Zone Alarm Vulnerability

Thread: Zone Alarm Vulnerability

  1. #1
    Senior Member
    Join Date
    Aug 2002
    Posts
    651

    Zone Alarm Vulnerability

    I got this off of Bugtraq yesterday and thought it may be of interest to you guys since I saw a few Zone Alarm posts here. Personally, I don't use it, but that doesn't mean you all wouldn't benefit from it. Happy reading!

    ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

    As contributed to HNS by Abraham Lincoln <sunninja@scientist.com>

    NSSI Technologies Inc Research Labs Security Advisory

    http://www.nssolution.com (Philippines / .ph)

    "Maximum e-security"

    http://nssilabs.nssolution.com

    ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

    Author: Abraham Lincoln Hao / SunNinja

    e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

    Advisory Code: NSSI-2002-zonealarm3

    Tested: Under Win2k Advanced Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional / WinNT 4.0 workstation

    Vendor Status: Zone Labs was contacted 1 month ago and they informed me that they are going to release an update or new version to patch the problem. This vulnerability is confirmed by the vendor.

    Vendors website: http://www.zonelabs.com

    Severity: High

    Overview:

    New ZoneAlarm® Pro delivers twice the security - Zone Labs' award-winning personal firewall trusted by millions, plus advanced privacy features. The award-winning PC firewall that blocks intrusion attempts and protects against Internet-borne threats like worms, Trojan horses, and spyware.

    ZoneAlarm Pro 3.1 and 3.0 doubles your protection with enhanced Ad Blocking and expanded Cookie Control to speed up your Internet experience and stop Web site spying. Get protected. Compatible with Microsoft® Windows® 98/Me/NT/2000 and XP.

    ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that would let an attacker consume all your CPU and memory, resulting in a Denial of Service, by sending multiple SYN packets (SYN flooding).

    Details:

    Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that would let an attacker consume all your CPU and memory, resulting in a Denial of Service through SYN flooding that causes the machine to stop responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 are also vulnerable to IP spoofing. These vulnerabilities are confirmed by the vendor.

    Test diagram:

    [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch]===> [Host with ZoneAlarm]

    1] Tested under a default install of the 2 versions: after sending a minimum of 300 SYN packets to ports 1-1024, the machine hangs until the attack stops.

    2] We configured both versions of the ZoneAlarm firewall to the BLOCK ALL traffic setting: after sending a minimum of 300 SYN packets to ports 1-1024, the machine hangs until the attack stops.

    Workaround:

    Disable ZoneAlarm, harden the TCP/IP stack of your Windows machine and install the latest security patch.

    Note: People who are having problems reproducing the vulnerability, let me know.

    Any questions, suggestions or comments? Let us know.

    e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com
    Opinions are like holes - everybody's got'em.

    Smile
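
Added example, not part of the original post or the advisory: a detection check for the traffic pattern the advisory describes (at least 300 SYN packets to ports 1-1024), counted per destination because the advisory notes that sources can be spoofed. The log line format, the 10-second window and the sample addresses are assumptions.

```python
from collections import defaultdict, deque

SYN_THRESHOLD = 300           # advisory: "minimum of 300 Syn Packets"
PORT_RANGE = range(1, 1025)   # advisory: ports 1-1024
WINDOW_SECONDS = 10.0         # assumption: the advisory gives no time window

def parse(line):
    """Parse 'epoch src dst dport flags' (constructed log format)."""
    ts, src, dst, dport, flags = line.split()
    return float(ts), src, dst, int(dport), flags

def detect_syn_flood(lines, threshold=SYN_THRESHOLD, window=WINDOW_SECONDS):
    """Alert once per destination whose bare-SYN count to ports 1-1024
    reaches `threshold` inside a sliding `window` of seconds.
    Keyed on destination: spoofed sources defeat per-source counting."""
    recent = defaultdict(deque)   # dst -> deque of (ts, src, dport)
    alerts = {}
    for line in lines:
        ts, src, dst, dport, flags = parse(line)
        if flags != "S" or dport not in PORT_RANGE:
            continue              # ignore ACK/SYN-ACK and high ports
        q = recent[dst]
        q.append((ts, src, dport))
        while q and ts - q[0][0] > window:
            q.popleft()           # drop SYNs older than the window
        if len(q) >= threshold and dst not in alerts:
            alerts[dst] = {
                "first_seen": q[0][0],
                "alert_at": ts,
                "syn_count": len(q),
                "distinct_sources": len({s for _, s, _ in q}),
                "distinct_ports": len({p for _, _, p in q}),
            }
    return alerts

def constructed_sample():
    """Constructed traffic: 320 SYNs with varying source addresses aimed at
    192.0.2.10 within about 3 s, plus ordinary traffic to 192.0.2.20."""
    lines = []
    for i in range(320):
        src = f"198.51.100.{i % 250 + 1}"
        lines.append(f"{1000 + i * 0.01:.2f} {src} 192.0.2.10 {i % 1024 + 1} S")
    for i in range(20):
        lines.append(f"{1000 + i:.2f} 203.0.113.5 192.0.2.20 80 S")
        lines.append(f"{1000 + i + 0.1:.2f} 203.0.113.5 192.0.2.20 80 A")
    return sorted(lines, key=lambda l: float(l.split()[0]))

if __name__ == "__main__":
    for dst, info in detect_syn_flood(constructed_sample()).items():
        print(dst, info)
```

A high `distinct_sources` count alongside the alert is consistent with spoofed source addresses, which is why blocking by source address alone does not help here.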

  2. #2
    Senior Member tampabay420's Avatar
    Join Date
    Aug 2002
    Posts
    953
    How old is this?

    Here is a link to the proof of concept >> http://packetstormsecurity.nl/adviso...ealarm.dos.txt

    Hope this helps. Find em' / Patch em'

    EDIT >> [This was taken from the .txt file linked above...]

    1] Tested under a default install of the 2 versions: after sending a minimum of 300 SYN packets to ports 1-1024, the machine hangs until the attack stops.

    2] We configured both versions of the ZoneAlarm firewall to the BLOCK ALL traffic setting: after sending a minimum of 300 SYN packets to ports 1-1024, the machine hangs until the attack stops.
    yeah, I'm gonna need that by friday...

  3. #3
    Senior Member
    Join Date
    Apr 2002
    Posts
    1,050
    That's why I always said Outpost is better. To people using ZoneAlarm I say: download Outpost firewall.

    Get it here: www.agnitum.com

    Nice article t2k2, it's more info like this that should be posted.
    By the sacred **** of the sacred psychedelic tibetan yeti ....We'll smoke the chinese out
    The 20th century pharaohs have the slaves demanding work
    http://muaythaiscotland.com/
