[14667] in bugtraq


Re: ZoneAlarm

daemon@ATHENA.MIT.EDU (Stephen M. Milton)
Wed Apr 26 01:13:13 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Message-Id:  <NCBBIBOPMIPPABGOGBLKKEGOJIAA.milton@isomedia.com>
Date:         Mon, 24 Apr 2000 09:33:25 -0700
Reply-To: "Stephen M. Milton" <milton@ISOMEDIA.COM>
From: "Stephen M. Milton" <milton@ISOMEDIA.COM>
X-To:         BUGTRAQ@SECURITYFOCUS.COM
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <20000421044123.2353.qmail@securityfocus.com>

I tried this on Windows 2000 Server, also using version 2.1.10 of ZoneAlarm.
I received alerts on the scans both with and without the source port
specified to port 67.

Stephen Milton
ISOMEDIA, Inc.

> -----Original Message-----
> From: Bugtraq List [mailto:BUGTRAQ@SECURITYFOCUS.COM]On Behalf Of Wally
> Whacker
> Sent: Thursday, April 20, 2000 9:41 PM
> To: BUGTRAQ@SECURITYFOCUS.COM
> Subject: ZoneAlarm
>
>
> ZoneAlarm (http://www.zonelabs.com) is a very popular
> personal firewall for Microsoft Windows computers and easy
> to use for newbies because it is application based,
> meaning, you apply network permission to applications
> instead of ports.
>
> Because it is application based, I was wondering how it
> handled ports that weren't applications, i.e., what about
> ports that are opened by the kernel?
>
> I tried scanning a ZoneAlarm protected machine using
> various source ports that are often problems for other
> firewall environments. What I found was this:
>
> If one uses port 67 as the SOURCE port of a UDP scan,
> ZoneAlarm will let the packet through and will not notify
> the user. This means that one can UDP port scan a
> ZoneAlarm protected computer as if there were no firewall
> there IF one uses port 67 as the source port on the packets.
>
> The version I tested this on was 2.1.10
>
> I strongly suspect port 67 needs to be left open because it
> is used for DHCP.
>
> On an earlier version 2.0.26 UDP packets from source port
> 53 also behaved as above but this doesn't seem to be the
> case with this latest version.
>
> The test was this:
>
> 1) Download and install ZoneAlarm version 2.1.10.
>
> 2) From another computer (unix, linux, etc) run nmap -P0
> -p130-140 -sU 192.168.128.88 <-Your Computer Ip Address.
> This will run a small UDP scan on the computer.
>
> 3) ZoneAlarm will throw up alarms on these UDP probes
>
> 4) NOW, run nmap -g67 -P0 -p130-140 -sU 192.168.128.88
> (Notice the -g67 which specifies source port). This will
> run the same test as above except the packets will have a
> source port of 67.
>
> 5) ZoneAlarm will not throw up any alerts AND if you have
> any services running on those ports, nmap will find them.
>
> I'd appreciate it if anyone else can independently verify
> this.
>
> Wally
>
> http://hackerwhacker.com
>
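
An added example, not part of either message and not ZoneAlarm's code: a small Python model of the kind of rule the original poster suspects (pass any UDP packet whose source port is 67) next to a stricter DHCP exception that also checks the destination port, whether a request is outstanding, and the server address. The class and function names, the addresses and the sample packets are assumptions constructed for illustration.

```python
from dataclasses import dataclass

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68

@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_port: int

def weak_filter(pkt):
    """Stateless exception: pass anything that claims source port 67."""
    return pkt.src_port == DHCP_SERVER_PORT

class StrictDhcpFilter:
    """Pass only 67 -> 68 replies that answer a request this host sent."""
    def __init__(self, known_servers=()):
        self.known_servers = set(known_servers)  # learned from earlier leases
        self.request_pending = False

    def note_outbound_request(self):
        # Local DHCP client sent DISCOVER/REQUEST (68 -> 67).
        self.request_pending = True

    def allow(self, pkt):
        if (pkt.src_port, pkt.dst_port) != (DHCP_SERVER_PORT, DHCP_CLIENT_PORT):
            return False  # source port alone proves nothing; the sender chooses it
        if not self.request_pending:
            return False  # unsolicited "reply"
        return not self.known_servers or pkt.src_ip in self.known_servers

# Constructed sample traffic; all addresses are illustrative.
SAMPLE = [
    UdpPacket("192.168.128.1", 67, 68),       # genuine DHCP reply
    UdpPacket("192.168.128.50", 67, 137),     # probe sent with source port 67
    UdpPacket("192.168.128.50", 40000, 137),  # ordinary probe
]

def compare(packets, strict):
    """Return (weak_verdict, strict_verdict) per packet; True means passed."""
    return [(weak_filter(p), strict.allow(p)) for p in packets]

if __name__ == "__main__":
    fw = StrictDhcpFilter(known_servers={"192.168.128.1"})
    fw.note_outbound_request()
    for pkt, verdict in zip(SAMPLE, compare(SAMPLE, fw)):
        print(pkt, verdict)
```

Under the weak rule the second packet passes silently, while the stricter exception confines the DHCP allowance to port 68 and to replies the host is actually waiting for.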
