Windows XP SP2 Firewall: a great (un)security tool by Microsoft

Posted May 27, 2005 in Uncategorized | 2 Comments

With Service Pack 2 for Windows XP, Microsoft decided it was a good idea to ship a firewall with the operating system.
At first sight it looks like a quiet, trustworthy tool that protects our privacy, with a friendly graphical interface that lists every program allowed through it:

[image: saver_firewall02.gif, the firewall's list of allowed programs]

After a closer look...

The firewall keeps a list of programs that are allowed to access the network.
Now you're probably thinking: "nothing new, every other firewall has one!"

True... true... but...
when it comes to reading and editing that list while bypassing the graphical interface and the ordinary
procedure, the Windows XP firewall is even better!

If the machine is not joined to a domain, simply run the registry editor (regedit.exe) and go to the key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List

or, equivalently,

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\
Parameters\FirewallPolicy\StandardProfile\
AuthorizedApplications\List

(CurrentControlSet is only a link to whichever ControlSet00N the system booted with, as recorded under HKEY_LOCAL_MACHINE\SYSTEM\Select. On most machines that is ControlSet001, so the two paths usually name the same key; when they do not, only the CurrentControlSet path affects the running system.)

There we find the list of allowed programs, one string value per program, in this format:

VALUE NAME : C:\Full\Path\s4ver.exe
VALUE TYPE : REG_SZ
VALUE DATA : C:\Full\Path\s4ver.exe:*:Enabled:S4verHacked

The data is four colon-separated fields: the full path again, the scope (* for any address, or LocalSubNet for the local subnet only), Enabled or Disabled, and the name the GUI displays for the entry.

Allowing a new program to access the network is easier done than said.

For example, to add telnet.exe (full path c:\windows\system32\telnet.exe) to the list of authorized programs, create a new string value in one of the two keys shown above (normally it makes no difference which) with these settings:

Value Name: c:\windows\system32\telnet.exe
Value Data: c:\windows\system32\telnet.exe:*:Enabled:TelnetAuthorizedByUncleBill

Done?
GREAT!
Now open the firewall GUI and you will see something like this:

[image: saver_firewall01.gif, telnet.exe now listed as an allowed program]

:)
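The value format and the hand-made telnet entry above are easy to automate, and just as easy to audit. The following Python is an added example, not the post's code and not the C++ tool it links to: it builds the same value name/value data pair the post creates in regedit, writes it as a .reg file that regedit or `reg import` would apply, parses a `reg export` of the List key back into entries, and diffs the list against a known-good export so that an entry somebody slipped in behind the GUI's back shows up. The two sample exports are constructed for the example, the helper names are mine, and the script works on text only; reading the live key needs to run on the XP box itself.

```python
r"""Windows XP SP2 firewall AuthorizedApplications list: build, parse and audit entries offline.

Each allowed program is one REG_SZ value under
  HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\<Profile>\AuthorizedApplications\List
  value name : <full path>
  value data : <full path>:<scope>:<Enabled|Disabled>:<display name>
with <scope> either '*' (any address) or 'LocalSubNet'.
"""
import re
from dataclasses import dataclass

LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
            r"\Parameters\FirewallPolicy\{profile}\AuthorizedApplications\List")
PROFILES = ("StandardProfile", "DomainProfile")

# The path may begin with a drive letter, so its first ':' is not a field separator.
_DATA_RE = re.compile(r"^(?P<path>(?:[A-Za-z]:)?[^:]*):(?P<scope>[^:]*)"
                      r":(?P<state>[Ee]nabled|[Dd]isabled):(?P<name>.*)$")
# One '"name"="data"' line of a .reg export; backslashes and quotes inside are escaped with '\'.
_LINE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')


@dataclass(frozen=True)
class AuthorizedApp:
    path: str
    scope: str
    enabled: bool
    name: str


def parse_value_data(data):
    m = _DATA_RE.match(data)
    if not m:
        raise ValueError("not an AuthorizedApplications value: %r" % data)
    return AuthorizedApp(m["path"], m["scope"], m["state"].lower() == "enabled", m["name"])


def build_entry(path, name, scope="*", enabled=True):
    """The (value name, value data) pair the post creates by hand in regedit."""
    if scope not in ("*", "LocalSubNet"):
        raise ValueError("scope must be '*' or 'LocalSubNet'")
    return path, "%s:%s:%s:%s" % (path, scope, "Enabled" if enabled else "Disabled", name)


def _reg_escape(s):
    return s.replace("\\", "\\\\").replace('"', '\\"')


def _reg_unescape(s):
    return re.sub(r"\\(.)", r"\1", s)


def to_reg_file(profile, pairs):
    """Render (value name, value data) pairs as a .reg file for regedit or 'reg import'."""
    lines = ["Windows Registry Editor Version 5.00", "", "[%s]" % LIST_KEY.format(profile=profile)]
    lines += ['"%s"="%s"' % (_reg_escape(n), _reg_escape(d)) for n, d in pairs]
    return "\r\n".join(lines) + "\r\n"


def parse_reg_export(text):
    """Parse a 'reg export' of the FirewallPolicy key (open real files with encoding='utf-16')
    into {profile: {value name: AuthorizedApp}}. Keys other than the two List keys are ignored."""
    result, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            current = None
            for p in PROFILES:
                if key == LIST_KEY.format(profile=p).lower():
                    current = result.setdefault(p, {})
        elif current is not None:
            m = _LINE_RE.match(line)
            if m:
                current[_reg_unescape(m.group(1))] = parse_value_data(_reg_unescape(m.group(2)))
    return result


def audit(current, baseline):
    """Findings: entries added or changed since a known-good export, and entries whose value name
    disagrees with the path inside the data (the GUI always writes the two identically)."""
    findings = []
    for profile, apps in current.items():
        known = {k.lower(): v for k, v in baseline.get(profile, {}).items()}
        for vname, app in apps.items():
            if vname.lower() != app.path.lower():
                findings.append((profile, vname, "value name does not match path in value data"))
            prior = known.get(vname.lower())
            if prior is None:
                findings.append((profile, vname, "not in baseline"))
            elif prior != app:
                findings.append((profile, vname, "changed since baseline"))
    return findings


# Constructed sample exports (not data from a real machine): a baseline, then the same box after
# someone added the post's telnet entry by hand plus a value whose name and data point at different files.
BASELINE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""
CURRENT_EXPORT = BASELINE_EXPORT + r"""
"c:\\windows\\system32\\telnet.exe"="c:\\windows\\system32\\telnet.exe:*:Enabled:TelnetAuthorizedByUncleBill"
"C:\\WINDOWS\\system32\\svchost.exe"="C:\\Temp\\update.exe:*:Enabled:Windows Update"
"""

if __name__ == "__main__":
    print(to_reg_file("StandardProfile",
                      [build_entry(r"c:\windows\system32\telnet.exe", "TelnetAuthorizedByUncleBill")]))
    for finding in audit(parse_reg_export(CURRENT_EXPORT), parse_reg_export(BASELINE_EXPORT)):
        print("%s: %s: %s" % finding)
```

Export the live list with `reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy" fw.reg` on a clean machine, keep that file as the baseline, and feed later exports to `audit`; a second export taken from the DomainProfile key is handled by the same parser.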

If the machine is joined to a domain, there is a second list, which the firewall uses while the computer is connected to its domain network, under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\
Parameters\FirewallPolicy\DomainProfile\
AuthorizedApplications\List

and

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\
Parameters\FirewallPolicy\DomainProfile\
AuthorizedApplications\List

and now… HAVE FUN!

by s4ver

PS: a C++ console program that automates the FwBypass procedure on a machine with no domain configured is available at:

http://shinji.homeunix.com/~coding/


2 Comments

  1. Purplet
    May 29, 2005

    Actually this is not a security issue.

    In fact, for the exploit to work, the attacker's code should run with an administrator account. If the attacker's code can run with administrator privileges, the machine is compromised, whatever firewall you've installed, whatever antivirus you are using, whatever anything.

    A program running with those privileges could do anything, including replacing the TCP/IP stack with its own implementation [thus bypassing the firewall entirely].

    Really the exposed firewall rules are the least of your problems.

    Note : the same applies for any other OS. How can you trust your ipchains rules after you’ve run an attacker’s program under the root account ?

  2. saver
    May 31, 2005

    Hi, Purplet.
    You’re right, but I want to make clear that my intention was to talk about the new Windows firewall,
    not about how to get full access as a restricted user (in the future, probably…).

    I agree with you that the firewall is the last of my problems but, on a Windows OS, which one is the first?

    Besides, WinXp is mainly installed on home computers and offices’ LANs.
    In the first case it’s (more than) rare to find a restricted user account.
    In the second one, instead, I suppose the firewall is off.
