[ale] how can a firewalled PC POSSIBLY be attacked?

Matt Hessel matt.hessel at gmail.com
Tue Jan 22 22:05:05 EST 2013


Really good question, and on a subject I work very closely in.

The concept of a computer running with a (software) firewall up,
blocking all incoming traffic, is a fun model, but in reality it is
about as likely to find as the Easter Bunny or Santa Claus.  The truth
is that networking protocols are chatty by nature; the software
firewall as mentioned will usually be configured to allow some traffic
to exit the PC (really it has to, unless you would like to ensure that
the machine will not be able to talk on a network at all, so why plug
it in?).

Down at layer 2 of the OSI model, you have stuff the firewall doesn't
even care about: there are advertisements that happen for higher-level
protocols to work in TCP/IP, like ARP, RARP, DHCP, and in some cases STP.
All of the link state protocols live down here, and they frequently
talk.  They have to: if you need to send packets anywhere, then the
machine needs to ARP for the firewall/gateway/router MAC address.  Also,
for you to receive traffic, the NIC is listening to all the packets on
the wire and checks the MAC address in the destination to see if it
belongs to this machine or not, etc.

Above that, if this is running a Linux or Unix OS, you will usually have
a listener for SSH, or you have Avahi services running and DDNS is
advertising via multicast.  There is a lot of work you have to do to
make your computer a virtual hole in the network, and the better you
do that, the less likely you will be to actually do anything with the
box.

Back on subject: any traffic that goes out your interface from the
computer has to come back in some fashion.  Firewalls used to just
statically allow traffic to TCP/UDP port numbers; now they are more
intelligent and stateful.  The stateful property tracks any outbound
connection your computer makes to another device; then any incoming
packets are compared to that session entry, and if the packet shows it
is returning from the other machine, in the same sequence and such,
the firewall will allow it back in.  You don't need to explicitly
allow this.

That is smart overall, but other smart people have figured out clever
ways to use this behavior to break stuff.

SNMP is a popular way to monitor network devices and servers over the
network; you can get most any statistic from the hosts via some SNMP
requests to UDP 161.  But you can also tell it to do stuff the same
way, if you can figure out the read-write community string for it.
That could be hard, except most SNMP traffic (any version 1 or 2c) is
unencrypted, so my son can look at Wireshark and read all the stuff in
and out; just look for the string with no dots.

Better yet, SNMP is UDP, which is stateless, so I can use a program
on one computer to rewrite the packets I send.  So if there is an
access list on your server to prevent anyone but the proper management
box from using SNMP, I will send packets that have the same source IP
address, and it will gladly do whatever I tell it to.  SNMP does not
prompt "Are you sure?"

I'll stop rambling on, but this is not really the target that gets
compromised most of the time.  If you look up the Black Hat conference
or other hacker conventions, they usually have a contest to crack or
hack a machine; most of the time the exploit was not some weird
Windows thing or Linux buffer overflow, etc.  It is usually a
redirection to a compromised web server, and used a vulnerability in
Flash or Java (usually Flash) that allows the hacker to install a
trojan horse on the computer, and then he owns it.

Firewalls are more of a security blanket than a guard dog.  They
normally do not validate the code you receive, or the sites you visit,
or even exploitable code that runs over the interfaces; they only
look at source and destination IP addresses and the port for the
traffic.



On Tue, Jan 22, 2013 at 8:28 PM, Ron Frazier (ALE)
<atllinuxenthinfo at techstarship.com> wrote:
> The discussion on VPNs and security at Emory prompted me to ask this.  This was prompted by some statements in another thread that a PC could be in danger if attached to unfiltered LAN ports on Emory's network.
>
> Assume you have a PC connected directly to the internet.  It doesn't matter if it's Linux, Windows, Mac, or Android.  I'm speaking in conceptual terms.  Assume the PC is not running any server-type programs, so it is not listening on any ports.  Assume no one is browsing to potentially malicious web pages, or even any web pages.  The PC is just sitting there idling.  Assume the PC has firewall software running.  The firewall's only job is to drop all packets that are not part of a response to an inquiry that this PC has issued.  I don't want to debate, at this point, the pros and cons of dropping all packets or operating in stealth mode.
>
> My question is, conceptually speaking, how can this PC POSSIBLY be vulnerable to any remote attack?  How could anything faze it?
>
> Then, how does the answer change depending on whether it is Linux, Windows, Mac, or Android?
>
> Finally, if it were behind a hardware firewall, or router, how could any unwanted packets get on the lan?
>
> Sincerely,
>
> Ron
>
>
> --
>
> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9 Mail.
> Please excuse my potential brevity.
>
> (To whom it may concern.  My email address has changed.  Replying to former
> messages prior to 03/31/12 with my personal address will go to the wrong
> address.  Please send all personal correspondence to the new address.)
>
> (PS - If you email me and don't get a quick response, you might want to
> call on the phone.  I get about 300 emails per day from alternate energy
> mailing lists and such.  I don't always see new email messages very quickly.)
>
> Ron Frazier
> 770-205-9422 (O)   Leave a message.
> linuxdude AT techstarship.com
>
>
> _______________________________________________
> Ale mailing list
> Ale at ale.org
> http://mail.ale.org/mailman/listinfo/ale
> See JOBS, ANNOUNCE and SCHOOLS lists at
> http://mail.ale.org/mailman/listinfo
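
To make the two mechanisms in the reply above concrete, here is a small Python model, added to this archived page as an illustration (it is not code from the post, nor from any real firewall or SNMP agent): a conntrack-style table that admits only replies to sessions the host itself opened, where a TCP reply must also carry the acknowledgement number that proves the peer saw our segment, next to a UDP SNMP agent whose source-IP access list is satisfied by a packet with a forged source address. It touches no network; the addresses, ports, sequence numbers and read-write community string are all constructed for the demonstration, and the agent's text request format is a stand-in for real SNMP encoding.

```python
"""
Toy model of two behaviours from the post: a stateful firewall that admits
only replies to sessions the host opened, and an SNMP agent on 161/udp whose
source-address access list is defeated by spoofing, because UDP has no
handshake.  Added example, not code from the post.  No real network is
involved; every address, port, sequence number and community string below
is constructed for the demonstration.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str            # source IP address
    sport: int
    dst: str            # destination IP address
    dport: int
    seq: int = 0        # TCP sequence number of this segment (unused for udp)
    ack: int = 0        # TCP acknowledgement number (unused for udp)
    payload: str = ""   # application data, e.g. a (stand-in) SNMP request


class StatefulFilter:
    """Default-deny inbound filter for one host, modelled on a conntrack table:
    an outbound packet creates a session entry; an inbound packet is accepted
    only if it matches the reverse of a tracked session."""

    def __init__(self, host_ip):
        self.host_ip = host_ip
        # key: (proto, local ip, local port, remote ip, remote port)
        # value: ack number a genuine TCP reply must carry, or None for udp
        self.sessions = {}

    def outbound(self, pkt):
        if pkt.src != self.host_ip:
            raise ValueError("outbound packet must originate from this host")
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.proto == "tcp":
            # The peer can only acknowledge a sequence number it actually saw.
            # We model the opening SYN, which consumes one sequence number.
            self.sessions[key] = (pkt.seq + 1) % 2**32
        else:
            self.sessions[key] = None   # UDP: nothing beyond the 4-tuple to check

    def inbound(self, pkt):
        """True if the packet is a plausible reply to a session we opened."""
        key = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.sessions:
            return False                # unsolicited: dropped
        expected_ack = self.sessions[key]
        if pkt.proto == "tcp" and pkt.ack != expected_ack:
            return False                # right addresses, wrong sequence: dropped
        return True


def snmp_agent_accepts(pkt, allowed_managers, rw_community):
    """Server-side model of a v1/v2c SNMP agent behind a source-IP access
    list.  Every field it checks was written by whoever sent the packet."""
    return (pkt.proto == "udp" and pkt.dport == 161
            and pkt.src in allowed_managers
            and pkt.payload.startswith(f"community={rw_community} "))


# --- constructed scenario (RFC 5737 documentation addresses) --------------
HOST = "192.0.2.10"          # the firewalled PC
WEB = "198.51.100.7"         # a server the PC connects to
ATTACKER = "203.0.113.66"
SNMP_SERVER = "192.0.2.20"
MGMT_STATION = "192.0.2.30"  # the only address on the agent's access list
RW_COMMUNITY = "private"     # read off the wire with a sniffer, as the post says
ISN = 0x1A2B3C4D             # our initial sequence number (constructed, fixed)


def genuine_reply_allowed():
    fw = StatefulFilter(HOST)
    fw.outbound(Packet("tcp", HOST, 50000, WEB, 443, seq=ISN))
    reply = Packet("tcp", WEB, 443, HOST, 50000, seq=9000, ack=ISN + 1)
    return fw.inbound(reply)


def unsolicited_packet_dropped():
    fw = StatefulFilter(HOST)
    return not fw.inbound(Packet("tcp", ATTACKER, 4444, HOST, 22))


def spoofed_tcp_reply_dropped():
    """Attacker forges WEB's address but never saw our ISN; 0xBEEF is a guess."""
    fw = StatefulFilter(HOST)
    fw.outbound(Packet("tcp", HOST, 50000, WEB, 443, seq=ISN))
    forged = Packet("tcp", WEB, 443, HOST, 50000, seq=1, ack=0xBEEF)
    return not fw.inbound(forged)


def spoofed_udp_passes_acl():
    """Same request twice: from the attacker's own address it is refused,
    with the management station's address in the source field it is obeyed."""
    acl = {MGMT_STATION}
    request = f"community={RW_COMMUNITY} set sysContact.0 attacker"
    honest = Packet("udp", ATTACKER, 40000, SNMP_SERVER, 161, payload=request)
    spoofed = Packet("udp", MGMT_STATION, 40000, SNMP_SERVER, 161, payload=request)
    return (not snmp_agent_accepts(honest, acl, RW_COMMUNITY)
            and snmp_agent_accepts(spoofed, acl, RW_COMMUNITY))


if __name__ == "__main__":
    print("genuine TCP reply admitted:  ", genuine_reply_allowed())
    print("unsolicited packet dropped:  ", unsolicited_packet_dropped())
    print("forged TCP reply dropped:    ", spoofed_tcp_reply_dropped())
    print("spoofed UDP passes SNMP ACL: ", spoofed_udp_passes_acl())
```

Running the file prints four True lines. Note that the UDP session entry in the filter holds nothing but the 4-tuple, so the same source-address forgery that defeats the SNMP access list would also satisfy the filter's UDP entry if the attacker knew the ports in use; the TCP entry resists a blind forgery only because the acknowledgement number has to match a value that never appeared on the attacker's side of the wire.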
