
Windows Firewall Interface Issue in Handling Exceptions

  • Posted on: September 2, 2005 at 3:07 pm
  • Posted in: Bad Sites
  • Author: Rainer Link (Senior Threat Researcher)

Microsoft has just released an advisory disclosing how a flaw in the Windows Firewall graphical user interface can keep an exception from showing up in the Exceptions list. This unexpected behavior is triggered by a malformed registry entry.

Windows Firewall is configured to block incoming network connections by default. However, a system administrator can allow incoming network connections by creating an exception in the Windows Firewall configuration. The exception then lets remote hosts reach the network service that listens on the excepted port.

Note that this issue only affects the Windows Firewall GUI. The command-line “netsh” tool is not affected by this issue.

Microsoft stresses that “this is not a vulnerability.” It cannot be used to compromise a system. Furthermore, administrative privileges are required in order to edit the offending registry entries. Refer to these Microsoft articles:

  • Windows Firewall Exception May Not Display in the User Interface
  • An exception may not show up in the Windows Firewall graphical user interface if you create the exception by modifying the registry

What can malware do?

  1. Get installed on the system, hoping that the user who executed it has administrative privileges.
  2. Edit the affected registry entries to add the port it intends to use to the exceptions list, formatting the entry so that the flaw keeps the port out of the Exceptions list in the Firewall GUI.
  3. Open (listen on) the port it just added to the Exceptions list.

To get unrestricted network access, the malware no longer needs to terminate the Windows Firewall service (as most bots do). All it needs to do is add the port number it is going to use to the Exceptions list and hide it.

As Microsoft said, this is not a vulnerability per se. But it could be leveraged to hide malware’s presence on the system. Then again, if a user is able to run malware on his/her system while logged in with administrative privileges, this issue is the least of your concerns.

Some testing

Ports that are in the exceptions list are placed in this registry key:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List

Since this is located in the HKEY_LOCAL_MACHINE registry hive, only an administrator has the power to edit the entries in this key.

For my PC, for example, I see the following registry entries in the said key (Registry Editor screenshot not reproduced here): ports 139 (TCP), 445 (TCP), 137 (UDP), and 138 (UDP) are allowed through the firewall. That’s okay, ’cause I need those ports for file and print sharing.

It is apparent that the format of the registry entries in the exceptions list is the following: the value name is the port and protocol, and the value data is

PortNumber:TCP:*:Enabled:Exception Name

where “*” is the scope (any address) and “Enabled” is the state of the exception.

The flaw is in Exception Name. If you leave Exception Name blank, that particular exception is hidden from the Windows Firewall GUI.

As a little test, I created these two registry entries:

12345:TCP = 12345:TCP:*:Enabled:Testing
23456:TCP = 23456:TCP:*:Enabled

These are the two entries as they appear in Registry Editor (screenshot not reproduced here).

My Windows Firewall GUI lists only the port 12345 exception (screenshot not reproduced here).

At this point, you can clearly see that one of the exceptions we entered (port 23456) is not visible. But is it really in the exceptions list? We know for a fact that the “netsh” command-line tool is not affected, so let’s use it.

The netsh output (not reproduced here) confirms that TCP port 23456 is indeed in the Exceptions list, even though it is not visible in the Windows Firewall GUI.

As an additional test, I set up listeners on TCP ports 12345 and 23456 and tried connecting from a remote machine. I was able to connect on both occasions, so the hidden exception opens the port just as effectively as the visible one.
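The malware steps above and the registry test both come down to one check: does any value under GloballyOpenPorts\List carry a blank exception name? The following script is an added example (not code from the original post, nor Microsoft's) that parses a .reg export of that key and flags such entries, along with two related oddities (a value name that disagrees with its own data, and an unexpected protocol). The export text, the names on the file-sharing ports and the function names are all constructed for the example; the script treats a missing fifth field and an empty fifth field the same way, whereas the post only tested the former.

```python
"""Flag Windows Firewall port exceptions the XP SP2 GUI would not display.

Added example for this post, not Microsoft's or Trend Micro's code. It reads
the text of a .reg export of the GloballyOpenPorts\\List key (so it runs on any
platform, with no registry access) and reports entries whose exception name is
blank, the condition the post shows hides the entry from the Exceptions tab.
"""
import re
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed sample export, as `reg export <key> dump.reg` would write it after
# the post's two test values were added. The names on 139/445/137/138 are
# invented for the example; a real machine stores resource-string references.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List]
"139:TCP"="139:TCP:*:Enabled:NetBIOS Session Service"
"445:TCP"="445:TCP:*:Enabled:SMB over TCP"
"137:UDP"="137:UDP:*:Enabled:NetBIOS Name Service"
"138:UDP"="138:UDP:*:Enabled:NetBIOS Datagram Service"
"12345:TCP"="12345:TCP:*:Enabled:Testing"
"23456:TCP"="23456:TCP:*:Enabled"
"""

# One REG_SZ line of a .reg file: "name"="data", with \" and \\ escapes inside.
_REG_SZ_LINE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: a backslash quotes the character after it."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg_values(reg_text: str) -> List[Tuple[str, str]]:
    """Return (value name, string data) pairs for every REG_SZ value in the export."""
    pairs = []
    for line in reg_text.splitlines():
        m = _REG_SZ_LINE.match(line.strip())
        if m:
            pairs.append((_unescape(m.group(1)), _unescape(m.group(2))))
    return pairs


@dataclass
class PortException:
    value_name: str
    port: int
    protocol: str
    scope: str      # "*" = any address; otherwise LocalSubnet or an address list
    enabled: bool
    name: str
    problems: List[str] = field(default_factory=list)

    @property
    def hidden_from_gui(self) -> bool:
        # The post's finding: a blank exception name keeps the entry off the
        # Exceptions tab even though netsh still lists it and the port is open.
        return self.name == ""


def parse_exception(value_name: str, data: str) -> PortException:
    """Split 'Port:Protocol:Scope:State[:Name]' and note anything suspicious."""
    fields = data.split(":", 4)          # the name itself may contain ':'
    if len(fields) < 4:
        raise ValueError(f"{value_name}: malformed exception data {data!r}")
    port_s, protocol, scope, state = fields[:4]
    name = fields[4] if len(fields) == 5 else ""     # missing field == blank name
    exc = PortException(value_name, int(port_s), protocol, scope,
                        state.lower() == "enabled", name)
    if exc.hidden_from_gui:
        exc.problems.append("blank exception name: hidden from the Windows Firewall GUI")
    if value_name != f"{port_s}:{protocol}":
        exc.problems.append(f"value name {value_name!r} disagrees with data {port_s}:{protocol}")
    if protocol not in ("TCP", "UDP"):
        exc.problems.append(f"unexpected protocol {protocol!r}")
    return exc


def audit(reg_text: str) -> List[PortException]:
    """Parse every exception in the export; entries with problems sort first."""
    excs = [parse_exception(n, d) for n, d in parse_reg_values(reg_text)]
    return sorted(excs, key=lambda e: (not e.problems, e.port))


def hidden_exceptions(reg_text: str) -> List[PortException]:
    """Only the entries the GUI would not show."""
    return [e for e in audit(reg_text) if e.hidden_from_gui]


if __name__ == "__main__":
    for e in audit(SAMPLE_REG_EXPORT):
        flag = "HIDDEN" if e.hidden_from_gui else "ok    "
        print(f"{flag} {e.port:>5}/{e.protocol} scope={e.scope} enabled={e.enabled} "
              f"name={e.name!r} {'; '.join(e.problems)}")
```

On a live XP SP2 machine, export the key with reg.exe (`reg export "HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\GloballyOpenPorts\List" dump.reg`) and pass the file's contents to audit(); do the same for the StandardProfile counterpart of the key, which is the profile in effect when the machine is not connected to its domain. The list the script produces should agree with `netsh firewall show portopening`, the unaffected command-line view the post relies on; any port the script reports as HIDDEN will be absent from the GUI's Exceptions tab.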
