Summary:
ZoneAlarm is marketed as a personal firewall and threat detection/prevention tool. It is aimed at Windows home users with an always-on Internet connection over DSL or cable modem. Two weaknesses have been reported: ZoneAlarm does not alert the user to several common port scan types, and there is a short window of opportunity at system boot, before the firewall is active, in which a remote attacker can reach the host's shares and, where file sharing is exposed without access controls, gain complete access to the file system and disable ZoneAlarm.
Credit:
The information has been provided by The WolfPak.
Vulnerable systems:
ZoneAlarm 2.1.44
Details:
Attackers scanning a system protected by ZoneAlarm go unnoticed when using the common Nmap scan types ACK, FIN, Xmas, Window and Null. While these scan types do not return a list of open ports to the attacker, the ZoneAlarm user receives no indication that the probe occurred or that attacks may be directed at them. So although this gives the attacker no new information, it also does not alert the user that an attack is in progress.
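The scan types named above share one property: none of them starts with a SYN, so a firewall that only tracks connection attempts never sees a "connection". The classifier below is an added illustration (not code from Zone Labs, The WolfPak or ZoneAlarm) of how a detector would recognise each type from the raw TCP flags byte and flag a source that sweeps many ports with them. The packet records are constructed by hand; the state-table step (dropping packets that belong to an established connection) is assumed to have happened before they are fed in.

```python
"""Classify unsolicited TCP packets into the Nmap scan types named in the
report (ACK, FIN, Xmas, Window, Null) and flag sources that sweep many ports
with them.  Added illustration; not code from Zone Labs, The WolfPak or
ZoneAlarm.  Packet records are constructed, and every packet is assumed to be
unsolicited (no state-table lookup is performed here)."""

from dataclasses import dataclass
from typing import Dict, Iterable, Optional, Set

# TCP flag bits (RFC 793), as found in the flags byte of the header.
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20

# Scan types the report says ZoneAlarm 2.1.44 does not surface to the user.
SILENT_TYPES = {"null", "xmas", "fin", "ack"}


@dataclass(frozen=True)
class Packet:
    src: str        # source address
    dst_port: int   # destination port on the ZoneAlarm host
    flags: int      # raw TCP flags byte


def classify_probe(flags: int) -> Optional[str]:
    """Name the scan type a single unsolicited packet matches, or None.

    Window scans (nmap -sW) send exactly the same packet as ACK scans and are
    told apart only by reading the window field of the RST reply, so on the
    wire they are reported here as "ack"."""
    core = flags & (FIN | SYN | RST | PSH | ACK | URG)   # drop ECE/CWR bits
    if core == 0:
        return "null"                    # -sN: no flags set at all
    if core == FIN | PSH | URG:
        return "xmas"                    # -sX: FIN+PSH+URG
    if core == FIN:
        return "fin"                     # -sF
    if core == ACK:
        return "ack"                     # -sA and -sW
    if core & SYN and not core & ACK:
        return "syn"                     # plain connection attempt or -sS; not one of the silent types
    return None                          # SYN/ACK, RST, etc.: not a scan probe


def detect_silent_scans(packets: Iterable[Packet], min_ports: int = 5) -> Dict[str, Dict[str, int]]:
    """Group silent probes by source and scan type; report a source when any
    one type has touched at least min_ports distinct ports.  Returns
    source -> {scan_type: distinct_ports} for the offending types only."""
    seen: Dict[str, Dict[str, Set[int]]] = {}
    for p in packets:
        kind = classify_probe(p.flags)
        if kind in SILENT_TYPES:
            seen.setdefault(p.src, {}).setdefault(kind, set()).add(p.dst_port)
    findings: Dict[str, Dict[str, int]] = {}
    for src, by_type in seen.items():
        hits = {kind: len(ports) for kind, ports in by_type.items() if len(ports) >= min_ports}
        if hits:
            findings[src] = hits
    return findings


# Constructed sample traffic (not captured from a real host).
SAMPLE = (
    [Packet("10.0.0.9", port, 0) for port in (21, 22, 23, 25, 80, 139, 443)]               # -sN sweep
    + [Packet("10.0.0.9", port, FIN | PSH | URG) for port in (21, 22, 23, 25, 80, 139)]     # -sX sweep
    + [Packet("10.0.0.7", port, ACK) for port in range(135, 144)]                            # -sA / -sW sweep
    + [Packet("10.0.0.5", 80, SYN), Packet("10.0.0.5", 80, ACK)]                             # one ordinary connection
)

if __name__ == "__main__":
    for src, hits in detect_silent_scans(SAMPLE).items():
        print(src, hits)
```

The single ACK from 10.0.0.5 is classified as an ACK probe but never reported, because the per-type port threshold is what separates a scan from a stray packet; the "background noise" the vendor describes is exactly this low-count case, and the choice of threshold is where a product decides whether a sweep of 9 ports deserves an alert.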
In addition, a window of opportunity exists during the boot process, between the moment the host is reachable on the network and the moment the ZoneAlarm drivers are loaded, during which a remote attacker can reach shared resources on the ZoneAlarm-protected host.
If file sharing is enabled via Windows Networking and proper access controls (ACLs) are not applied, complete access to all shared resources can be obtained by simple NetBIOS drive mapping (tools such as Legion have demonstrated that this threat is real and practical). An attacker who reaches the ZoneAlarm install directory (C:\Program Files\Zone Labs\ZoneAlarm by default) through such an open share can disable ZoneAlarm by deleting or renaming either the executable or its associated DLL files.
On an NTFS partition, the entire install directory and all of its files are created with 'Everyone:Full Control' permissions. The registry key created by ZoneAlarm (HKLM\Software\Zone Labs) also has weak permissions, set to 'Everyone:Special Access' (which includes Set Value, Create Subkey and Delete). Users do receive a pop-up dialog asking for the location of the deleted or renamed file, but the message is ambiguous enough that most basic users will simply click CANCEL.
Once ZoneAlarm is disabled, the attacker has complete, unmitigated access to the file system: data may be removed, copied, modified, deleted or otherwise manipulated. From this point, normal remote code execution attacks can be used to further compromise the system.
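What makes the share exposure fatal is not the share itself but the rights 'Everyone' holds on the install directory and registry key once inside. The script below is an added illustration (not code from Zone Labs or The WolfPak) of the check an administrator would run: given the ACEs of an object, which of the rights that allow deleting, renaming or replacing the product's files (or rewriting its keys) does a principal actually hold. The ACEs are constructed to mirror the report rather than read from a live system (on a real host they come from Get-Acl, icacls or regedit), and ACL evaluation is simplified to "a matching deny ACE wins over a matching allow ACE", ignoring group membership and inheritance flags.

```python
"""Evaluate whether an NTFS directory ACL or a registry-key ACL lets a given
principal (here: Everyone) delete or rename a product's files or alter its
keys.  Added illustration; not code from Zone Labs or The WolfPak.  The ACEs
below are constructed to mirror the report, not read from a live system, and
evaluation is the simplified "deny beats allow" model (no group expansion, no
inheritance flags)."""

from typing import Dict, List, Tuple

# Access-mask constants from winnt.h (documented values).
DELETE               = 0x00010000   # standard right: delete the object itself
WRITE_DAC            = 0x00040000   # rewrite the ACL, i.e. grant oneself anything
WRITE_OWNER          = 0x00080000   # take ownership, then rewrite the ACL
FILE_WRITE_DATA      = 0x00000002   # on a directory: add files (drop a replacement DLL)
FILE_APPEND_DATA     = 0x00000004   # on a directory: add subdirectories
FILE_DELETE_CHILD    = 0x00000040   # delete/rename children regardless of their own ACL
FILE_GENERIC_READ    = 0x00120089
FILE_GENERIC_EXECUTE = 0x001200A0
FILE_ALL_ACCESS      = 0x001F01FF   # shown as "Full Control" in Explorer
KEY_SET_VALUE        = 0x00000002
KEY_CREATE_SUB_KEY   = 0x00000004
KEY_READ             = 0x00020019
KEY_ALL_ACCESS       = 0x000F003F

# Bits that amount to "can tamper with the product", per object type.
FILE_TAMPER_NAMES = {
    DELETE: "Delete", WRITE_DAC: "ChangePermissions", WRITE_OWNER: "TakeOwnership",
    FILE_WRITE_DATA: "CreateFiles", FILE_APPEND_DATA: "CreateDirectories",
    FILE_DELETE_CHILD: "DeleteSubdirectoriesAndFiles",
}
KEY_TAMPER_NAMES = {
    DELETE: "Delete", WRITE_DAC: "ChangePermissions", WRITE_OWNER: "TakeOwnership",
    KEY_SET_VALUE: "SetValue", KEY_CREATE_SUB_KEY: "CreateSubKey",
}

Ace = Tuple[str, str, int]   # ("allow" | "deny", principal, access mask)


def effective_mask(aces: List[Ace], principal: str) -> int:
    """Rights `principal` ends up with: union of its allow ACEs minus its deny ACEs."""
    allowed = denied = 0
    for kind, who, mask in aces:
        if who != principal:
            continue
        if kind == "deny":
            denied |= mask
        else:
            allowed |= mask
    return allowed & ~denied


def tamper_rights(aces: List[Ace], principal: str, names: Dict[int, str]) -> List[str]:
    """Names of the tamper-relevant rights `principal` holds; empty means the ACL is safe for it."""
    mask = effective_mask(aces, principal)
    return [name for bit, name in names.items() if mask & bit]


# Constructed ACLs.  The first two mirror the report; the last two are variants for comparison.
ZA_DIR_ACL: List[Ace] = [("allow", "Everyone", FILE_ALL_ACCESS),
                         ("allow", "BUILTIN\\Administrators", FILE_ALL_ACCESS)]
ZA_KEY_ACL: List[Ace] = [("allow", "Everyone", KEY_READ | KEY_SET_VALUE | KEY_CREATE_SUB_KEY | DELETE),
                         ("allow", "BUILTIN\\Administrators", KEY_ALL_ACCESS)]
HARDENED_DIR_ACL: List[Ace] = [("allow", "Everyone", FILE_GENERIC_READ | FILE_GENERIC_EXECUTE),
                               ("allow", "BUILTIN\\Administrators", FILE_ALL_ACCESS)]
# Denying only Delete is a half-measure: Full Control still carries WRITE_DAC and WRITE_OWNER.
HALF_FIXED_DIR_ACL: List[Ace] = [("deny", "Everyone", DELETE | FILE_DELETE_CHILD),
                                 ("allow", "Everyone", FILE_ALL_ACCESS)]

if __name__ == "__main__":
    for label, acl, names in [("install dir", ZA_DIR_ACL, FILE_TAMPER_NAMES),
                              ("registry key", ZA_KEY_ACL, KEY_TAMPER_NAMES),
                              ("hardened dir", HARDENED_DIR_ACL, FILE_TAMPER_NAMES),
                              ("half-fixed dir", HALF_FIXED_DIR_ACL, FILE_TAMPER_NAMES)]:
        print(f"{label}: Everyone holds {tamper_rights(acl, 'Everyone', names) or 'nothing harmful'}")
```

The half-fixed variant is the caveat worth remembering: removing Delete from an 'Everyone:Full Control' entry still leaves ChangePermissions, so the attacker simply re-grants Delete to themselves. The only safe shape for an untrusted principal on a security product's directory is read and execute (FILE_GENERIC_READ | FILE_GENERIC_EXECUTE), with write rights held by Administrators and SYSTEM alone; the same applies to the registry key, where Everyone should hold no more than KEY_READ.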
Vendor Response:
The following response was received from Zone Labs:
ZoneAlarm users can completely eliminate the scenario described by employing password protection on file shares and by limiting file sharing access.
ZoneAlarm 2.1.44 does in fact detect all Nmap scans mentioned in the report.
The scans are silently dropped by ZoneAlarm which operates in stealth mode by default. ZoneAlarm categorizes the mentioned Nmap scans as "Internet background noise", shielding the user from attacks while avoiding confusion due to false alerts. If a user wants to be alerted to portscanning, our ZoneAlarm Pro product allows for this by both alerting the user and logging the event.
The vulnerability described requires a number of factors all being present and coordinated on an already vulnerable operating system.
This mitigates the vulnerability and makes it very unlikely to ever be exploited. As of this time, no validated reports exist of this exploit being successful.
An Internet user is much more likely to be attacked by intentionally turning off the protection by his or her choice.
The following conditions must be present in order for the exploit to work:
1. The IP address of the target must be known and monitored (Dial up, PPPoE, and most DHCP users are not at risk).
The necessity of monitoring the user in itself sets the attacker up for detection, both by ZoneAlarm Pro and by other security products and devices.
2. TCP/IP must be bound to the Windows NetBIOS service.
3. File sharing must be enabled for the system resources.
This requires that the user deliberately enable file sharing for system files, and that the file sharing be set up with no security.
4. Limited window of opportunity.
The real window of opportunity is between the time the computer is on the net and the time the drivers are loaded. During these seconds of boot time, the CPU of the computer is very busy; even if all the above prerequisites are met, it is not evident that the attacker could be successful.
ZoneAlarm is a consumer product designed to be easy to install and use. For consumers trying a free product, it is especially important that we provide out-of-the-box security that does not compromise your Internet connection or become impossible to remove from the computer. At Zone Labs, we believe we have struck the best balance between effective out-of-the-box security and ease of use.