Bugtraq mailing list archives
Re: ZoneAlarm
From: gary () BWAPR COM (Gary Buckmaster)
Date: Sat, 22 Apr 2000 15:26:35 -0700
Wally,

Verified, albeit unscientifically. ZoneAlarm does not appear to detect udp traffic from source port 67. Additionally, using nmap's -f flag allows you to send traffic past ZoneAlarm without any alerts.

Wally Whacker wrote:

> ZoneAlarm (http://www.zonelabs.com) is a very popular personal firewall for Microsoft Windows computers and easy to use for newbies because it is application based, meaning, you apply network permission to applications instead of ports.
>
> Because it is application based, I was wondering how it handled ports that weren't applications, i.e., what about ports that are opened by the kernel? I tried scanning a ZoneAlarm protected machine using various source ports that are often problems for other firewall environments.
>
> What I found was this: If one uses port 67 as the SOURCE port of a UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means that one can UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.
>
> The version I tested this on was 2.1.10. I strongly suspect port 67 needs to be left open because it is used for DHCP. On an earlier version 2.0.26 UDP packets from source port 53 also behaved as above but this doesn't seem to be the case with this latest version.
>
> The test was this:
>
> 1) Download and install ZoneAlarm version 2.1.10.
>
> 2) From another computer (unix, linux, etc) run
>
>        nmap -P0 -p130-140 -sU 192.168.128.88 <-Your Computer Ip Address.
>
>    This will run a small UDP scan on the computer.
>
> 3) ZoneAlarm will throw up alarms on these UDP probes.
>
> 4) NOW, run
>
>        nmap -g67 -P0 -p130-140 -sU 192.168.128.88
>
>    (Notice the -g67 which specifies source port). This will run the same test as above except the packets will have a source port of 67.
>
> 5) ZoneAlarm will not throw up any alerts AND if you have any services running on those ports, nmap will find them.
>
> I'd appreciate it if anyone else can independently verify this.
>
> Wally
> http://hackerwhacker.com
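Added example, not part of either message above: a small Python model of the filtering gap the thread describes, assuming (as Wally suspects) that the pass-through is a DHCP allowance keyed on source port alone. The rule functions, packet tuples and addresses are constructed for illustration and are not ZoneAlarm's own logic; the stricter rule additionally requires destination port 68 and either an outstanding DHCP request or a known lease server.

```python
from collections import namedtuple

# Constructed inbound UDP datagrams as a host firewall would see them
# (illustrative values, not captured traffic).
Pkt = namedtuple("Pkt", "src_ip src_port dst_port")

DHCP_SERVER_PORT, DHCP_CLIENT_PORT = 67, 68


def weak_rule(pkt):
    """Assumed model of the reported behaviour: trust any UDP source port 67."""
    return pkt.src_port == DHCP_SERVER_PORT


def strict_rule(pkt, dhcp_pending, known_servers):
    """Accept a DHCP reply only when it is addressed to the client port and
    either a request is outstanding or it comes from our lease server."""
    if pkt.src_port != DHCP_SERVER_PORT or pkt.dst_port != DHCP_CLIENT_PORT:
        return False
    return dhcp_pending or pkt.src_ip in known_servers


def audit(packets, dhcp_pending=False, known_servers=frozenset()):
    """Return the packets the weak rule passes but the strict rule drops."""
    return [p for p in packets
            if weak_rule(p) and not strict_rule(p, dhcp_pending, known_servers)]


SAMPLE = [
    Pkt("192.168.128.1", 67, 68),       # reply from the lease server
    Pkt("192.168.128.50", 67, 137),     # source port 67, non-DHCP destination
    Pkt("192.168.128.50", 67, 138),     # same, next port
    Pkt("192.168.128.50", 40000, 137),  # ordinary probe: both rules drop it
    Pkt("192.168.128.50", 67, 68),      # unsolicited reply from unknown host
]

if __name__ == "__main__":
    for p in audit(SAMPLE, known_servers={"192.168.128.1"}):
        print("weak rule would pass silently:", p)
```

Feeding real firewall log tuples through `audit` in place of `SAMPLE` shows which accepted datagrams relied only on the source-port match.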