Secure Network Operations, Inc. http://www.secnetops.com/research Strategic Reconnaissance Team research[at]secnetops[.]com Team Lead Contact kf[at]secnetops[.]com Spam Contact `rm -rf /`@snosoft.com Our Mission: ************************************************************************ Secure Network Operations offers expertise in Networking, Intrusion Detection Systems (IDS), Software Security Validation, and Corporate/Private Network Security. Our mission is to facilitate a secure and reliable Internet and inter-enterprise communications infrastructure through the products and services we offer. To learn more about our company, products and services or to request a demo of ANVIL FCS please visit our site at http://www.secnetops.com, or call us at: 978-263-3829 Quick Summary: ************************************************************************ Advisory Number : SRT2004-01-17-0628 Product : Outpost Firewall. Version : 1.x and 2.x Vendor : http://www.agnitum.com/download/outpostpro.html Class : Local Criticality : High (to Outpost Firewall users) Operating System(s) : Win32 Notice ************************************************************************ 1-2 day Early Warning List: --------------------------- Secure Network Operations, inc. will very shortly have its own advisory notification mailing list. This list will notify you of advisories 1-2 days in advance of public release to other mailing lists. To subscribe please visit http://advisories.secnetops.com in the immediate future. 30-60 day Early Warning List: ----------------------------- Our early warning service will notify you of new vulnerabilities 30-60 days in advance of public release. This service has been created to protect companies by allowing them to repair security vulnerabilities before they become public knowledge. To purchase a one year subscription to this service please contact us at 978-263-3767. Alert *********************************************************************** Our advisories will contain full details excluding a working Proof of Concept. Our web page will contain our working proof of concept for the advisory if it exists. Yes folks this is a policy change for us. We will exercise our own disgression in regards to delay of exploit release vs advisory release. List subscribers will have advanced access to working proof of concept code depending on the severity and list subscription type. Basic Explanation ************************************************************************ High Level Description : Outpost Firewall allows local SYSTEM access. What to do : Apply update from vendor or limit local access. Basic Technical Details ************************************************************************ Proof Of Concept Status : SNO has Proof of Concept. Low Level Description : In the words of agnitum... "With hacker attacks and data theft rampant on the Internet, you need a constant defense to safeguard your PC. Antivirus protection is not enough! The comprehensive solution for protecting you and your family online is Outpost Personal Firewall Pro, the world's foremost security application.". Outpost will... "Protect your system from hackers, Guard the privacy of your data, Monitor network activity, Maintain and control your privacy on the Web, Remove annoying ads, And more!". Our testing was done on the demo version of both Outpost 1.0 and 2.0. We took all defaults while installing from OutpostProInstall.exe. No other tweaks to the settings of Outpost were made. Once started the outpost service provides a tray icon that is available to all users of the system. outpost.exe runs as SYSTEM so this poses an obvious security risk. If you wish to take local system rights from Agnitum Outpost Firewall do the following steps. 1. right click tray icon... 2. choose "options..." 3. choose application or plug-ins 4. click Add... 5. browse for c:\winnt\system32\cmd.exe and right click on it...choose open. Now you have a command prompt running as the user SYSTEM. There is also a similar alternate method... 1. double click tray icon. 2. click Help. 3. click contents. 4. right click help content... 5. choose view source. 6. you now have notepad.exe running as SYSTEM... taking cmd.exe from here is a matter of going to file then open, and duplicating step 5 above. Proof Of Concept: Live exploit code will be under our research shortly. Thanks to Brett Moore for all the conceptual help... sorry for my dumb questions! See http://www.secnetops.biz/research/ look for outpost_ex2.exe and outpost_ex2.c We will update our whats new section when the exploit is available. A screenshot of exploitation can be located at (without registration): http://www.secnetops.biz/images/SRT2004-01-17-0628.jpg Vendor Status : Vendor is has a fix for the issue. A vendor supplied patch should be supplied in the next week or so (of 1/17/2004). "We are glad to inform you that the problem you had reported was solved.", "We plan to release new version in a couple of weeks.", "We strongly recommend that you join the Agnitum News mailing list at www.agnitum.com/news to keep informed of security issues that may affect you, and of new version release." We (Snosoft) also reccomend you sign up for their list... they are very hard to communicate with otherwise. Web forms and long delays were what we encountered. Bugtraq URL : To be assigned. Disclaimer ---------------------------------------------------------------------- This advisory was released by Secure Network Operations,Inc. as a matter of notification to help administrators protect their networks against the described vulnerability. Release of exploit code is done at our own disgression. ---------------------------------------------------------------------- All content of this advisory is property of Secure Network Operations. ---------------------------------------------------------------------- Secure Network Operations, Inc. || http://www.secnetops.com "Embracing the future of technology, protecting you."