
6 Dec 2001 17:26:58

According to eEye, anything 'outside the normal loop' can defeat ZoneAlarm.

     From: Ryan Permeh
       To: Tom Liston
  Subject: Re: Flawed outbound packet filtering in various personal firewalls
Date sent: Thu, 6 Dec 2001 17:26:58

This is likely also vulnerable (I haven't tested, so I can't say for positive) in WinNT versions. This is a design-time decision on what types of technologies they use in their products, and what type of driver you yourself are implementing. Kernel subversion attacks like this can easily bypass any in-place 'filter', either by filtering before, or, like in your case, appearing 'outside the normal loop'.

Using a newer technique called NDIS hooking, or pseudo intermediate mode, an attacker that could load a driver (like your packet driver) could easily just 'hide' itself in there, regardless of the in-place kernel protections like ZA or Tiny.

www.rootkit.com is a project that is designed to demonstrate some of the techniques that you talk about, but in an NT environment. They use a sniffer/injector driver to communicate without touching the regular IP stack, using a completely 'phantom' one. Kind of a neat idea that goes along with the problems you are seeing. I mean, even if a firewall knew to stop packets coming to your IP, it probably doesn't have any clue about stopping packets destined for a 'phantom' IP.

Just thought you would like to know some more about some of these techniques. Also, how are your LaBrea porting efforts? Are you using the WinPcap driver, or did you choose to start on your own? Either way, good luck, and keep up the research!

Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities
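The practical consequence of the mail's point about a 'phantom' stack is that a host firewall's own log cannot be trusted as the complete record of what left the machine; the defender's check is to compare it against an independent view from the wire. The following is an added example, not code from the mail or from eEye: it cross-checks a constructed host-firewall log against constructed records from a network tap and reports flows the host never saw, separating those sent from the host's real address from those sent from an address the host was never configured with. The log formats, addresses and the assumption that the tap covers only this host's switch port are all hypothetical.

```python
"""Cross-check host-firewall logs against a network tap to find traffic the
host never saw. Added example, not from the original mail: all log formats,
addresses and records here are constructed for illustration."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Constructed host-firewall log: what the filter in the 'normal loop' saw.
HOST_LOG = """\
2001-12-06 17:20:01 ALLOW 192.0.2.10 -> 198.51.100.5:80
2001-12-06 17:20:03 BLOCK 192.0.2.10 -> 198.51.100.7:6667
"""

# Constructed tap records (src dst dport) from a span of this host's port only;
# with a shared segment, other hosts' traffic would also appear as 'phantom'.
TAP_LOG = """\
192.0.2.10 198.51.100.5 80
192.0.2.10 198.51.100.9 31337
192.0.2.77 198.51.100.9 31337
"""

HOST_ADDRESSES = {"192.0.2.10"}  # addresses actually configured on the host


def parse_host_log(text):
    """Parse 'date time ACTION src -> dst:port' lines into Flow records."""
    flows = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 6:
            continue  # ignore lines that do not match the expected shape
        dst, port = parts[5].rsplit(":", 1)
        flows.add(Flow(parts[3], dst, int(port)))
    return flows


def parse_tap_log(text):
    """Parse 'src dst dport' tap records into Flow records."""
    return {Flow(s, d, int(p)) for s, d, p in
            (line.split() for line in text.splitlines() if line.strip())}


def find_unseen_flows(host_text, tap_text, host_addresses):
    """Return (hidden, phantom): hidden = flows from a real host address the
    host filter never logged; phantom = flows from an address not configured
    on the host, i.e. traffic that bypassed the regular IP stack entirely."""
    unseen = parse_tap_log(tap_text) - parse_host_log(host_text)
    hidden = {f for f in unseen if f.src in host_addresses}
    phantom = {f for f in unseen if f.src not in host_addresses}
    return hidden, phantom
```

A blocked flow counts as 'seen' here because the firewall did log it; the finding is any wire flow with no host-side entry at all.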


Copyright © Radsoft. All rights reserved.