Can prox stop this?

[Steve V.]

Hi all PROX GURU's!

I new to prox. but I like this tool allot!

I have one question to you!

Is it possible to set up a filter with prox that stops outgoing browser access. When the browser is running in hidden mode?

The reason for my question is that there is a bug hype regarding firewalls and firewall vulnerbilities!

Many (almost all) FW does not have sufficent outbound filtering when a malicous program trying to get outbound access from your system. There are many friendly DEMO "trojans" which demonstartes this vulnerbility of the FWs!

Example of those are!

1. Tooleaky (tooleaky.zensoft.com)
2. PC AUIDT (http://www.isa-llc.com/)
3. leaktest (grc.com)

There is also other tools that demonstrates this (more or less sofisticated). I belive that a common pattern these tools using, is that it uses a trusted application (your browser, often in hidden mode) to get access to internet then it tunnels out information from your system via the trusted application.

Can prox stop a HTTP connections when the browser is running in hidden mode?





Edited by - Zhen-Xjell on 06 Mar 2002  05:03:30

[dave1006]

Hi Steve,
I'm not sure that Prox can filter such access, someone else will have to answer that. But, my suggestion would simply be not to use IE, use Opera or another browser, then you can remove all IE internet access form your firewalls 'allowed' list, and thus solve a significant amount of problems caused by the tests you list.

-------------------------
|David Gallagher        
|dave1006 at hotmail.com
-------------------------

[Zhen-Xjell]

I moved this from General into this Security forum for two reasons:

1) Nothing was in the Security forum
2) This is more of a general Security question

If a program is piggy-backing onto IE as some of these "test" programs do, then Proxomitron of course should be able to handle the information.

However, I wouldn't use Proxomitron for something it wasn't meant to be: a firewall.  I'd highly suggest installing one right away if you don't already have one.

Do you have one?  Do you need links/information?

[Veegertx]

Actually just switching browser's won't help 100%. Although it does'nt work with Opera < at current time. He say's simply it does'nt recognize the browser. Which mean's he simply did'nt port it to work with it since it's piggybacking on the web browser. I have beta version of latest Zone Alarm Pro 3.0.070 and it bypasses it easy. They've added some stuff to ZA like cookie, Ad blocking and script blocking and it seem's to work ok. I'm still waiting on the NetFilter Steve (over at GRC) is working on. I'm sure it will be better than other versions out here on the www.

This is Firehole leaker and has some interesting reading about the way he does it.
 http://keir.net/firehole.html

 

[Zhen-Xjell]

The reason why that gets past zone alarm is due to a configuration issue.  If you allow IE to access the web, then the program gets past zone alarm b/c it uses IE for web access.  So, you have to set it to prompt instead.  When IE wants web access, it will prompt you. This is how mine is set, and ZAP catches these tests.

[Veegertx]

Kewl, I'll try that with IE. Started using this Opera since I'm on dial-up and it browses faster than IE6.01 on XP here. He said on that previous page that most won't set their firewall that way and I did'nt since it bugs me. I like the ZA Pro cause over at Flank or GRC and several other's I test my defenses at it show's I'm full stealth on all ports they test. Also I tried (all) the exploits at Flank like teardrop, Nuke and It showed I'm protected. I come across a lot of sites that say ZA is a joke among IT pro's and Tiny is better. They might want to check out this>    http://www.pcflank.com/art19.htm
Not from my experience either. With Win ME I could'nt ever get full stealth just Closed, but with XP I have and frankly I have'nt turned off any of the services  yet.
 Only thing is I used UnPlug and Pray and turned off Universal Plug and Play.



Edited by - Veegertx on 07 Mar 2002  03:04:29

[hpguru]

This isn't an IE issue at all but a browser issue in general. Just because somebody's exploit example doesn't call Opera is no indication that Opera or any other HTTP client couldn't be used in the place of IE. In fact a resourceful trojan writer might just read the system registry to determine the default browser and use it. Take a look at the Help menu of the various applications on your system. Often times you'll find a "Visit Website" menu entry. If Opera is the default browser does clicking the entry open Opera? It does indeed if the application is programmed to open the default browser and Opera is the default. If it can be done it response to a click it can also be done behind your back.

You will never be 100% secure but here are a few things you can do to minimize your risk.

Configure only your default browser to use Prox but configure your firewall rules so that the only way your other browsers can connect is through Prox. This way your less oft used browsers will be incapable of connecting out until you reconfigure them to use Prox to connect when you need them.

Configure your firewall rules such that access to the proxy on localhost is explicit rather than implicit. An example of implicit access is when you create a firewall rule to allow any application to connect to localhost via TCP/UDP by any port. This will allow any application to connect out through Prox. To prevent this you can create two localhost loopback rules.

The first localhost loopback rule should allow inbound/outbound TCP/UDP to/from localhost with a remote port range from 1 to 8079 (localhost:1-8079) for any application.

The second localhost loopback rule allows inbound/outbound TCP/UDP to/from localhost with a remote port range from 8081 to 65535 (localhost:8081-65535) for any application. You cannot just block localhost loopback because some of your apps and perhaps Windows itself will yield errors, hang or even crash.

Once you've done that create two rules for every browser on your system.

The first rule will allow your browser to connect out via TCP (and UDP in the case of IE) to any address. Restrict it to the local port range from 1024 to 5000 and remote port 8080.

The second is for SSL and will allow your browser to connect out via TCP(/UDP) to any address with a remote port of 443 (HTTPS). Again the local port range is 1024 to 5000. If you feel comfortable with it you can configure Prox to filter secure pages but it may result in these pages being cached to disk (I don't know how Prox handles temp files). I recommend disabling the SSL rules until you need them.

You could also create a third rule to allow FTP but I personally think it's safer and more practical to use a dedicated FTP client.

The firewall rule for Prox will allow it to connect out via TCP. If your firewall allows for it, configure a discrete set of remote ports, e.g. 80, 443, 3128, 7734, 8080 and so on as you require. The local port range is always the same, 1024-5000.

Now to minimize the risk of malware utilizing your browser to connect, don't configure Prox to start with Windows and don't even run Prox if you're not browsing the web. With the above firewall rules, if Prox is not running your browsers cannot connect out, period. I even shut Prox down while typing this.

Finally if you are practicing "Safe Hex" and performing regular security audits of your system then malware shouldn't be a problem for you but that's another topic.