Zonealarm security ahhahaahaha

Printable View

February 9th, 2002, 10:56 PM
I am a cracker

I hacked Zonealarm security ahhahaahaha

Everyone knows the best way to find out how secure your computer is to Hack Your Own Sytem. This is the best way of making sure that your system is safe. Everytime I read about a promblem in a hacker ezine or some where on the web, I made sure that I understood how the exploit works and make sure that it doesn't work on any of the hosts on my LAN. I like to keep a data-base of exploits. Yesterday I decide to download "zonealarm" FROMwww.zonealarm.com I already have "nortons internet security 2002" I just wanted to see how hard it would be to exploit zonealarm let me tell you it's not that hard to do all I did to gain REMOTE ACCESS to my computer was I used a system backdoor attack to bind a shell to a higher port installed code that allows my commands to be "tunnelled" through my firewall using source routed packets and ICMP COMMANDS. TOTAL TIME ABOUT 11 MINUTES ... The best part was trying to erase zonealarm It seems that ZA comes with two spy dlls that according to the their manufacturer. I found these two: C:WINDOWSSYSTEMVSMONAPI.DLL C:WINDOWSSYSTEMVSUTIL.DLL Had been left on my system after uninstalling ZA. It seems that myystem configuration and maybe the activity is logged to the file Iamdb.rbd, then transmitted. (not 100% sure though)
February 9th, 2002, 11:35 PM
Berry Nehagen

try hack sygate pro 5.0;-) it's a bit better that ZA pro, ZA pro is a PR gimmic as well as norton, the live on their brand no on the product.
February 9th, 2002, 11:43 PM
I am a cracker

try to hack sygate pro 5.0? hey I'll try it no promblem i'll let you know how it goes
February 9th, 2002, 11:59 PM
the_g_nee

I used to rely on Norton personal firewall. One day however I downloaded a lil prog that automatically connects to an atomic clock when you sign on and adjusts the puters clock accordingly. This of course should have given me an alert from the firewall, it never did though. :( I dont know why this is, as I had the non automatic rule creation enabled, so I should have been asked if it were ok for the prog to access the net.

I'm trying out a few new firewalls at the mo.

:)
February 10th, 2002, 12:21 AM
ac1dsp3ctrum

I have ZoneAlarm..... I blocked all access to all ports and the server can only respond to the port that the request came from.... :)
February 10th, 2002, 01:46 AM
Berry Nehagen

i tried the outpost firewall as well but is was a bit fishi, is is a open source wall but, well it looks to mutch like norton for me to trust it. sygate havent failed me yet and it dosent mess with the entire system like some firewalls
February 10th, 2002, 01:47 AM
gold eagle

I run both of those and am shopping for others. ZA isn't strong and I'll likely get rid of it eventually but you can blcok everything as ac1dsp3trum said.
February 10th, 2002, 01:54 AM
Terr

Of the free firewall offerings...

My first: Tiny Personal Firewall. (Not sure how their recent acquisition will change this)
Close second: Sygate Personal Firewall. (Just stopped being freeware?)
February 10th, 2002, 01:55 AM
Berry Nehagen

ok. i talked to someone i this furom that had tested the outbound utility with sygate and he ran some stuff on his box to. sygate 5.0 had a high painlevel.

i tried to test outbound on outpost but i run Windoze Xtra Price and the adapters i XP is not standars, macaffe firewall cant run wither on xp to my expirience.
February 10th, 2002, 01:58 AM
Berry Nehagen

yes i tried tiny, was inpressed by it alerting med that XP is sending a signal on port 67 on start up and givving med the coice to block this but i dident find a rulset that was got on my lan to cable modem to NAT, we got an sniffer on the net and ZA is to esay and he aparently gotten by my isp's soho firebox 2?
February 10th, 2002, 02:43 AM
Midridth

Question: I am using Norton Internet Security Family Edition's firewall but on this post I hear a few negative things about it all. If I was to dump Norton what would you sujjest I use?
February 10th, 2002, 02:45 AM
uraloony

Try reading my review of personal firewall that is in the 1st AO newletter. Hope it helps! :)
February 10th, 2002, 02:52 AM
I am a cracker

I thinking about throwing "Norton's Internet Security 2002" away and getting sonicWALL or Mcafee firewall
February 10th, 2002, 03:26 AM
Berry Nehagen

looking at the page... procesing.. (slow cpu).

Yes i think you shoud throw away norton. norton was great when i had a 486 and i was on one disk and you manualy editet the deletet files, ahhh those ware the days.

But after a time until win2k came out norton was super but now? there is to many copies and lets face it norton hasent got more pressure than microsoft on it's back.

symatech is the king of system utilitys. Noton dosent need to develop their system to manage.
there is macaffe and nuts & bults etc, but there not a big of a name.

Ever tried to install norton 2001 on XP? if you did there is a chans that you needed to re install the os. the same goes for 2002, on some configuration i work and on some it dosent.

the NAV gets an script error when installing and dosent clean upp, norton say it a ie 6.0 bugg but it's XP and microsoft says that Norton systemworks/antivirus isant compatebole ( sorry for bad english, im dysletic and swedish) and not certified for XP's file system(??).

so for a firewall och system stability i dont give a cent for norton, not while running XP and i dont like that it screws upp the system.

klients have called back after 4 days and after a short talk they say -"yes. i installed norton i own it, it's a good program suite, but i dident se the os complaning".

I rekomend to my clients panda antivirus titanium, sygate och tiny, and that thay dont mess with the system (i password the bios etc)
February 11th, 2002, 10:43 PM
CyberSpyder

many flaws

I found out that zone alarm has many flaws. It really is a not to hard hack. :(
February 11th, 2002, 11:35 PM
iNViCTuS

Re: I hacked Zonealarm security ahhahaahaha

Quote:

Originally posted by I am a cracker
Everyone knows the best way to find out how secure your computer is to Hack Your Own Sytem. This is the best way of making sure that your system is safe. Everytime I read about a promblem in a hacker ezine or some where on the web, I made sure that I understood how the exploit works and make sure that it doesn't work on any of the hosts on my LAN. I like to keep a data-base of exploits. Yesterday I decide to download "zonealarm" FROMwww.zonealarm.com I already have "nortons internet security 2002" I just wanted to see how hard it would be to exploit zonealarm let me tell you it's not that hard to do all I did to gain REMOTE ACCESS to my computer was I used a system backdoor attack to bind a shell to a higher port installed code that allows my commands to be "tunnelled" through my firewall using source routed packets and ICMP COMMANDS. TOTAL TIME ABOUT 11 MINUTES ... The best part was trying to erase zonealarm It seems that ZA comes with two spy dlls that according to the their manufacturer. I found these two: C:WINDOWSSYSTEMVSMONAPI.DLL C:WINDOWSSYSTEMVSUTIL.DLL Had been left on my system after uninstalling ZA. It seems that myystem configuration and maybe the activity is logged to the file Iamdb.rbd, then transmitted. (not 100% sure though)

Please give some more details about how you "hacked" this system. It sounds to me like what you are saying is you installed a trojan on the system or something to bind a shell to a high port which you could then connect to from a remote machine. If this is the case, I don't know if I would call that a "hack"...

You have used alot of 'fancy' terms, but I would like to see some proof that this would actually work. So, I guess what I am looking for is more detailed information. Be specific...

I am also not sure how IP source routing or any ICMP commands would help you in this scenario. :confused:
February 11th, 2002, 11:45 PM
I am a cracker

Invictus

I don't know if I would call that a "hack"...! I would call it a hack if I can get into my own system and not to mention the 2,300,000 other people who have Zonealarm. If you don't think it works download Zonealarm and try it on yourself you will surprised with the results.
February 11th, 2002, 11:48 PM
akanicknick

I kind of agree with everyone,
but I don't like to take chances when it comes to my comp,
I run ZoneAlarmPRO, BlackICE defender, and Sygate Personal Firewall.
While running these (3) simultaneously I have never had any attack on my system get through, (to my knowledge). :)

Is this a good idea all? Just wondering about your opinions on this^^.
February 11th, 2002, 11:50 PM
akanicknick

I agree with Invictus too,
i am a cracker, it sounds like you are being extremely vague with what you are saying, again would you please be more specific.
February 11th, 2002, 11:50 PM
KorpDeath

As I've said before....If you want to be safe, the last thing you do is put on 2 rubbers. Know what i mean?

There are single products that do the job, Sygate, NeoWatch, I'm sure there are others but I've only heard convincing arguments for those two so far.
February 11th, 2002, 11:54 PM
iNViCTuS

Like I said in the previous post....please give more details about the attack so those of us who want to try it can. Just do a quick step-by-step that would get us all on the same page.

And no!! If you plant a backdoor on your own system...that is NOT a hack. I could install BO2K or Sub7 or any lame trojan, on my system and break into it and call it a hack. But $hit...if I really wanted to get into my own system (that I have admin access to) I would just create a user account. What did you do, send yourself an email and double click server.exe?

I am very skeptical until I see some proof, or you give me enough information to recreate the attack.

Don't get me wrong...I am not saying you are a lying...just the way you explained things here are not very good. The few brief steps you mentioned don't add up if you ask me (maybe because you need to explain ;))
February 12th, 2002, 01:38 AM
Chippunk

i've had a few problems with tiny and now i am using sygate
February 12th, 2002, 02:22 AM
FullySaturate

Well I have ZA and I have not had to many problems, its not the best firewall but it is good for a lockdown even though others offer that same option. I did run black ice but it just tells you if someone accesses a port on your system but I don’t think it blocks it, please tell me if I’m wrong. If someone would like to test the strength of ZA let me know and we can set up a time where I will be running it on one of my computers and you can attempt access.
February 12th, 2002, 02:35 AM
I am a cracker

THIS IS HOW I DID IT!

how to open arbitrary ports against a client

*Send a HTML email to an HTML - enabled mail reader containing the tag <img src="Anywhere u want.com/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa {Lots of A} aaaPORT 1,2,3,4,25,79,80,110, etc...> I also conceivably plant a web page somewhere on a server containing this link.

*I made sure I balanced the number of A so that the PORT command will begin on a new packet boundary. This may also be done by having the server use a low TCP MSS to decrease the number of A's that one has to add.

*The firewall in question will incorrectly parse the resulting RETR/aaaaaaaaaaaaaaaaaaaaaaaa[....] aaaaaaaaPORT 1,2,3,4,25,79,80,110 etc as first a RETR command then a PORT command and open port 139 <--fro example against your address.

*Now the server Anywhere u want.com can connect to the client on port 139 (it can be any port)

(You have to know the IP address of the client in order to fool the firewall into opening the port.)

THE JAVASCRIPT code below works on MSIE

vartool=java.awt.toolkit.gettoolkit ( );
addr=java.net.InetAddress.getLocalHost ( );
ip=addr.getHostAddress ( );

This will work in a browser.

The firewall sees this as 2 seperate commands:

RETR aaaaaaaaaaaaaaaaetc...
PORT 1,2,3,4,25 ETC

This works on implemented proxies are vulnerable aswell

There is a lot more detail than I put on here!

And the reason people do not know about this because the company suffered damage and are embarrassed to make the breach public
February 12th, 2002, 04:31 PM
iNViCTuS

Ok....where do I begin with this one...lol

*point #1: Even if this would work, you are still dependant on a user on the other end to open the email and the browser would have to be HTML based. Ok...not that hard

*point #2: So exactly how many A's does it take. Also, what would happen if you use B's instead. If it looks to the firewall like to separate requests, why would you not just send the PORT command on the first packet? Actually...let me answer that one, it is because the PORT command is used in FTP, not HTTP.

*Point #3: Again, even if this did work, the firewall would not inspect the contents of the packet beyond the TCP header anyway. Therefore it would not care about the size of the packet or how many A's it contained. what you are trying to explain here is a buffer overflow I believe, and this is not an attack against a firewall. Even if an application or service was vulnerable to a buffer overflow, it would not be the firewall's fault. So how can you say it is ZoneAlarm that has the problem?

*point #4: "You have to know the IP address of the client in order to fool the firewall into opening the port."
That is interesting...the firewall has nothing to do with opening port. The application or service would open a port. The firewall just has rules which tells the firewall which ports to leave open. ZA cannot dynamically allocate ports, unless the port is left open by the admin. AGAIN..not ZA's fault if this even was the case.

*point #5: A proxy server cannot proxy netbios through port 139 without some type of socket, so no...this will not work with a proxy server either.

*point #6: In your first post you said that it was done with SOURCE ROUTING and ICMP COMMANDS. Neither of which you mentioned here, nor did they make any sense in the first place.

Would you like me to go on?

This was enough evidence to for me to believe you are full of $hit
February 12th, 2002, 10:50 PM
iNViCTuS

What happened Cracker....where did you go?

I was just beginning to have some fun
February 12th, 2002, 10:53 PM
KorpDeath

I've been laughing for hours.

Yoooooohooooooo. Wait!!! He's probably thinkin' up a really witty rejoinder........
February 13th, 2002, 12:32 PM
Ennis

Maybe take a peek at this...

Quote:

ZoneAlarm and ZoneAlarm Pro can be stopped from loading by creating a memory-resident Mutex (using a call to the CreateMutex API). Uninstalling\reinstalling ZoneAlarm in a different path has no effect.
The impact of this vulnerability is that a Trojan running on a victim's machine can prevent ZoneAlarm from loading, and thus leave the victim open for attack.

Zone Labs "ZoneAlarm" and "ZoneAlarm Pro" programs both use a Mutex - an event synchronization memory object - to determine if it has already loaded (to prevent loading a second instance of the firewall).
By design, ZoneAlarm\ZoneAlarm Pro has no way of determining which program actually set the Mutex, thus allowing a Trojan to use the Mutex and block both ZoneAlarm and ZoneAlarm Pro from loading.

Exploit:
A Trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple call to the CreateMutex API (see msdn.microsoft.com for more information on Mutexes). ZoneAlarm and ZoneAlarm Pro are then prevented from loading as long as the Trojan is alive. If ZoneAlarm is running, all the Trojan has to do is terminate the processes of zonealarm.exe, vsmon.exe and minilog.exe first before creating the Mutex. Despite being services, vsmon.exe and minilog.exe can both be killed by any program by setting its local process token privileges to SeDebugPrivilege, giving it the power to kill any process/service.

Demonstration:
A harmless, simple, working executable to demonstrate the vulnerability, is available at:
http://www.diamondcs.com.au/alerts/zonemutx.exe (16kb).
While the demo program is running, you will not be able to load ZoneAlarm or ZoneAlarm Pro, and if it finds that ZoneAlarm\ZoneAlarm Pro is running, it will terminate the ZoneAlarm processes and services first using SeDebugPrivilege before stealing the ZoneAlarm Mutex. The demo also opens an echo server socket to listen on TCP 7, allowing you to test socket connectivity/data transfer (try telnetting to 127.0.0.1 on port 7 and saying hello).

Quote:

it's a "resource hog"...running both BlackICE & NeoWatch together take less resources than running one ZoneAlarm
February 13th, 2002, 01:04 PM
pvck

Can anyone reccomend a url to a source I can point users to that outlines the specific issues with ZoneAlarm? I have some fairly technical people to convince of this, so details are good too.

Thnx,
--pvck
February 13th, 2002, 02:02 PM
iNViCTuS

Very nice Ennis....now that is what I call a good explanation of a vulnerability/exploit. Although it is still trojan based...it at least has a concept that could work.

Hey...Cracker....maybe you should go to this link and learn about a real exploit so you know what one is next time, instead of making up some BS story about how you "hacked" your system in 11 mins that nobody believes.... :o
February 18th, 2002, 04:36 AM
CyberSpyder

ha

At first I thought ZoneAlarm was good. Ha. I laugh at that idea.
February 18th, 2002, 04:44 AM
BERBURT

what is the best firewall to posess
February 23rd, 2002, 05:15 AM
k41d3r07h

haha, nice..
I always love seing the result of ignorance....that was awesome invictus,
the way you explained your points is how he should be explaining his hacks,
simple intelligible words that are
-to the point
-not a bunch of crap

thanks for the laugh...I needed it :)
February 23rd, 2002, 07:49 AM
I am a cracker

What the hell, I try to do something nice for the site and members and thats the thanks I get Some a-hole is clamming I am lying well If you don't believe me try it out for yourself you might be in a shock... This is security site right? Well I am just trying to do my part I don't give missleading information check every thread I wrote and replyed to IT'S NOT B.S it's helping people out when they need it... And that person who keeps Pm me you know who you are! Why do you guys keep assumeing that users on this site are stupid! Most users are smarter than your assumptions!
February 23rd, 2002, 02:16 PM
Matty_Cross

How about you answer iNViCTuS then? I mean, your saying this works.. but you haven't answered all the points that iNViCTuS has raised....

But I think its safe to draw, from the few points that iNViCTuS raised, that your full of ****...

If you wanna help the site and its users... Post something intelligent, not crap like this... Don't waste the experienced members time with your crap, and don't give the new users, who are here to learn, incorrect information which will do nothing but hinder their learning...
February 23rd, 2002, 02:35 PM
gold eagle

iNViCTuS you got him cold. hahha. Fianlly returned to this thread and read all the posts.

:-)