 jvmorrisI Am The Man Who Was Not There.Premium,MVM
join:2001-04-03
Reston, VA | reply to Steve
Re: Analysis of Backstealth technology said by Steve:
said by KING:
I wonder what the author of Backstealth has to say now about leaving ZA and ZAP out?
Nothing sinister or foolish about it: because BackStealth wouldn't work on ZoneAlarm. The fact that ZA prompted for internet access meant that the whole concept - stealth - didn't apply.
The idea of proof-of-concept is to prove your concept, and it didn't with ZA.
Steve,
It appears (based on GT7697's reported results to date) that it doesn't work with NIS either -- as long as NIS is run in High Security mode and without Automatic Firewall Rule Creation persistently enabled. Inasmuch as about two dozen of us have been advising people to make these configuration changes for almost two years now, what we are really talking about may well be little more than the issue of the most appropriate way to configure some of these PSFs. (And there are currently something on the order of thirty basic configuration variables in NIS/NPF.)
Unfortunately, the distinction between what happens in NIS/NPF and TPF/KPF probably needs a bit of elaboration, also.
First, NIS/NPF (and Atguard, I believe) do NOT have an embedded function to authenticate the application itself or to check for updates; they use external programs (which do require PERMIT privileges). It appears that many of the other PSFs have authentication/update as built-in components of the basic application.
Second, if NIS/NPF is run in Medium Security settings or with Automatic Firewall Rule Creation enabled, it will succumb to the BackStealth demonstration software. That's because NIS/NPF does not consider itself as a 'hostile' or 'unknown' application. (Surprise, surprise!). Consequently, any 'requested' communication will be allowed. Solution is simple: Run in High Security mode and disable Automatic Firewall Rule Creation after your basic Internet-enabled applications have been registered (which can be done during Install).
Third, the basic NIS/NPF/AG applications require no known internet access capability whatsoever. Consequently, if you see the pop-up (referenced above with respect to ZA/ZAP), you should DENY/BLOCK the access. (And start looking real fast for what precipitated it.)
But, I have to caveat the above statement in order to be responsible. There are some indications that NIS/NPF also may have undocumented vendor-defined PERMIT rules for the firewall application itself that effectively bypass the basic firewall safeguards (such as gwion found in TPF/KPF). (This comment is based on a much earlier posting by GT7697, who found that when running both NIS and Sygate concurrently, both had to be allowed Internet Access by the other.)
I have a message for all of the various PSF vendors: We don't want no steenkin' undocumented, vendor-defined rules that allow your product to bypass the basic firewall safeguards. If you've got 'em in your products, get 'em out! NOW.
--
Regards, Joseph V. Morris |
|
 SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | reply to Steve
I've had a couple of private queries that made clear that the exact method of "DLL Injection" is not so clear to everybody. I'd like to expand on this a bit.
First, this is not about infecting an executable file (the .EXE itself), though viruses clearly do this. The technique we're using never touches any program on disk - the firewall or otherwise - and only operates on in-memory objects.
Each window in the system has a title (for instance, "MSDN Library - January 2002 - Open Process" is the title of the Win32 API help browser I have open now. The firewall windows have a name too ("ZoneAlarm Pro", etc.).
Any program can ask the operating system: "do you know of any windows with name XYZ?", and receive a handle to the process that has that window. This handle lets us investigate and sometimes manipulate the process, but (again) has nothing to do with anything on disk.
The next step is to allocate memory in the remote process, and if you've not done it before, it seems bizarre. Normally when you allocate memory, it's in your own process space for your own use, but Win32 allows us to do it remotely. So the firewall process has a bit of extra memory just "show up", and it has no idea this has happened.
Because we can read and write memory in the remote firewall process, we fill up this new chunk of memory with some evil data and some evil code. We're about to light the fuse, and the firewall still has no idea this is going on right under its nose.
Finally the bomb goes off: we do CreateRemoteThread() that actually runs the code in that remote memory space - inside the firewall. This is a functionality normally reserved for debuggers, but even after studying it a lot for a few days it still seems far out.
But it works, and our evil code starts executing inside the firewall, and the firewall has no idea that it has any company. Our evil code is part of the firewall, and we can do pretty much anything we like. By default, this thread won't hurt any part of the rest of the firewall, so if we're careful we can remain undetected and won't mess the program up.
The current BackStealth doesn't touch the firewall code itself: it just uses it as a convenient parking space to do its work. But once we're running around inside the firewall, it's very hard for it to protect itself.
Now Sygate has (somehow) managed to prevent the bomb from going off by (somehow) causing the evil CreateRemoteThread to fail. I'm working on ways to circumvent this, but in any case they've forestalled most of this for now.
The technology to do DLL injection has been around for many years, so BackStealth is more of a "clever application of technology" than breakthrough original research. But it's still very clever.
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
pslossPremium
join:2002-02-24
Alpharetta, GA | said by Steve:
Each window in the system has a title (for instance, "MSDN Library - January 2002 - Open Process" is the title of the Win32 API help browser I have open now. The firewall windows have a name too ("ZoneAlarm Pro", etc.).
Any program can ask the operating system: "do you know of any windows with name XYZ?", and receive a handle to the process that has that window. This handle lets us investigate and sometimes manipulate the process, but (again) has nothing to do with anything on disk.
It should also be possible to do this to processes that don't create windows, such as services. As has been stated more than once, if you can create a remote thread in a process with Admin rights, there's more complicated "trampolines" that could be built. Or, as has also been discussed, the firewall data structures could be diddled with...
said by Steve:
Now Sygate has (somehow) managed to prevent the bomb from going off by (somehow) causing the evil CreateRemoteThread to fail. I'm working on ways to circumvent this, but in any case they've forestalled most of this for now.
I don't have Sygate, but can you check to see if Sygate has marked the pages in its address space? It should be possible to reserve the pages so that they can't be grabbed from elsewhere -- something like VirtualAllocEx with MEM_RESERVE. One could create a whole bunch of guard pages...one might also be able to use VirtualProtect(Ex) to protect committed pages from being suballocated.
It's definitely interesting...
Thanks again for all your effort,
Philip Sloss |
|
 gt7697cPremium
join:2001-02-16
The Hive | reply to Steve
Steve, has anyone tested BID 3.5 with your modified BackStealth. In the main thread a user reported that BackStealth was shut down completely by BID 3.5, however I don't believe BackStealth was actually targeting BID 3.5.
I apologize if this has already been asked before.
--
Just my 2 bits. |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | reply to psloss
said by psloss:
It should also be possible to do this to processes that don't create windows, such as services.
Oh sure, looking in the "process table" for known system services is doable also: it just turned out that using window titles was the fast and easy way to do it here. Plenty of ways to get handles on "interesting" processes. quote:
I don't have Sygate, but can you check to see if Sygate has marked the pages in its address space?
Yup, that's next. I am able to open a PROCESS_ALL_RIGHTS handle to the Sygate firewall process, and both VirtualAllocEx() and WriteProcessMemory() work just fine: so I'm clearly able to muck with their address space. It's only CreateRemoteThread() that's failing.
I'm writing a program that queries all the modules loaded by the firewall and starts to map out their memory space: "just what have they done"? I have the prior version of the software too, and should be straightforward to "diff" the outputs.
But the VirtualAllocEx() call will certainly find a "hole" in their guarded space - I don't ask for any specific address.
I am still weak with the VM structure, but I figure I can use VirtualQueryEx() to stroll through the remote process's memory and see what's been done to it.
I originally thought they had done something with the process token take away the right to create a thread, but if they knew how to do this, they'd surely have done the same thing to the VirtualAllocEx() and ProcessWriteMemory() calls. Will be interesting to find out...
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | reply to gt7697c
said by gt7697c:
Steve, has anyone tested BID 3.5 with your modified BackStealth.
If they have, I don't know about it. My modified BackStealth tests these firewalls:- ZoneAlarm Pro Personal Firewall
- ZoneAlarm Personal Firewall
- Sygate Personal Firewall
- Sygate Personal Firewall Pro
- McAfee Personal Firewall
- Tiny Personal Firewall
- Norton Internet Security 2002
- Kerio Personal Firewall
Clearly the original didn't do it, and I don't either. I guess I gotta put it on my list.
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
pslossPremium
join:2002-02-24
Alpharetta, GA | reply to Steve
said by Steve:
Yup, that's next. I am able to open a PROCESS_ALL_RIGHTS handle to the Sygate firewall process, and both VirtualAllocEx() and WriteProcessMemory() work just fine: so I'm clearly able to muck with their address space. It's only CreateRemoteThread() that's failing.
What is the failure signature for CreateRemoteThread? I was messing around with your sample code earlier this morning and certain compiler settings caused problems by implicitly linking in calls to code that wasn't there. This is discussed a little here:
»www.mvps.org/win32/processes/remthread.html
If I have time, I'll do a little historical Usenet search; I suspect that these issues have been discussed many times...
said by Steve:
I originally thought they had done something with the process token take away the right to create a thread, but if they knew how to do this, they'd surely have done the same thing to the VirtualAllocEx() and ProcessWriteMemory() calls. Will be interesting to find out...
Are you familiar with SysInternals.com? They have several utilities that enumerate handles, etc. (Process Explorer for example). There may be something there, too...Also, if Sygate, Zone Alarm, etc employ drivers (ZA does), they have the ability at a lower-level to manage their own processes and the kernel/user memory areas.
Philip Sloss |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | said by psloss:
What is the failure signature for CreateRemoteThread?
ERROR_ACCESS_DENIED (err#5). I can't find any reason why this would be denied for an admin with seDebugPrivilege. quote:
Are you familiar with SysInternals.com?
Oh sure, it's wonderful: smartest guys on the internet. But I also need to actually read the process memory, so I'm rolling my own (this is an educational project for me).
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
pslossPremium
join:2002-02-24
Alpharetta, GA | said by Steve:
said by psloss:
What is the failure signature for CreateRemoteThread?
ERROR_ACCESS_DENIED (err#5). I can't find any reason why this would be denied for an admin with seDebugPrivilege.
What NT platform? NT, 2000, or XP? (Sorry if this has been asked already.)
Also, what is the process token for the Sygate process you're trying to get into?
Thanks,
Philip Sloss |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | said by psloss:
What NT platform? NT, 2000, or XP?
My particular testing is on NT 4.0 server quote:
Also, what is the process token for the Sygate process you're trying to get into?
It's pretty much like this:code:
WINDOW hWnd = FindWindow("Sygate Personal Firewall");
GetWindowThreadProcessId(hWnd, &dwProcessId);
HANDLE OpenProcess(PROCESS_ALL_ACCESS, FALSE, dwProcessId);
... and this is how all the firewalls are accessed. I do acquire seDebugPrivilege first, of course, and this worked find for Sygate until their update of a few days ago.
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
 Time Out$Premium
join:2002-04-28
North Myrtle Beach, SC | If Jaykaykay can hijack an unwise.exe and make it go get some updates over the Internet, you guys do not have a chance to ever again feel your firewall is safe.
I would like the name this the JKK injection technolgy after one of our favotite members.
»Command line for RefUpdate to run automatically? |
|
pslossPremium
join:2002-02-24
Alpharetta, GA | reply to Steve
said by Steve:
My particular testing is on NT 4.0 server
NT 4...SP6a, then? There's a KB article that talks about a CreateRemoteThread handle leak in NT 4, SP6...I don't know if a hotfix was publicly released for this or not:
»support.microsoft.com/default.as···;q246691
That doesn't explain the failure, though; I'm testing on a system using Win2K SP2 (pre-rollup).
Did you get a chance to dump the process token for the Sygate process? By the way, is Sygate architected like Zone Alarm? Zone Alarm employs a driver, a service (actually two, vsmon/minilog), and a GUI process (zonealarm) that run mostly separately. Is Sygate anything like that?
Sorry, another question: have you tried attaching to the Sygate process with your trusty debugger? I'd be curious whether it protects against that.
Thanks,
Philip Sloss |
|
 Occasu$
join:2001-07-20
North Vancouver, BC
| reply to Steve
When you tested zonealarm and it came up with the popup, did anything like this happen?
I use NPF 2002 and it came up with a warning that IAMAPP.EXE wanted to connect to the internet. I chose block, but as you can see backstealth still claims to have connected to the internet and downloaded the text file. Where is the text file saved to? It says the file is saved to C\:retrieve.dat. I am confused (sorry if this has been answered already), is the file saved to disk retrieve.dat, or is it a .txt file that is save to the .dat?
Again i must apologize if this has been covered. I haven't been online for a week and as of late last night when i discovered these have been trying to read and catch up on these threads (zhen Xjells and yours). There is a lot of technical stuff that goes way over my head  .
[text was edited by author 2002-05-04 18:54:49] |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | said by Occasu:
Where is the text file saved to? It says the file is saved to C\:retrieve.dat.
BackStealth can't strictly be sure that it has penetrated the firewall, it only detects gross blockage. Look in the root directory of all your hard drives (C:, D:, etc.) and see if you can see \RETRIEVE.DAT. If you don't see this file, it didn't get through: my guess is that it didn't.
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
Occasu$
join:2001-07-20
North Vancouver, BC | I do have a file on my C: called retrieve.dat, despite the warning that my norton firewall gave to wanting to connect and blocking. That is why i was wondering when you changed backstealth to work for ZA it may have downloaded the file despite the warning ZA prompted. |
|
SteveI know your IP addressConsultant
join:2001-03-10
Yorba Linda, CA
kudos:5 | said by Occasu:
I do have a file on my C: called retrieve.dat,
Is the file empty, or not? Empty file means failure.
Steve
--
Stephen J. Friedl • Security Consultant • Tustin, California USA • »www.unixwiz.net |
|
Occasu$
join:2001-07-20
North Vancouver, BC
| Ahh i see 0 bytes
Edit: oops sorry steve, the answer to this question seems to be in Zhen Xjells thread... sorry 
[text was edited by author 2002-05-04 19:26:19]
[text was edited by author 2002-05-04 19:33:47] |
|
|
|
jvmorrisI Am The Man Who Was Not There.Premium,MVM
join:2001-04-03
Reston, VA | said by Occasu:
ahhh i see the file is 0 bytes. What i still dont understand is NPF/NIS is one of the firewalls it is designed to bypass. From what it seems this exploit only seems to provide a warning that a trusted application, in this case a firewall is trying to access the internet. It is not actually bypassing the firewall unless i allow it to. Is backstealth just a variation of the firehole test that used IE as a zombie?
Again thank you for your time in answering my most likely redundant questions
Well, let me respond to this, because you're pushing Steve a bit beyond his current researches.
According to prior posts by GT7697, if you're running one of the more recent versions of NIS/NPF (like 3.0x/4.0x) on HIGH Security and with Automatic Firewall Rule Creation DISABLED, you'll see exactly what you've reported.
Under normal circumstances, there is absolutely no reason why IAMAPP.EXE should be PERMITTED to access the Internet In other words, you made exactly the right choice.
Still, there is a flaw in the current publicly available Backstealth demonstration which will indicate that it has penetrated your NIS/NPF firewall -- even though it really hasn't. This flaw is similar to that which gwion has previously documented for TPF/KPF, but it seems it has somewhat different implications for NIS/NPF (and probably for AtGuard).
However If you had been running a recent version of NIS/NPF on Medium Security and/or with Automatic Firewall Rule Creation ENABLED, then it is quite likely that BackStealth would have succeeded (for real, by which I mean the receive.dat file would be a bit more than 0 bytes). And you would have seen no warning or other notification. In Medium Security, NIS/NPF does, indeed, trust itself and would not have asked for permission to connect; it would simply have done so. NIS/NPF users need to set security to HIGH and DISABLE Automatic Firewall Rule Creation to avoid this vulnerability. I think I've been recommending this for about two years now.
However, (don't you love all my 'howevers'?  ) there is a more fundamental vulnerability associated with BackStealth which (as I understand it) NIS/NPF is not yet capable of handling. As I understand it, Symantec is aware of the more fundamental problem and is already in the process of addressing it.
--
Regards, Joseph V. Morris |
|
Occasu$
join:2001-07-20
North Vancouver, BC
| Thank you very much for the reply JVmorris. Seeing that a lot of users use the default settings for NPF/NIS i see how this would be a problem. Even in the the warning i got it says "threat level low risk" for IAMAPP.EXE connecting to the internet. To someone a bit too trusting in their firewall would have still clicked automatic or even allow.
In this case I was expecting some sort of warning that my firewall or a component of it would try to connect, but had this happened out of the blue i can't say for certain that i would have blocked it (although i would like to think i would have been paranoid enough to just say no  ).
I would also like to mention System Safety Monitor correctly recognized backstealth.exe as trying to start and prevented it from doing anything until i allowed it to.
[text was edited by author 2002-05-04 19:52:22] |
|
jvmorrisI Am The Man Who Was Not There.Premium,MVM
join:2001-04-03
Reston, VA | said by Occasu:
. . . . Even in the the warning i got it says "threat level low risk" for IAMAPP.EXE connecting to the internet. To someone a bit too trusting in their firewall would have still clicked automatic or even allow.
Yep, and if you'd been running at Medium Security in NIS/NPF, that assessment is precisely what would have allowed the communication to go through with no further notification to the end-user.
If someone's got a good reason why IAMAPP.EXE might need to connect to the Internet (based on their own personal knowledge), I'd sure like to hear it.
quote:
In this case I was expecting some sort of warning that my firewall or a component of it would try to connect, but had this happened out of the blue i can't say for certain that i would have blocked it (although i would like to think i would have been paranoid enough to just say no ).
This is precisely what Steve Friedl, gwion, and others have been warning about (re social engineering). It is incredibly easy for the average end-user to assume that their firewall needs to connect to the Internet; indeed, some of them really do (as currently implemented). Any PSF that needs to connect directly to the internet, for any reason whatsoever, needs to be re-engineered now by the vendor; any other (legitimate) internet communication associated with firewall authentication or updating activities should be handled by a separate, independent application requiring its own PERMIT communications to the specific IP address(es) required to accomplish these functions.
quote:
I would also like to mention System Safety Monitor correctly recognized backstealth.exe as trying to start and prevented it from doing anything until i allowed it.
At the moment, SSM, SS, javacool's FileChecker, or Albert's File Change Alarm are about all we've got to work with. But, if I can social engineer you to respond to the pop-up in NIS/NPF or ZA/ZAP, I can also social engineer you to erroneously respond to the pop-ups provided by these utiltities! That's why it's critical that the PSF vendors not only remove any Internet-connection functionality from their main PSF applications (to a separate Application with highly restricted privileges regarding ports and remote IP addresses), but also warn their customers that any subsequent attempt by their main PSF application to connect to the Internet quite likely represents a compromise of the PSF itself. (Okay, I'll hold my breath and wait for that part to happen.)
--
Regards, Joseph V. Morris |
|
