COMMAND
ZoneAlarm
SYSTEMS AFFECTED
ZoneAlarm 2.1.44
PROBLEM
The following is based on a WolfPak Advisory. ZoneAlarm does not
detect several types of common Nmap scans. It is also possible
for a remote attacker, under certain circumstances, to gain
complete access to the file system and disable ZoneAlarm.
ZoneAlarm is marketed as a personal firewall and threat
detection/prevention tool. It is directed at the Windows-based
home user with a constant connection to the Internet via a DSL
or cable modem service.
Unfortunately, ZoneAlarm does not allow its users to maintain a
true understanding of their threat level and exposure. Attackers
scanning a system employing ZoneAlarm will go unnoticed when
using the common Nmap scan types ACK, FIN, Xmas, Window & Null.
While these scans do not return lists of open ports to the
attacker, the ZoneAlarm user is not aware of the probe or the
possibility of attacks being directed against them.
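The five scan types named above are distinguished purely by the TCP flag
bits they carry, and none of them starts with a SYN, which is why a
host-based filter that only watches connection attempts never sees them.
The following classifier is an added example, not code from the advisory
or from Zone Labs: it parses the flag octet of a TCP header and maps it to
the Nmap scan type that produces it. The sample segments are constructed
in the block (seq/ack zero, no options, zero checksum); the header layout
itself is the standard RFC 793 one. Note that ACK and Window scans are
identical on the wire (a bare ACK) and differ only in how the scanner
interprets the reply, so a detector cannot tell them apart.

```python
import struct
from collections import Counter

# TCP flag bits in the low 6 bits of header octet 13 (RFC 793 layout).
FIN, SYN, RST, PSH, ACK, URG = 0x01, 0x02, 0x04, 0x08, 0x10, 0x20
FLAG_MASK = FIN | SYN | RST | PSH | ACK | URG


def build_tcp_header(src_port, dst_port, flags, window=1024):
    """Constructed sample TCP header (20 bytes, no options, zero checksum).

    Used only to fabricate test input here; a real detector would take the
    segment bytes from a packet capture or a raw socket.
    """
    offset_and_flags = (5 << 12) | (flags & FLAG_MASK)   # data offset = 5 words
    return struct.pack("!HHIIHHHH", src_port, dst_port, 0, 0,
                       offset_and_flags, window, 0, 0)


def tcp_flags(segment):
    """Return the six classic flag bits of a TCP segment."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    return segment[13] & FLAG_MASK


def classify_probe(flags):
    """Map a flag combination to the Nmap scan type that emits it.

    The five types named in the advisory are all 'stealth' probes: none of
    them begins with a SYN, so a filter that only logs connection attempts
    never reports them.
    """
    f = flags & FLAG_MASK
    if f == 0:
        return "null-scan"                 # -sN: no flags at all
    if f == FIN:
        return "fin-scan"                  # -sF: FIN only
    if f == (FIN | PSH | URG):
        return "xmas-scan"                 # -sX: FIN+PSH+URG
    if f == ACK:
        return "ack-or-window-scan"        # -sA / -sW: bare ACK, identical on the wire
    if f == SYN:
        return "syn"                       # ordinary connection attempt (or -sS)
    return "other"                         # SYN/ACK, RST, data segments, ...


def summarize_probes(segments):
    """Count probe types in a batch of segments.

    'syn' and 'other' are ordinary traffic; every other category is a
    probe that a stealth-mode firewall drops but a user may want alerted.
    """
    counts = Counter(classify_probe(tcp_flags(s)) for s in segments)
    alerts = {k: v for k, v in counts.items() if k not in ("syn", "other")}
    return dict(counts), alerts


if __name__ == "__main__":
    # Constructed batch: one of each stealth probe against NetBIOS port 139,
    # plus a normal SYN, the only one a SYN-only watcher would log.
    batch = [build_tcp_header(40123, 139, f)
             for f in (0, FIN, FIN | PSH | URG, ACK, SYN)]
    counts, alerts = summarize_probes(batch)
    print(counts)
    print("alert on:", alerts)
```

A stateful detector would additionally check that no handshake exists for
the (source, destination, port) tuple before raising an alert on a bare
ACK, since mid-connection ACKs are normal; the flag check alone is what
separates the stealth scan types from each other.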
In addition, a window of opportunity exists during the boot
process which allows a remote attacker access to shared resources
available on the ZoneAlarm-protected device. If file sharing is
enabled via Windows Networking and proper access control lists
(ACLs) are not applied, complete access to all shared resources can
be obtained through simple NetBIOS drive mapping (tools such as
Legion have proven the existence and viability of this threat).
If an attacker gains access to the install location of ZoneAlarm
(C:\Program Files\Zone Labs\ZoneAlarm by default) through such a
share, ZoneAlarm can be disabled by deleting or renaming either
the executable or its associated DLL files. On an NTFS partition
the entire directory, and all associated files, are installed with
'Everyone:Full Control' permissions. The registry keys created by
ZoneAlarm (HKLM\Software\Zone Labs) also have weak permissions,
being set to 'Everyone:Special Access' including SetValue,
CreateSubkey and Delete. Note that users do receive a pop-up
dialog asking for the location of the deleted or renamed file;
however, the message is sufficiently ambiguous to confuse most
basic users into just clicking CANCEL.
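The two weaknesses just described are both ACL problems: a broad
principal ('Everyone') holds write-equivalent rights on the install
directory and on the product's registry key. The following is an added
example, not the advisory's or Zone Labs' code, of the audit a defender
would run over those ACLs. The ACL contents are constructed in the block
to mirror the state the advisory describes and a hardened alternative;
on a real system they would be read from the file system and registry
security descriptors. Right names follow the Windows permission dialogs
and are illustrative.

```python
from dataclasses import dataclass

# Principals that effectively mean "anyone who can reach the share".
BROAD_PRINCIPALS = {"Everyone", "Users", "Authenticated Users", "ANONYMOUS LOGON"}

# Rights that let the holder alter, replace or remove the object.  For a
# registry key, SetValue/CreateSubkey/Delete are exactly the 'Special
# Access' rights the advisory lists.
WRITE_EQUIVALENT = {"FullControl", "Modify", "Write", "Delete",
                    "SetValue", "CreateSubkey", "WriteDAC", "WriteOwner"}


@dataclass(frozen=True)
class Ace:
    principal: str
    rights: frozenset
    ace_type: str = "Allow"   # "Allow" or "Deny"


def audit_acl(target, acl):
    """Return (target, principal, risky_rights) for each Allow ACE that gives
    a broad principal any write-equivalent right on `target`."""
    findings = []
    for ace in acl:
        if ace.ace_type != "Allow" or ace.principal not in BROAD_PRINCIPALS:
            continue
        risky = sorted(ace.rights & WRITE_EQUIVALENT)
        if risky:
            findings.append((target, ace.principal, risky))
    return findings


def audit_all(acls):
    """Audit a mapping of object path -> list of Ace, in order."""
    out = []
    for target, acl in acls.items():
        out.extend(audit_acl(target, acl))
    return out


def as_shipped_acls():
    """Constructed ACLs mirroring the permissions the advisory describes."""
    return {
        r"C:\Program Files\Zone Labs\ZoneAlarm": [
            Ace("Everyone", frozenset({"FullControl"})),
        ],
        r"HKLM\Software\Zone Labs": [
            Ace("Everyone", frozenset({"SetValue", "CreateSubkey",
                                       "Delete", "QueryValue"})),
        ],
    }


def hardened_acls():
    """Constructed ACLs for the same objects with write rights limited to
    SYSTEM and Administrators; ordinary users keep read-only access."""
    return {
        r"C:\Program Files\Zone Labs\ZoneAlarm": [
            Ace("SYSTEM", frozenset({"FullControl"})),
            Ace("Administrators", frozenset({"FullControl"})),
            Ace("Users", frozenset({"ReadAndExecute"})),
        ],
        r"HKLM\Software\Zone Labs": [
            Ace("SYSTEM", frozenset({"FullControl"})),
            Ace("Administrators", frozenset({"FullControl"})),
            Ace("Users", frozenset({"QueryValue", "EnumerateSubkeys", "Notify"})),
        ],
    }


if __name__ == "__main__":
    for name, acls in (("as shipped", as_shipped_acls()), ("hardened", hardened_acls())):
        findings = audit_all(acls)
        print(f"{name}: {len(findings)} finding(s)")
        for target, principal, rights in findings:
            print(f"  {target}: {principal} may {', '.join(rights)}")
```

The hardened ACL is the shape the SOLUTION section implies: only
SYSTEM and Administrators can modify the product's files and keys, so a
remote user reaching the share over NetBIOS cannot rename the executable
or rewrite the registry values even if the share itself is exposed.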
Once ZoneAlarm is disabled, complete unmitigated access to the
file system is obtained. Data may be removed, copied, modified,
deleted or otherwise manipulated. From this point, normal remote
code execution attacks can be utilized to further compromise the
system.
This vulnerability requires a number of factors all lining up and
taking place on an already vulnerable operating system. This in
effect mitigates the vulnerability and makes it very unlikely to
ever be exploited. No reports exist on this being successfully
exploited. It is much more likely that an Internet user gets
attacked by turning off the protection of their choice.
1. The IP address of the target must be known and monitored (DHCP,
PPPoE and dial-up users are not at risk). This in itself sets the
attacker up for detection by ZoneAlarm Pro and other security
products and devices.
2. TCP/IP must be bound to the Windows NetBIOS service.
3. File sharing must be enabled for the system resources. This
requires the user to deliberately enable file sharing for system
files with no security.
4. Limited window of opportunity. The real window of opportunity
is between the time the computer is on the net and the time the
drivers are loaded. During these seconds of boot time the CPU of
the computer is very busy, and it is not evident that, even given
all these prerequisites, the attacker could be successful.
SOLUTION
Users can completely eliminate the scenario described in the
report above by employing password protection on file shares and
by using limited file sharing access.
ZoneAlarm 2.1.44 does detect the Nmap scans mentioned in this
vulnerability. The scans are detected and silently dropped
because of ZoneAlarm's default Stealth Mode. ZoneAlarm categorizes
the mentioned Nmap scans as Internet Background Noise, effectively
shielding the user from attacks and avoiding confusion due to
false alerts. If a user wants to be alerted to this type of
scan, the ZoneAlarm Pro product allows for this by both alerting
the user and logging the event.