RE: Bug in Norton FireWall 2003

> I suppose a simple defense for "personal firewall" vendors against this sort

Hello,

This simple defense may not be enough, as there are ways to find out the names of all "child" windows belonging to specific process.

Regards,
Andrzej

                                                                
 Internet Mail Message                                          
 Received from host:      [205.206.231.26]                      
                                                                


From: Michael Wojcik  on 08/11/2003 07:24 PM GMT
                                                                                      
                  Michael Wojcik           To:   vuln-dev@securityfocus.com           
            Cc:    (bcc: Andrzej Nowak-A/PGI)          
                                   Subject:      RE: Bug in Norton FireWall 2003      
                                                                                      
             08/11/2003 03:24 PM                                                      
                                                                                      
                                                                                      

> From: Boy Bear [mailto:eyal067@walla.co.il]

Ah, machine translation.

A cursory glance through the VB source [see original message] suggests that the proposed exploit is to have a trojan recognize the firewall pop-up asking if the trojan should be permitted network access, and spoofing the user input to grant it. Simple enough.

Do you need help?

In addition to our free technical library, Pantek provides professional IT services to companies who utilize Open Source software: Learn more about Pantek's Technical Support offerings Place an order for 24/7/365 Technical Support here Learn more about Pantek, who we are, and what we do Chat with a Live Operator Related securityfocus.com Links bugtraq certification focus-bsd focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics incidents libnet linux-secnews ms-secnews pen-test secpapers secprog sectools secureshell security-basics securityjobs sf-news vuln-dev webappsec Request more information about Pantek

There appears to be a bug in the included source:

> Private Sub wHideShow(HideShow As Boolean)

Presumably one of "SW_SHOW" should be "SW_HIDE". Since wHideShow is never used by the program, and "HideShow" is not exactly a meaningful parameter name, it's hard to guess which. Then again, since wHideShow is never used, it doesn't really matter.

I suppose a simple defense for "personal firewall" vendors against this sort of thing would be to use hard-to-guess window titles for their popups...

--
Michael Wojcik
Principal Software Systems Developer, Micro Focus