Results 1 to 10 of 10

Thread: ZoneAlarm Vulnerability

  1. #1
    Member
    Join Date
    Sep 2001
    Posts
    77

    ZoneAlarm Vulnerability

    Just saw a note in bugtraq that suggests a vulnerability in Zone Alarm, as I don't run ZA but some of my clients do, I was wondering if some of the board readers who do use ZA might test this.

    "ZoneAlarm Pro is firewall for Windows home-users.

    The following was tested with ZoneAlarm Pro latest version: 2.6.357

    I`m not sure if it also works with the free version but I can't imagine
    why it wouldn't.

    Similair to Internet Explorer ZoneAlarm Pro (ZAP) has security settings
    for Local and Internet.

    However ZAP in certain cases classifies connections as Local when they
    really aren't Local. All connections that have the same 2 octets as your
    IP (ex. Your ip 123.123.123.123 -> 123.123.*.*) are also considered
    Local.

    This means everyone on with the same two first octet's of your IP can
    connect to your computer under local level security settings instead of
    the internet level security settings.

    With default settings this will expose your computer and all it's ports
    plus opening and allow access to windows services and shares. Users to
    customize local level security to allow (and block) whatever they want.

    How did I discover this?

    I installed a webserver and asked some friends to view some pages but
    they weren't able to connect. Zone Alarm Pro blocked the http port I
    found out. But this surprised me since I viewed my http.acces and
    http.error logife before I enabeled port 80 in ZAP and already had a lot
    of requests from servers infected with nimba. After looking at the IP's
    the first two octets were all the same.. the same as mine.

    Philip Wagenaar
    The Netherlands
    philip@netlogics.nl"

    cheers
    I\'m not a BOT I\'m a beer droid!
    Prepare to be Assimilated.

  2. #2
    Hi mom!
    Join Date
    Aug 2001
    Posts
    1,103
    That would be pretty lame... I have a hard time believing... I'm not some ip-wizz, but doesn't that mean that, if you're on a LAN, for example, everyone can come through? (subnetmaks 255.255.255.0 and even 255.255.0.0) ... You'd say that a bug like that would be discovered the minute the first user uses the program.... or didn't I understand the bug correctly? You could set up a firewall, but all users of your isp could still get in...

  3. #3
    Junior Member
    Join Date
    Oct 2001
    Posts
    27
    I'm not sure I see why this is a vulnerability. Think about it, ZA has configurable settings for the Local zone "High" "Medium" and "Low". Each setting has bullets describing level of protection provided, so it shouldn't be any surprise. So, in a nutshell........ If you're worried about all of that, set it to "HIGH"!

    If the Class B network thing is an issue, then the company or individual has to do some serious work on protecting their network. If you're allowing unsolicited traffic from an entire class B network that you DON'T own into your network, you deserve whatever is coming to you.

    Sorry if I didn't explain it very thoroughly, but I didn't want to take up the whole thread. If there's anything I can clear up, let me know.................
    Pr3shuR
    ----------
    always

  4. #4
    Member
    Join Date
    Sep 2001
    Posts
    77
    The reason I was asking is because I don't have ZA set up, so I'm not sure if this works this way or not. I do know a lot of my clients would have a very confused look on their faces if you asked if they used a class b or other class of IP address

    The info in quotes in my first post was the posting from bugtraq, sorry, probably didn't make that clear. If anyone can confirm this for me, I would appreciate it.

    cheers
    I\'m not a BOT I\'m a beer droid!
    Prepare to be Assimilated.

  5. #5
    Junior Member
    Join Date
    Oct 2001
    Posts
    27
    obi, I wasn't getting on you bro, I just get frustrated with the way the word "vulnerability" is thrown around these days. People are so quick to point the finger at weaknesses in products, but so slow to take ANY responsiblity for what's going on behind THEIR network.

    Just releasing some Pr3shuR..................
    Pr3shuR
    ----------
    always

  6. #6
    Senior Member
    Join Date
    Sep 2001
    Posts
    800
    Interesting. I will try this at work within the next few days. I run ZA 2.6.231 and the 2.6.357 and tell you how it works.
    [gloworange]\"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work.\" [/gloworange]

  7. #7
    Member
    Join Date
    Sep 2001
    Posts
    77
    Thanks Casper, look forward to hearing your results, may have a reason to go visit all those clients again

    And I know Pr3shuR, was just trying to clarify my post.

    cheers
    I\'m not a BOT I\'m a beer droid!
    Prepare to be Assimilated.

  8. #8
    Junior Member
    Join Date
    Sep 2001
    Posts
    4

    Unhappy obi is right

    I would advice people to stop using all firewalls though as once a firewall is studyed by the right person , holes that people never knew about could be discovered, i personally dont use i firewall, i make sure not to run any services.
    ~KEMA~

  9. #9

    Re: obi is right

    Originally posted by kema
    I would advice people to stop using all firewalls though as once a firewall is studyed by the right person , holes that people never knew about could be discovered, i personally dont use i firewall, i make sure not to run any services.

    This is crazy talk! Stop using firewalls because people who study them will find holes?


    Of course people will get around them and find the odd hole or two....but thats what "patches" are for. Ever heard of a patch? Micro$oft has been using 'em for years!

  10. #10
    Senior Member
    Join Date
    Sep 2001
    Posts
    800
    Alright. I tried running a test.
    I have a DHCP service running with ip range of 10.0.0.2-10.0.0.254. I hooked up a laptop with Win95 and had a static IP of 10.0.10.244 to test it. The machine I used with the scanner was on 10.0.0.3 and running Win 2000. Both machines were running ZA 2.6.231. I used NetScan tools to do a scan of the IP number, port scan, name server lookup. It still would not see the other computer no matter what I tried. I also tried to disable ZA on the Win2000 machine. But still no luck.
    I also tried using the laptop to try and ping, telnet, and ftp to get into the 2000 machine, but to no avail. I have ZA, on the both, set up to only use the Ip range of 10.0.0.1-10.0.0.255.
    If anyone else wants test this and see what there results are compared to mine I'm open for comments.

    If you have no firewalls then your computer would be even a bigger target then a computer that has a firewall with a a small hole. Like Conf1rm3d_K1ll said you can patch up holes.
    [gloworange]\"A hacker is someone who has a passion for technology, someone who is possessed by a desire to figure out how things work.\" [/gloworange]

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •