Vulnerability: ZoneAlarm
Affected: ZoneAlarm 2.1.44

Description:
The following is based on a WolfPak Advisory.

ZoneAlarm does not detect several types of common Nmap scans. It is also possible for a remote attacker, under certain circumstances, to gain complete access to the file system and disable ZoneAlarm.

ZoneAlarm is marketed as a personal firewall and threat detection/prevention tool. It is directed at the Windows-based home user with a constant Internet connection over DSL or cable modem service. Unfortunately, ZoneAlarm does not allow its users to maintain a true understanding of their threat level and exposure. Attackers scanning a system employing ZoneAlarm will go unnoticed when using the common Nmap scan types ACK, FIN, Xmas, Window and Null. While these scans do not return lists of open ports to the attacker, the ZoneAlarm user is not aware of the probe or of the possibility of attacks being directed against them.

In addition, a window of opportunity exists during the boot process which allows a remote attacker access to shared resources on the ZoneAlarm-protected device. If file sharing is enabled via Windows Networking and proper access controls (ACLs) are not used, complete access to all shared resources can be obtained through simple NetBIOS drive mapping (tools such as Legion have proven the existence and viability of this threat). An attacker who reaches the install location of ZoneAlarm (C:\Program Files\Zone Labs\ZoneAlarm by default) through such a share can disable ZoneAlarm by deleting or renaming either the executable or its associated DLL files. On an NTFS partition, the entire directory and all associated files are installed with 'Everyone:Full Control' permissions. The registry keys created by ZoneAlarm (HKLM\Software\Zone Labs) also have weak permissions, being set to 'Everyone:Special Access', including SetValue, CreateSubkey and Delete.

Note that users do receive a pop-up dialog asking for the location of the deleted or renamed file; however, the message is sufficiently ambiguous to confuse most basic users into just clicking CANCEL. Once ZoneAlarm is disabled, complete, unmitigated access to the file system is obtained. Data may be removed, copied, modified, deleted or otherwise manipulated. From this point, normal remote code execution attacks can be used to further compromise the system.

This vulnerability requires a number of factors all lining up and taking place on an already vulnerable operating system. This in effect mitigates the vulnerability and makes it very unlikely ever to be exploited. No reports exist of this being successfully exploited. It is much more likely that an Internet user gets attacked by turning off the protection of their choice.

1. The IP address of the target must be known and monitored (DHCP, PPPoE and dial-up users are not at risk). This in itself sets the attacker up for detection by ZoneAlarm Pro and other security products and devices.
2. TCP/IP must be bound to the Windows NetBIOS service.
3. File sharing must be enabled for the system resources. This requires the user to deliberately enable file sharing for system files with no security.
4. Limited window of opportunity. The real window of opportunity is between the time the computer is on the net and the time the drivers are loaded. During these seconds of boot time the CPU is very busy, and it is not evident, even given all these prerequisites, that the attacker could be successful.

Solution:
Users can completely eliminate the scenario described in the report above by employing password protection on file shares and by using limited file sharing access.

ZoneAlarm 2.1.44 does detect the Nmap scans mentioned in this vulnerability. The scans are detected and silently dropped because of ZoneAlarm's default Stealth Mode. ZoneAlarm categorizes the mentioned Nmap scans as Internet Background Noise, effectively shielding the user from attacks and avoiding confusion due to false alerts. If a user wants to be alerted to this type of scan, the ZoneAlarm Pro product allows for this by both alerting the user and logging the event.
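An added audit check, written for this page and not part of the advisory or of Zone Labs' software, that reports access entries granting broad principals tamper rights on the default install directory and registry key named in the Description. The two target paths come from the advisory; the list of broad principals and the set of rights treated as dangerous are assumptions to adjust for your environment.

```powershell
# Added audit helper (not ZoneAlarm's code): flag ACEs that let broad groups
# modify or delete the product's files or registry keys, which is the weak
# 'Everyone:Full Control' / 'Everyone:Special Access' condition the advisory reports.
$Targets = @(
    'C:\Program Files\Zone Labs\ZoneAlarm',   # default install path from the advisory
    'HKLM:\Software\Zone Labs'                 # registry key from the advisory
)
# Assumed list of principals that should never hold tamper rights on security software
$BroadPrincipals = @('Everyone', 'BUILTIN\Users',
                     'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE')

# Rights that allow tampering; the registry set includes the three the advisory names
$DangerousFileRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership, FullControl'
$DangerousRegRights  = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, Delete, ChangePermissions, TakeOwnership, FullControl'

function Test-WeakAce {
    param($Ace, [bool]$IsRegistry)
    # Only Allow entries for a broad principal matter; Deny entries tighten access
    if ($Ace.AccessControlType -ne 'Allow') { return $false }
    if ($BroadPrincipals -notcontains $Ace.IdentityReference.Value) { return $false }
    if ($IsRegistry) {
        return (($Ace.RegistryRights -band $DangerousRegRights) -ne 0)
    }
    return (($Ace.FileSystemRights -band $DangerousFileRights) -ne 0)
}

foreach ($t in $Targets) {
    if (-not (Test-Path $t)) { Write-Output "[skip] $t not present"; continue }
    $isReg = $t -like 'HKLM:*'
    $acl   = Get-Acl -Path $t
    $weak  = @($acl.Access | Where-Object { Test-WeakAce -Ace $_ -IsRegistry $isReg })
    if ($weak.Count -eq 0) {
        Write-Output "[ok]   $t : no broad principal holds tamper rights"
        continue
    }
    foreach ($a in $weak) {
        $rights = if ($isReg) { $a.RegistryRights } else { $a.FileSystemRights }
        Write-Output "[WEAK] $t : $($a.IdentityReference) -> $rights"
    }
}
```

Run it from an elevated PowerShell session; a [WEAK] line means a non-administrator could rename or delete the files or alter the keys the advisory describes, and the entry should be tightened to read-only for that principal.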