I thought this would be nice to show all the people who have Zonealarm and think they are the shizzzznit because they have it Trojans can block ZoneAlarm by setting a Mutex in memory

ZoneAlarm and ZoneAlarm Pro can be stopped from loading by creating a memory-resident Mutex (using a call to the CreateMutex API). Uninstalling\reinstalling ZoneAlarm in a different path has no effect.
The impact of this vulnerability is that a Trojan running on a victim's machine can prevent ZoneAlarm from loading, and thus leave the victim open for attack.

Exploit:
A Trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple call to the CreateMutex API (see msdn.microsoft.com for more information on Mutexes). ZoneAlarm and ZoneAlarm Pro are then prevented from loading as long as the Trojan is alive. If ZoneAlarm is running, all the Trojan has to do is terminate the processes of zonealarm.exe, vsmon.exe and minilog.exe first before creating the Mutex. Despite being services, vsmon.exe and minilog.exe can both be killed by any program by setting its local process token privileges to SeDebugPrivilege, giving it the power to kill any process/service.

A harmless, simple, working executable to demonstrate the vulnerability, is available at:
http://www.diamondcs.com.au/alerts/zonemutx.exe (16kb).
While the demo program is running, you will not be able to load ZoneAlarm or ZoneAlarm Pro, and if it finds that ZoneAlarm\ZoneAlarm Pro is running, it will terminate the ZoneAlarm processes and services first using SeDebugPrivilege before stealing the ZoneAlarm Mutex. The demo also opens an echo server socket to listen on TCP 7, allowing you to test socket connectivity/data transfer (try telnetting to 127.0.0.1 on port 7 and saying hello).

exploit 2
This Firewall has been found to contain a serious security hole that would allow a remote attacker to TCP and UDP scan the entire host's port range without detection. This is done by specifying a special port number in the source port part of the TCP or UDP packet.


Immune systems:
ZoneAlarm version 2.6 and up

If one uses port 67 as the source ports of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.

Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).

TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 specifies source port).
contains a feature called MailSafe. This is an email attachment protection for the home and cooperate users, which automatically renames dangerous extensions to a harmless one (.zl*). A security vulnerability in the product allows attackers to bypass this protection by attaching a file with a very long name.Vulnerable systems:
ZoneAlarm Pro version 2.6.84 and prior

MailSafe is a feature of ZoneAlarm Pro. MailSafe identifies potentially harmful files (for example: *.exe, *.com, *.reg, *.vbs or others that can be added in the configuration screen) in e-mail attachments and renames their extension to *.zl* in addition to showing an alarm box to inform the user about this.

The problem with this feature is that it does not work with long file names, for example:
<<zonetestzonetestzonetestzonetestzonetestzonetestzonetest zonetestzonetestzonetestzonetestzonetestzonetestzonetest zonetestzonetestzonetestzonetestzonetestzonetestzonetest zonetestzonetestzonetestzonetestzonetestzonetestzonetestzonetest.com>> (the same goes for other file types as .exe .reg or .vbs)
You think your safe with zonealarm think again hahahaahahahahahahahaha



zonealarm pro exploit