Re: ITCP Advisory 13: Bypassing of ATGuard Firewall possible

Hi,

Ye Olde Disclaimer: The information contained in this email is believed to be 
true. However, exhaustive regression testing has not been performed. No 
guarantees or warranties are implicitly or explicitly granted. Use the 
information within at your own risk.

Tested AtGuard version: 3.21.05
Tested OS's: NT4 SP6a, Win95 (don't hit me, I'm cheap)

BlueScreen wrote:
> 
> - ------------------------------------------------------------
> itcp advisory 13 advisories@xxxxxxxxxxxxxxxxx
> http://www.it-checkpoint.net/advisory/12.html
> April 29th, 2002
> - ------------------------------------------------------------
> 
> ITCP Advisory 13: Bypassing of ATGuard Firewall possible
> - -------------------------

*snip*

> DETAILS
*snip*
> Sadly ATGuard doesn't save the file paths / doesn't use checksums (would be
> much better), to
> determine wether the executed program is real the one, that is allowed to
> connect to all hosts on port 80.
> It just uses the filename (in this case "IEXPLORE.EXE").

Only if you've created your rule in interactive learning mode. See discussion 
below.

*snip*

> SOLUTION
> 
> There doesn't exist an solution, since ATGuard is not developped anymore. We
> were not able to test the Norton Personal Firewall
> for this problem, since no one of us owns it. We are contacting Norton
> directly with this Advisory.

Not quite correct. The bug reported in BlueScreen's advisory does exist. 
However, either the method of testing was incomplete, or the report was 
incomplete. Also, there is a workaround.

AtGuard has the ability to create firewall rules on the fly (in it's 
"interactive learning mode"). When a connection is attempted and AtGuard cannot 
find a matching rule, in "interactive learning mode" the user is presented with 
a window containing four options. Two of those options allow the user to 
specify whether the connection should be allowed or blocked, this one time 
only. The other two of those options allow the user to create a rule for 
particular connections (that may either block or allow the connections). This 
works on either incoming or outgoing connections.

When a rule is created in interactive learning mode, *only the application 
executable name* is stored in the rulebase. This is the bug that BlueScreen 
pointed out. Without a path to the application file in the rulebase, any 
application with a similar name can make use of the firewall rule (block or 
allow, as the case may be).

However, AtGuard also allows the user to create their own firewall rules 
manually. Click on the dashboard or tray icon, and launch the "Settings" menu 
item. Click the "Add" button, create a rule, and make sure you specify an 
application that the rule applies to (on the Application tab, click 
"Application Shown Above", click the Browse button, and specify the proper 
application with the File Dialog box). You will find the full path to the file 
specified in the rule. Shut down your machine, and start it up again, and 
you'll find the full path still there. You can verify the full path in the 
registry under the key:

HKEY_LOCAL_MACHINE\SOFTWARE\WRQ\IAM\FirewallObjects\Applications

Workaround: Manually create firewall rules instead of using interactive 
learning mode to create rules. If you do use interactive learning mode, you 
should reopen the "Settings" menu, and manually adjust the "Application Shown 
Above" so it shows the full path to the application that the rule applies to 
(you apparently don't have to trash all your current rules). This *appears* to 
resolve the issue (from my brief testing, YMMV).

Of course, this still wouldn't prevent someone from replacing the specified 
file with malware. However, if you're machine has been compromised to that 
level, it seems to me you've got more to worry about than a few firewall rules 
:/

It should be noted that AtGuard rules may be created that allow or block access 
to *all* applications. Such rules appear to not be affected by this bug.

> ADDITIONAL INFORMATION
> Vendor has not been contacted. (since he doesn't exist anymore).

Actually, the original vendor does exist: http://www.wrq.com. They simply don't 
sell the product any more. From what I can tell, the original firewall has been 
sufficiently morphed by Symantec so that it no longer has much resemblance to 
AtGuard. Thus, I don't think comparisons between products from these two 
vendors are fair or valid.

-UMus B. KidN