All current available Outpost Firewall versions suffer from severe vulnerabilities that allow any local user to gain access to the LocalSystem account.
9f8073aa2da59bd44cac7addf49e490496ffab3e3b2d4cdf2c8ed4fc8dfa123aHi,
all current available "Outpost Firewall" versions do have severe
vulnerabilities, every local user is able to run programs under the very
high privileged LocalSystem account.
Steps to reproduce:
1.) create an empty text file (e.g. "empty.txt")
2.) create a batch file which will open a command shell.
sth. like:
cmd.exe
3.) open the Outpost Firewall GUI
4.) call one of the open or save file dialogs
e.g. "File - Load Configuration"
change the file type to "All Files *.*"
5.) drag the "empty.txt" and drop it over the created batch file
6.) a command shell opens running under the LocalSystem account
(you can check this with "whoami.exe" from the windows resource kit
tools)
There're of course a lot other drag&drop possibilites ... you could e.g.
drop the text file over "notepad.exe" which will open a notepad with
system privileges.
Even if Agnitum disables the Drag&Drop functionality: the open/save
dialog will always be able to read and write files with the rights of
the LocalSystem account. Thus every user could severely damage the system.
This vulnerability is by design, there're dozens of other possibilities
to gain system privileges with Outpost. The problem is that the GUI is
part of the windows service and is running with SYSTEM privileges. Even
MS says that the so called "Interactive Services" shouldn't be used -->
MSDN Library, topic "Interactive Services" - "Security Considerations
for Interactive Services".
--
H. WIEDEMANN
© 2022 Packet Storm. All rights reserved.
%7Cutmcsr%3D(direct)%7Cutmcmd%3D(none)){kind=small}
Follow us on Twitter
Follow us on Facebook
Subscribe to an RSS Feed