COMMAND

    ZoneAlarm

SYSTEMS AFFECTED

    ZoneAlarm 2.1.44

PROBLEM

    The following is based on a WolfPak advisory.  ZoneAlarm does not
    alert its user to several common types of Nmap scan.  It is also
    possible for a remote attacker, under certain circumstances, to
    gain complete access to the file system and to disable ZoneAlarm.

    ZoneAlarm is marketed as a personal firewall and threat
    detection/prevention tool.  It is aimed at the Windows home user
    with an always-on Internet connection over DSL or cable modem.

    Unfortunately, ZoneAlarm does not give its users an accurate picture
    of their threat level and exposure.  An attacker scanning a system
    that runs ZoneAlarm goes unnoticed when using the common Nmap scan
    types ACK (-sA), FIN (-sF), Xmas (-sX), Window (-sW) and Null (-sN).
    These probes never complete a TCP handshake and do not hand the
    attacker a list of open ports, but the ZoneAlarm user is never told
    about the probe or warned that attacks may be directed against them.
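    As an added example, not part of the original advisory and not
    ZoneAlarm's own logic, the following Python script shows what it
    takes to notice these probes on a host: it reads tcpdump-style
    lines (the capture below is constructed for the example, not a
    real trace), decodes tcpdump's TCP flag letters, matches the exact
    flag sets Nmap sends for each scan type named above, and reports a
    source that sprays the same probe type across several ports.  The
    input format, the function names and the three-port threshold are
    assumptions made for this example.

```python
import re
from collections import defaultdict

# TCP flag bits (RFC 793; ECE and CWR added by RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20, 0x40, 0x80

# Exact flag sets Nmap puts on the wire for the scan types named above.
# -sA (ACK) and -sW (Window) both send a bare ACK; Window scan differs only
# in how Nmap reads the window field of the RST that comes back, so a
# sensor cannot tell the two apart.
STEALTH_SIGNATURES = {
    0: "Null scan",                # -sN: no flag bits at all
    FIN: "FIN scan",               # -sF
    FIN | PSH | URG: "Xmas scan",  # -sX
    ACK: "ACK/Window scan",        # -sA / -sW
}

# tcpdump's flag letters: '.' stands for ACK, 'none' for no bits set.
_TCPDUMP_FLAGS = {"F": FIN, "S": SYN, "R": RST, "P": PSH,
                  ".": ACK, "U": URG, "E": ECE, "W": CWR}
# Assumed input format: 'tcpdump -n' lines such as
#   10:00:01.000001 IP 198.51.100.7.41000 > 192.0.2.10.139: Flags [F], ...
_LINE_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+): Flags \[([^\]]*)\]")


def flags_from_tcpdump(letters):
    """Turn the letters inside tcpdump's 'Flags [...]' into a flag bitmask."""
    if letters == "none":
        return 0
    bits = 0
    for ch in letters:
        bits |= _TCPDUMP_FLAGS[ch]  # an unknown letter raises KeyError on purpose
    return bits


def parse_line(line):
    """Parse one tcpdump line into (src, sport, dst, dport, flags); None if not TCP."""
    m = _LINE_RE.search(line)
    if m is None:
        return None
    src, sport, dst, dport, letters = m.groups()
    return src, int(sport), dst, int(dport), flags_from_tcpdump(letters)


def classify_flags(flags):
    """Name the Nmap scan type for an exact flag set, or None for anything else.

    Only exact matches count: SYN, SYN/ACK, a PSH/ACK data segment or a RST
    is ordinary connection traffic and must not be labelled a probe.
    """
    return STEALTH_SIGNATURES.get(flags)


def find_scans(lines, min_ports=3):
    """Group stealth probes by (source, scan type) and return the groups that
    touched at least min_ports distinct destination ports.

    One stray FIN or bare ACK can belong to a torn-down session; the same
    flag set sprayed across several ports is a scan.
    """
    hits = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, _sport, _dst, dport, flags = parsed
        scan_type = classify_flags(flags)
        if scan_type is not None:
            hits[(src, scan_type)].add(dport)
    return {key: sorted(ports) for key, ports in sorted(hits.items())
            if len(ports) >= min_ports}


# Constructed sample capture (not a real trace): an Xmas sweep of four ports
# and a FIN sweep of three from one host, a lone bare-ACK and a lone Null
# probe from the same host, and an ordinary NetBIOS session from another.
SAMPLE_CAPTURE = """\
10:00:01.000001 IP 198.51.100.7.41000 > 192.0.2.10.135: Flags [FPU], seq 0, win 1024, length 0
10:00:01.000112 IP 198.51.100.7.41000 > 192.0.2.10.137: Flags [FPU], seq 0, win 1024, length 0
10:00:01.000220 IP 198.51.100.7.41000 > 192.0.2.10.139: Flags [FPU], seq 0, win 1024, length 0
10:00:01.000331 IP 198.51.100.7.41000 > 192.0.2.10.445: Flags [FPU], seq 0, win 1024, length 0
10:00:02.000001 IP 198.51.100.7.41001 > 192.0.2.10.21: Flags [F], seq 0, win 1024, length 0
10:00:02.000110 IP 198.51.100.7.41001 > 192.0.2.10.23: Flags [F], seq 0, win 1024, length 0
10:00:02.000219 IP 198.51.100.7.41001 > 192.0.2.10.80: Flags [F], seq 0, win 1024, length 0
10:00:03.000001 IP 198.51.100.7.41002 > 192.0.2.10.139: Flags [.], ack 1, win 1024, length 0
10:00:03.500001 IP 198.51.100.7.41003 > 192.0.2.10.139: Flags [none], seq 0, win 1024, length 0
10:00:04.000001 IP 203.0.113.9.51234 > 192.0.2.10.139: Flags [S], seq 1, win 65535, length 0
10:00:04.000900 IP 203.0.113.9.51234 > 192.0.2.10.139: Flags [P.], seq 1:73, ack 1, win 65535, length 72
"""


if __name__ == "__main__":
    for (src, scan_type), ports in find_scans(SAMPLE_CAPTURE.splitlines()).items():
        print(f"{src}: {scan_type} against ports {ports}")
```

    Run stand-alone it reports the Xmas and FIN sweeps from 198.51.100.7
    and stays quiet about the single bare-ACK and Null packets and about
    the legitimate session from 203.0.113.9.  The point of matching
    exact flag sets is the one the advisory makes: a filter that only
    watches for connection attempts (SYNs) never sees these probes,
    because they are deliberately built so that no connection is ever
    attempted.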

    In addition, a window of opportunity exists during the boot process
    that allows a remote attacker access to the shared resources of the
    ZoneAlarm-protected machine.  If file sharing is enabled via Windows
    Networking and proper access controls (ACLs) are not in place,
    complete access to all shared resources can be obtained through
    simple NetBIOS drive mapping (tools such as Legion have proven the
    existence and viability of this threat).  An attacker who reaches
    the ZoneAlarm install directory (C:\Program Files\Zone Labs\ZoneAlarm
    by default) through such a share can disable ZoneAlarm by deleting
    or renaming either the executable or its associated DLL files.  On
    an NTFS partition the entire directory, and every file in it, is
    installed with 'Everyone:Full Control' permissions.  The registry
    keys created by ZoneAlarm (HKLM\Software\Zone Labs) also have weak
    permissions, being set to 'Everyone:Special Access' including
    SetValue, CreateSubkey and Delete.  Note that the user does receive
    a pop-up dialog asking for the location of the deleted or renamed
    file; however, the message is ambiguous enough that most basic
    users will simply click CANCEL, leaving the firewall unloaded.

    Once ZoneAlarm is disabled, complete and unrestricted access to the
    shared file system is obtained.  Data may be removed, copied,
    modified, deleted or otherwise manipulated.  From this point, normal
    remote code execution attacks can be used to compromise the system
    further.

    This vulnerability requires a number of factors to line up on an
    operating system that is already exposed.  This in effect mitigates
    the vulnerability and makes it very unlikely ever to be exploited.
    No reports exist of it being successfully exploited.  It is much
    more likely that an Internet user is attacked after turning off the
    protection of their choice.  The preconditions are:

    1. The IP address of the target must be known in advance and
       watched for the moment the machine reboots (users whose address
       changes at each connection, such as DHCP, PPPoE and dial-up
       users, are far harder to target).  The watching itself exposes
       the attacker to detection by ZoneAlarm Pro and other security
       products and devices.
    2. NetBIOS must be bound to TCP/IP on the Internet-facing interface.
    3. File sharing must be enabled for the system resources.  This
       requires the user to deliberately share system files with no
       access restrictions.
    4. The window of opportunity is limited.  The real window is the
       time between the computer coming onto the network and the
       firewall drivers being loaded.  During these seconds of boot
       time the CPU is very busy, and it is not evident that, even with
       all these prerequisites met, the attacker would succeed.

SOLUTION

    Users can completely eliminate the scenario described above by
    password-protecting their file shares and by limiting what is
    shared: the system drive, and with it the ZoneAlarm install
    directory, should not be exposed as a share at all.

    ZoneAlarm 2.1.44 does detect the Nmap scans mentioned in this
    advisory, in the sense that it blocks them: the probes are silently
    dropped by ZoneAlarm's default Stealth Mode rather than reported,
    because ZoneAlarm categorizes them as Internet Background Noise.
    This shields the user from the probe while avoiding confusion from
    a flood of alerts.  Users who want to be alerted to this type of
    scan can get that from the ZoneAlarm Pro product, which both alerts
    the user and logs the event.