcontroller with some dedicated firmware running on it, will outperform a modern PC that has 10-20 times more CPU power available?

  14. Re:Obvious by Propaganda13 · · Score: 2, Insightful

    Actually, he's probably partly referring to the routers flooding their wireless connection, which happens with ZyXEL routers too.
    http://www.tomsnetworking.com/lans_routers/charts/index.html?chart=124
    You set up a p2p app like BitTorrent that is willing to use a lot of simultaneous connections, and it floods your router and your connection drops.
    Of course, it does sound like a lot of routers (one a month?) to go through, so if he's returning a lot of dead routers, a power problem in the home is possible.

  15. outside! by leuk_he · · Score: 2

    According to this SANS article, the DoS attack comes from outside.

    If I understand it, it is with a corrupted DNS reply packet.

  16. Re:Is Telstra not one of the biggest? by Linker3000 · · Score: 3, Funny

    Eliza? That you?

    --
    AT&ROFLMAO
  17. Suddenly no one is using wireless? by db32 · · Score: 2, Insightful

    So I see dozens of comments about "It's no big deal, you have to be on the LAN". Am I the only one that hasn't forgotten how common wireless networks are and how trivial it is to gain access to most of them?

    --
    The only change I can believe in is what I find in my couch cushions.
  18. OT by hummassa · · Score: 2, Funny
    Eliza? That you?
    Do you want to talk about Eliza?
    --
    It's better to be the foot on the boot than the face on the pavement. ~~ tkx Kadin2048
  19. WRT54GL by coder111 · · Score: 2, Informative

    I have a Linksys WRT54GL router (http://en.wikipedia.org/wiki/WRT54GL). It uplinks via a 36-54 Mbit (depending on conditions) wireless connection, and acts as a router for a network of ~10 computers with quite heavy p2p traffic. It is stable and rarely slows down. Of course, I run a custom Linux firmware on top of it (HyperWRT Thibor; the original firmware sucks quite badly).

    Oh, and it cost me ~70 USD.

    --Coder

  20. Re:Obvious by KDR_11k · · Score: 2, Informative

    Because you can't meaningfully implement NAT on a single-machine "network"?

    --
    Justice is the sheep getting arrested while an impartial judge declares the vote void.
  21. Re:Obvious by ajs318 · · Score: 2, Interesting

    The smaller ZyXEL routers use a traditional transformer power pack with 12V AC output. Judging by the temperature rise, the on-board regulator is most probably a switched-mode type. I'd guess this would be quite tolerant of power surges, just with the presence of a mains transformer (hefty inductance; doesn't like rapidly-changing current). The "surge suppressor coils" found in cheap, switched-mode power packs are laughable. A well-designed power supply should fail safely and protect the connected equipment, but cheap ones often aren't well-designed.

    As for the wireless stuff, well, that's too bad. But your computer already needs one connection to the wall to get its power. Will one more for data kill you?

    --
    Je fume. Tu fumes. Nous fûmes!
  22. Re:Obvious by Tim C · · Score: 2, Insightful

    As for the wireless stuff, well, that's too bad. But your computer already needs one connection to the wall to get its power. Will one more for data kill you?

    No, but my girlfriend nearly did when I started laying bright yellow cat5 cable in the house...