Nov 20th, 2008, 7:09am
   Mischel Internet Security Forum
   Internet Security
   General
(Moderators: Helena, Gavin_Coe, Magnus)
   Another LeakTest
   Author  Topic: Another LeakTest  (Read 1712 times)
Magnus
Administrator
Another LeakTest
« on: Dec 17th, 2001, 11:11pm »

I got a crazy idea yesterday afternoon, and decided to try and write a little application to bypass ZoneAlarm. You know the little yellow popup window that asks you to confirm when a new application wants to access the Internet? What would happen if a malicious program clicked the "Yes" button in code?
 
Try for yourself (harmless demo program):
 
  http://www.mischel.dhs.org/products/ZoneClickThrough.exe

Walter
Veteran
Re: Another LeakTest
« Reply #1 on: Dec 22nd, 2001, 3:58am »

Hm...don't see any replies yet, so I wonder how many have tried this test so far. Well, for the record:
ZA passed the test. The ZONECLICKTHROUGH.EXE file was NOT able to access the internet. The "permission" window immediately popped up when I ran the test after downloading it. I did save the file (test) to a CD, and opened it from the CD. Would this have made any difference, I wonder?
When I clicked "no" in ZA, the screen below the message "If you see the web address...bypassed," went to "page unavailable off-line," or something like that.
Conclusion: ZA worked perfectly.
Fun little test, thanks Magnus.

Strange as it may seem, no amount of learning can cure stupidity, and formal education positively fortifies it. S Vizinczey

beefy
Guest
Re: Another LeakTest
« Reply #2 on: Dec 28th, 2001, 5:13am »

Is this test still available?
 
I tried to run 12/27/01--came back with
 
Not Found
The requested URL /products/ZoneClickThrough.exe was not found on this server.
 
« Last Edit: Dec 28th, 2001, 5:14am by beefy »

Magnus
Administrator
Re: Another LeakTest
« Reply #3 on: Dec 28th, 2001, 4:11pm »

Seems it didn't get uploaded when the server moved. It should be available again.

Jamming
Stole All the Forum Stars
Re: Another LeakTest
« Reply #4 on: Dec 30th, 2001, 7:35am »

Is this a Mutex Hijack Exploit?  If so I think that ZA works better if you have the "diamondcs" mutex patch installed.
« Last Edit: Dec 30th, 2001, 7:36am by Jamming »

Team Z Member

Servare cives, major est virtus patriae patri.
- Lucius Annaeus Seneca
I was born an American; I live an American; I shall die an American!
- Daniel Webster

Magnus
Administrator
Re: Another LeakTest
« Reply #5 on: Dec 30th, 2001, 11:19am »


on Dec 30th, 2001, 7:35am, Jamming wrote:

Is this a Mutex Hijack Exploit?  If so I think that ZA works better if you have the "diamondcs" mutex patch installed.

 
Nope, it simply clicks the "Yes" button on the alert Window to bypass the firewall. No mutex patch in the world will help against that.

Roger
Guest
Re: Another LeakTest
« Reply #6 on: Dec 31st, 2001, 3:32am »

Magnus
 
My test failed going out but was blocked coming in. Is there a patch available to stop this? Or any way to stop this from happening?

davidovv
Newbie
Re: Another LeakTest
« Reply #7 on: Dec 31st, 2001, 2:30pm »


on Dec 31st, 2001, 3:32am, Roger wrote:

Magnus
 
My test failed going out but was blocked coming in. Is there a patch available to stop this? Or any way to stop this from happening?

 
Roger,
 
My two sixpence: The only thing that one might conclude from this test is, software firewalls can be targeted - and that not only applies to ZA. Sortalike tests can be written for fairly all firewalls. Does this imply your firewall is vulnerable in essence? No. Does it imply one has to practice safe hex, and avoid downloading and executing (.exe-)files at random, without being sure of the fact the source is trustworthy and the file is clean? Yes.

There is no patch, and there is no need for a patch. In this case, you voluntarily downloaded and executed a file. Luckily from a trusted source. Just avoid doing so in general. That's all there's to it.
 
regards.
 
paul

Roger
Guest
Re: Another LeakTest
« Reply #9 on: Jan 1st, 2002, 1:56am »

Paul
 
That makes me feel a lot better, I always run virus checks on anything I download before opening them, that's why I became a little worried after the test. Another question if I can, would it be worth having another firewall, I have read on some forums that it is better to have 2.
 
Roger

davidovv
Newbie
Re: Another LeakTest
« Reply #10 on: Jan 1st, 2002, 11:39am »


on Jan 1st, 2002, 1:56am, Roger wrote:

Paul
 
That makes me feel a lot better, I always run virus checks on anything I download before opening them, that's why I became a little worried after the test. Another question if I can, would it be worth having another firewall, I have read on some forums that it is better to have 2.
 
Roger

 
Sounds like good practice. Compare what you have done by downloading and running the "test file" with downloading and running for example a trojan having the capacity to put firewalls etc. out of business. No one sound of mind would ever consider doing so.

As for running two firewalls resident in conjunction: this is in essence not only overkill, but might conflict as well. Better go for one really well configured firewall. The only exception I can think of, is running an IDS like BlackICE Defender in conjunction, as many ZA users seem to do. IMO there's no need for this - ZA coming first in line. It doesn't seem to conflict either. But if users are happy with this combo, they should go for it.
 
regards.
 
paul

Jamming
Stole All the Forum Stars
Re: Another LeakTest
« Reply #11 on: Jan 4th, 2002, 5:30am »

If I didn't make myself clear on this thread earlier, the test had no effect on allowing access through my ZAP Beta 2.6.364 version. It did not click the app to allow a connection, how do I know this, you ask? Simply there was no outbound transmission as my NAT firewall with filters (including the logging of all connections). It might have worked with other configurations but it didn't work with mine outbound.
« Last Edit: Jan 4th, 2002, 5:31am by Jamming »

Magnus
Administrator
Re: Another LeakTest
« Reply #12 on: Jan 5th, 2002, 3:20pm »

ZoneClickThrough seems to fail to penetrate ZoneAlarm about 10% or so of the times it's run. I haven't taken the time to find out exactly why this is, but I think I've proven the point here, namely that ZoneAlarm can easily be bypassed. Run it a few more times and see if it gets through!

Jamming
Stole All the Forum Stars
Re: Another LeakTest
« Reply #13 on: Mar 7th, 2002, 4:47am »

I am updating the discussion on this thread, the "ZoneClickThrough.exe" causes ZAP 3.0 to fail into the off position denying any access to the Internet if an attempt is made to use it in the High Security mode. This is only if the file is executed, evidently anything that tries to replicate the authorization except in the approved manner through the interface will cause ZAP 3.0 to fail in the safemode of denying contact.

Magnus
Administrator
Re: Another LeakTest
« Reply #14 on: Mar 7th, 2002, 7:01am »

I haven't tried ZoneAlarm 3 yet, but I'd say it would be very impressive if they can tell the difference between a user pressing a button and an application programmatically pressing a button! Generally, the technique should work for any software firewall, although the ZoneClickThrough demo was designed for ZoneAlarm version 2.
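
The question the thread ends on, whether a consent prompt can tell a user's click from a programmatic one, and the fail-closed behaviour Jamming reports for ZAP 3.0, can be modelled as a provenance check on the click. This is an added example, not code from the thread or from ZoneAlarm: the struct layout, names and process IDs are hypothetical and the events are constructed; only the two LLMHF_* values are the flags Windows defines for low-level mouse hook events.

```c
#include <stdbool.h>
#include <stdint.h>

/* Flag values documented for MSLLHOOKSTRUCT.flags in WinUser.h. */
#define LLMHF_INJECTED          0x00000001u
#define LLMHF_LOWER_IL_INJECTED 0x00000002u

/* Hypothetical model of how a "Yes" reached the alert window. */
enum delivery { FROM_INPUT_QUEUE, FROM_SENT_MESSAGE };

struct consent_click {
    enum delivery path;   /* mouse input queue, or a window message sent directly */
    uint32_t hook_flags;  /* low-level mouse hook flags; used for FROM_INPUT_QUEUE */
    uint32_t sender_pid;  /* sending process; used for FROM_SENT_MESSAGE */
};
enum verdict { ACCEPT, REJECT_FOREIGN_MESSAGE, REJECT_INJECTED_INPUT };

struct firewall {
    uint32_t own_pid;
    bool locked;          /* fail closed: block all traffic once tampering is seen */
};

/* Classify one click by where it came from, not by which button it names. */
enum verdict judge_click(const struct firewall *fw, const struct consent_click *c)
{
    if (c->path == FROM_SENT_MESSAGE)
        return c->sender_pid == fw->own_pid ? ACCEPT : REJECT_FOREIGN_MESSAGE;
    if (c->hook_flags & (LLMHF_INJECTED | LLMHF_LOWER_IL_INJECTED))
        return REJECT_INJECTED_INPUT;
    return ACCEPT;
}

/* Returns true only if outbound access may be granted for this prompt. */
bool handle_click(struct firewall *fw, const struct consent_click *c)
{
    if (!fw->locked && judge_click(fw, c) != ACCEPT)
        fw->locked = true;   /* deny this request and all later ones */
    return !fw->locked;
}

/* Constructed events: a synthesized click, then a genuine one. */
int main(void)
{
    struct firewall fw = { 100, false };
    struct consent_click forged = { FROM_INPUT_QUEUE, LLMHF_INJECTED, 0 };
    struct consent_click real = { FROM_INPUT_QUEUE, 0, 0 };
    bool a = handle_click(&fw, &forged), b = handle_click(&fw, &real);
    return (a || b) ? 1 : 0;   /* 0: both denied, firewall stays locked */
}
```

Once a rejected click has locked the model, even the genuine click is refused, which matches the deny-all outcome described in Reply #13.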