COMMAND

Various personal firewalls

SYSTEMS AFFECTED

At least:
ZoneAlarm & ZoneAlarm Pro (current versions)
Tiny Personal FireWall (current version)

PROBLEM

Tom Liston found the following problem on two personal firewalls, the only two he tested. It might be the same on other Windows personal firewalls.

Issue: Outbound filtering in personal firewalls does not block packets that are generated by protocol stacks other than the default Microsoft stack.

While working to port LaBrea to the Win9x platform, I was faced with the task of creating packets with specific flags, window sizes, etc. In order to accomplish this, I was forced to "roll my own" protocol adapter that would allow me to send TCP packets formatted in specific ways. As a side effect of this, I found that at least two personal firewalls don't "see" the TCP packets that this "non-standard" protocol adapter generates. In experimenting further, it was found that the "Lock" or "Block All" settings of those firewalls were also ineffective against TCP packets from non-standard protocol adapters.

I believe that the real issue at hand has little to do with vulnerabilities and protocol adapters. The real issue here is marketing. The entire personal firewall industry has been driven to make claims that it cannot deliver on. There is a vicious "me too" cycle that drives personal firewall vendors. Now, there are testing labs and "certifications." (Both TinyPFW and ZoneAlarmPro are certified by ICSA Labs.) This is just insane.

When I look at the concept of "outbound filtering", I see a distinct parallel to "copy protection." Both concepts suffer from the same basic flaws. The problem is in the claims that personal firewall vendors are making and the fact that they're allowed to get away with it.

An application demonstrating this vulnerability is available at:
http://www.hackbusters.net/ob.html

SOLUTION

Vendors are working on a patch. Contact yours for the latest version.
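The practical consequence of the issue above is that a host firewall's own log cannot be trusted as a complete record of what the host sent: traffic that never passed through the hooked Microsoft stack is simply absent from it. The defensive check is to reconcile the host firewall's outbound log against flows observed from outside the host (a gateway, a span port, or a sniffer on the same segment). The following Python script is an added example written for this advisory; it is not code from Tom Liston, hackbusters.net, or either firewall vendor. The log line format, the wire-flow format and all addresses and ports are constructed for illustration and are not the actual output of ZoneAlarm or Tiny Personal Firewall.

```python
"""Reconcile a host firewall's outbound log with flows seen on the wire.

Flows present on the wire but absent from the host firewall's log are the
signature of traffic that bypassed host-side outbound filtering (for example
packets sent through a protocol stack the firewall does not hook). Flows the
firewall logged as BLOCK that still appear on the wire are a second, stronger
indicator. All sample data below is constructed; the log format is hypothetical.
"""
import re
from typing import Dict, List, Set, Tuple

# (proto, src_ip, src_port, dst_ip, dst_port)
Flow = Tuple[str, str, int, str, int]

# Constructed sample: outbound entries written by a host firewall (hypothetical format)
FIREWALL_LOG = """\
2001-05-14 10:01:02 ALLOW TCP 192.0.2.10:1045 -> 198.51.100.5:80
2001-05-14 10:01:09 ALLOW TCP 192.0.2.10:1046 -> 198.51.100.5:443
2001-05-14 10:02:15 BLOCK TCP 192.0.2.10:1047 -> 203.0.113.9:25
2001-05-14 10:02:40 ALLOW UDP 192.0.2.10:1048 -> 198.51.100.53:53
"""

# Constructed sample: flows from the same host as seen by a gateway or span port
WIRE_FLOWS = """\
tcp 192.0.2.10 1045 198.51.100.5 80
tcp 192.0.2.10 1046 198.51.100.5 443
tcp 192.0.2.10 1047 203.0.113.9 25
tcp 192.0.2.10 31337 203.0.113.9 25
udp 192.0.2.10 1048 198.51.100.53 53
"""

LOG_RE = re.compile(
    r"^\S+ \S+ (?P<verdict>ALLOW|BLOCK) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_firewall_log(text: str) -> Dict[Flow, str]:
    """Map each outbound flow the firewall logged to its verdict (ALLOW or BLOCK)."""
    verdicts: Dict[Flow, str] = {}
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # ignore lines that are not outbound verdicts
        flow: Flow = (m["proto"].lower(), m["src"], int(m["sport"]),
                      m["dst"], int(m["dport"]))
        verdicts[flow] = m["verdict"]
    return verdicts


def parse_wire_flows(text: str) -> Set[Flow]:
    """Parse 'proto src sport dst dport' records exported from a network sensor."""
    flows: Set[Flow] = set()
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        proto, src, sport, dst, dport = parts
        flows.add((proto.lower(), src, int(sport), dst, int(dport)))
    return flows


def unlogged_flows(wire: Set[Flow], verdicts: Dict[Flow, str]) -> List[Flow]:
    """Flows on the wire the host firewall never saw at all: the bypass signature."""
    return sorted(f for f in wire if f not in verdicts)


def blocked_but_seen(wire: Set[Flow], verdicts: Dict[Flow, str]) -> List[Flow]:
    """Flows the firewall claims to have blocked that nevertheless reached the wire."""
    return sorted(f for f in wire if verdicts.get(f) == "BLOCK")


def audit(log_text: str, wire_text: str) -> Dict[str, List[Flow]]:
    """Run both checks and return the findings keyed by category."""
    verdicts = parse_firewall_log(log_text)
    wire = parse_wire_flows(wire_text)
    return {
        "unlogged": unlogged_flows(wire, verdicts),
        "blocked_but_seen": blocked_but_seen(wire, verdicts),
    }


if __name__ == "__main__":
    for category, flows in audit(FIREWALL_LOG, WIRE_FLOWS).items():
        print(category)
        for proto, src, sport, dst, dport in flows:
            print(f"  {proto} {src}:{sport} -> {dst}:{dport}")
```

Run against the constructed data, the audit reports one unlogged flow (the TCP connection from source port 31337, which the host firewall has no record of) and one flow the firewall logged as blocked but which still appeared on the wire. Either finding means the host-side outbound policy is not the last word and that egress enforcement has to be done on the network as well.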