DefenseWall v3.05 released


Post by Ruhe on 26/7/2010, 23:35

Release date: Jul 26 2010

Changelog:
- Windows Shell .lnk exploit coped


Re: DefenseWall v3.05 released

Post by ssj100 on 27/7/2010, 15:58

Wait, what?
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1307

Negative. DefenseWall invulnerable to it.

Ilya's own words. And yet he releases a new version specifically to address the exploit. I don't know about you guys, but this dramatically reduces the amount of trust/faith I have in Ilya and DefenseWall.

_________________
Sandboxie + LUA + SRP + DEP + SuRun
Windows Firewall + NAT Router + IPSec (on-demand)
VirtualBox (on-demand)
Drive SnapShot (on-demand)

Re: DefenseWall v3.05 released

Post by Ruhe on 27/7/2010, 16:02

Do you mean this post? http://gladiator-antivirus.com/forum/index.php?showtopic=107368&st=0&p=260294&#entry260294

There he writes:
"Looks like I need to make a separate file status for .lnk's."
Maybe this is the fix?!

Re: DefenseWall v3.05 released

Post by ssj100 on 27/7/2010, 16:11

I don't know. It sounds like very conflicting information. He says DefenseWall is invulnerable to it. How can it be invulnerable to it when he releases a brand new version and writes in the changelog:

"Windows Shell .lnk exploit coped"?


Re: DefenseWall v3.05 released

Post by ssj100 on 27/7/2010, 16:35

I've updated this thread:
http://ssj100.fullsubject.com/security-f7/lnk-vulnerability-poc-re-test-t206.htm#1435

As you can see, Ilya has done something to block Test B. This is further proof that a potential hole in DefenseWall has now been patched.

However, the strange (and slightly unsettling) behaviour still persists as described below:
http://ssj100.fullsubject.com/security-f7/vulnerability-in-windows-shell-could-allow-remote-code-execution-t187.htm#1303

On running the exploit (everything "Untrusted") as described, nothing comes up on the Debugger (suggesting that DefenseWall blocks it). However, a new folder called "DefenseWallVC" is spontaneously created in the directory, and within is a sub-folder called "HarddiskVolume1". Within this sub-folder is a shortcut file called "suckme". Furthermore, the original shortcut file that loads the DLL has now become "Trusted" (on checking via DefenseWall "File properties")! This is obviously concerning in itself, even though it's not really a direct bypass.


Re: DefenseWall v3.05 released

Post by ssj100 on 27/7/2010, 17:52

Oh and another thing. I recall Ilya saying that .txt files don't need to be protected by DefenseWall because they couldn't become malicious. Well, perhaps he thought the same about "shortcut" files as well?

I think all newly introduced files can potentially be malicious. This is why I don't understand why people trust the DefenseWall "Untrusted" status of a file so much (excuse the slight pun there haha). For example, we already know that even if a picture file is labelled "Untrusted" by DefenseWall, it will fail to open "Untrusted" with Windows Picture and Fax Viewer when double clicking on it. In this case, the only way to "guarantee" that the picture file opens "Untrusted" is to right click it and specifically choose to run it as "Untrusted" by DefenseWall.


Re: DefenseWall v3.05 released

Post by Ruhe on 27/7/2010, 23:44


Re: DefenseWall v3.05 released

Post by ssj100 on 28/7/2010, 01:38

How did 3.04 not fail the test? He admits that the DLL was loaded. This is what my tests show too - the debugger displays the relevant text. This means DefenseWall was bypassed on that level. If it didn't fail the test, the text shouldn't have been displayed in the debugger.

I suppose what he means is that the DLL remained untrusted, and therefore by definition, DefenseWall wasn't bypassed. It's like with Sandboxie - everything is contained in Sandboxie (according to tzuk) but the Debugger displays text for both Test A and B. However, I'm uncertain as to how we interpret the result for DefenseWall - it's not a sandbox like Sandboxie as it doesn't completely isolate files into one area - everything is allowed to run on the REAL system.

And he still doesn't address why changing the name of the shortcut file gives it "Trusted" status (when it started off as "Untrusted").

I guess the only sure way to know how DefenseWall 3.04 does is to test it against some real-world malware of this type and see what happens. Regardless, it's good to see protection has been "fixed" on "both levels" in 3.05.

