Re: Bypassing Personal Firewalls

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

Hi xenophi1e,


Here's a code snippet that injects code directly into a running process
without the need for a DLL etc. I believe that it demonstrates that
process boundaries under NT mean very little within the context of a
given UID.
While I can see your point here, from the OS's perspective a user doesn't need to be protected from themselves.

Having attempted to discuss this with PFW vendors, it doesn't appear to
be much of a concern to them; after almost two business weeks, Symantec
is the only company to have responded with any concern. To be fair, this
isn't remotely exploitable, and is fundamentally an issue with how OSs
are designed, not how PFWs work (although one might wonder if some of the
claims made by PFW vendors are really ethical).
I'm not convinced that it is an 'issue' at all, the OS goes to great lengths to restrict the ability of one user to hurt another.

I think it illustrates
that OpenProcess, ptrace, and the like should really enforce filesystem
priviledges on the processes they can modify. I think that this is
something that needs to be done proactively.
I don't really understand what you mean by enforce filesystem privileges?

Personal Firewalls exist to try and enforce order upon chaos, I can't see any reason why they couldn't disable OpenProcess for any user other than users with the SeDebug privilege (though this will stop some non-malicious applications from functioning).

The implication of allowing processes to modify each other this way is
that PFWs can not be easily made secure, but also that malicious code has
nice support from windows for doing some very bad things. For instance it
would be a simple addition to intercept syscalls made by any process into
which code can be injected, and in so doing hide the presence of
malicious activity from all local processes a user runs.
Why do you believe that the responsibility of protecting users from themselves should be bourne by the operating system? People who are using Personal Firewall systems may indeed want to be protected in this fashion but I suspect that for most people this is a non issue.

When all is said and done, if malicious code can run under your user ID then everything you do is compromised, I can't see much point in giving ourselves a false sense of security.

Cheers,
Shaun
[Index of Archives]     [Linux Security]     [Netfilter]     [PHP]     [Yosemite News]     [Linux Kernel]

  Powered by Linux