[18332] in bugtraq
Re: Advisory:Multiple Vulnerabilities in ZoneAlarm
daemon@ATHENA.MIT.EDU (foobar@COTSE.COM)
Fri Dec 22 18:51:32 2000
Message-ID: <977506814.3a4391fe12daf@webmail.cotse.com>
Date: Fri, 22 Dec 2000 12:40:14 -0500
Reply-To: foobar@COTSE.COM
From: foobar@COTSE.COM
To: BUGTRAQ@SECURITYFOCUS.COM
> Comments in line with text.
Likewise
> >
> > Unfortunately, ZoneAlarm does not allow its users to maintain a true
> > understanding of their threat level and exposure. Attackers scanning a
> > system employing ZoneAlarm will go unnoticed when using the common Nmap
> > scan types ACK, FIN, Xmas, Window & Null. While these scans do not return
> > lists of open ports to the attacker, the ZoneAlarm user is not aware of
> > the probe or the possibility of attacks being directed against them.
>
> But the scans do not provide any information so where is the security issue?
> How is the typical home user at risk by not knowing that someone is scanning
> them and not receiving any replies?
Someone will find a use for this. Don't worry.
> > In addition, a window of opportunity exists during the boot process, which
> > allows a remote attacker access to shared resources available on the
> > ZoneAlarm protected device. If file sharing is enabled via Windows
>
> Did you actually test this? Granted, Internet connectivity is available at
> a small point before the Zone Alarm services start but there is a very small
> window to be exploited. Not only that, how do you suppose one detects when
> a Zone Alarm user reboots his machine? Plus, you would have literally
> seconds (on my machines anyways) to get at the registry. Plus, once Zone
> Alarm starts, the netbios connection will no longer function and you will
> not be able to finish any changes you have been making.
Tested on a Win98 PII full-time ethernet connection. About a 20 second delay.
Not acceptable. A new trojan can force a reboot and burrow in under that
window. "Real" firewalls will engage their engine before the NIC starts
communicating. Check against ICSA certification.
> >
> > According to the manufacturer, "More than 8 million PC users have
> > downloaded ZoneAlarm", making it a very popular target indeed. Zone Labs
> > has been advised of these vulnerabilities and no patch or work around has
> > been provided.
>
> I don't agree. The window of opportunity is 1.) Very small and 2.)
> Undetectable. The unreported port scans, while they do not give the user any
> warning or information, also do not give the attacker any information,
> so I do not see where the harm is.
Where there is a window there is a way.
Including the NT permission structure.
Very simple. It needs to be fixed.
And as the advisory states: Multiple Vulnerabilities in ZoneAlarm
>
> Regards;
>
> Steve Manzuik
> Moderator - Win2KSecAdvice
>
>