Hi,

all current available "Outpost Firewall" versions do have severe 
vulnerabilities, every local user is able to run programs under the very 
high privileged LocalSystem account.

Steps to reproduce:

1.) create an empty text file (e.g. "empty.txt")
2.) create a batch file which will open a command shell.
     sth. like:
     cmd.exe
3.) open the Outpost Firewall GUI
4.) call one of the open or save file dialogs
     e.g. "File - Load Configuration"
     change the file type to "All Files *.*"
5.) drag the "empty.txt" and drop it over the created batch file
6.) a command shell opens running under the LocalSystem account
     (you can check this with "whoami.exe" from the windows resource kit 
tools)


There're of course a lot other drag&drop possibilites ... you could e.g. 
drop the text file over "notepad.exe" which will open a notepad with 
system privileges.

Even if Agnitum disables the Drag&Drop functionality: the open/save 
dialog will always be able to read and write files with the rights of 
the LocalSystem account. Thus every user could severely damage the system.


This vulnerability is by design, there're dozens of other possibilities 
to gain system privileges with Outpost. The problem is that the GUI is 
part of the windows service and is running with SYSTEM privileges. Even 
MS says that the so called "Interactive Services" shouldn't be used --> 
MSDN Library, topic "Interactive Services" - "Security Considerations 
for Interactive Services".


-- 

H. WIEDEMANN

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/