XPSP2 has a software firewall which like any other firewall has a list of exceptions, being that it is host based these exceptions are process based. Having an exceptions list is not a backdoor. There's no vulnerability or backdoor here, just intended functionality. You can't add keys to this registry location remotely without first compromising the machine and gaining Administrator privileges or convincing the user to infect themselves while they are Administrator. If you can get malicious code to run on a machine with Administrator privileges then naturally you can disable the XPSP2 firewall - just like you can disable, cripple or just plain out uninstall Norton, TrendMicro, ZoneAlarm, Qwik-Fix, CSA, Entercept or any other application that is running on the same host. If you attended the Blackhat 2004 Briefings in Las Vegas you will remember that Eugene Tsyrklevich had a presentation called "Attacking Host Intrusion Prevention Systems" in which he demonstrated on-stage how to completely circumvent McAfee Entercept, a behavioral host based protection product which tries to limit the actions of malicious code once it is already running on the machine. It will always be an uphill battle when you try to cleanup or protect post-compromise; the only sane thing is to try and prevent the compromise from happening in the first place. I don't like to quote Microsoft but they deserve kudos when they are right: http://www.microsoft.com/technet/archive/community/columns/security/essa ys/10imlaws.mspx 10 Immutable Laws of Security Law #1: If a bad guy can persuade you to run his program on your computer, it's not your computer anymore Regards Thor Larholm Senior Security Researcher PivX Solutions 23 Corporate Plaza #280 Newport Beach, CA 92660 http://www.pivx.com thor@xxxxxxxx Stock symbol: (PIVX.OB) Phone: +1 (949) 231-8496 PGP: 0x4207AEE9 B5AB D1A4 D4FD 5731 89D6 20CD 5BDB 3D99 4207 AEE9 PivX defines a new genre in Desktop Security: Proactive Threat Mitigation. <http://www.pivx.com/qwikfix> -----Original Message----- From: Jay Calvert [mailto:jcalvert@xxxxxxxxxxxxxxxxxxxx] Sent: Saturday, February 19, 2005 9:53 PM To: bugtraq@xxxxxxxxxxxxxxxxx Subject: Windows Firewall Has A Backdoor By adding a new key to the registry in HKEY_LOCAL_MACHINE/SYSTEM/Services/SharedAccess/Parameters/FirewallPolic y/StandardProfile/AuthorizedApplications/List you can circumvent the whole purpose of the firewall with out the users interaction or knowledge. Spyware / Adware manufacturer's are already do this. More information and a little rant at: http://habaneronetworks.com/viewArticle.php?ID=144 -- Jay Calvert HabaneroNetworks.com
