Bugtraq mailing list archives
Re: ZoneAlarm
From: milton () ISOMEDIA COM (Stephen M. Milton)
Date: Mon, 24 Apr 2000 09:33:25 -0700
I tried this on Windows 2000 Server, also using version 2.1.10 of ZoneAlarm. I received alerts on the scans both with and without the source port specified to port 67. Stephen Milton ISOMEDIA, Inc.
-----Original Message----- From: Bugtraq List [mailto:BUGTRAQ () SECURITYFOCUS COM]On Behalf Of Wally Whacker Sent: Thursday, April 20, 2000 9:41 PM To: BUGTRAQ () SECURITYFOCUS COM Subject: ZoneAlarm ZoneAlarm (http://www.zonelabs.com) is a very popular personal firewall for Microsoft Windows computers and easy to use for newbies because it is application based, meaning, you apply network permission to applications instead of ports. Because it is application based, I was wondering how it handled ports that weren't applications, i.e., what about ports that are opened by the kernel? I tried scanning a ZoneAlarm protected machine using various source ports that are often problems for other firewall environments. What I found was this: If one uses port 67 as the SOURCE port of a UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means, that one can UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets. The version I tested this on was 2.1.10 I strongly suspect port 67 needs to be left open because it is used for DHCP. On an earlier version 2.0.26 UDP packets from source port 53 also behaved as above but this doesn't seem to be the case with this latest version. The test was this: 1) Download and install ZoneAlarm version 2.1.10. 2) From another computer (unix, linux, etc) run nmap -P0 - p130-140 -sU 192.168.128.88 <-Your Computer Ip Address. This will run a small UDP scan on the computer. 3) ZoneAlarm will throw up alarms on these UDP probes 4) NOW, run nmap -g67 -P0 -p130-140 -sU 192.168.128.88 (Notice the -g67 which specifies source port). This will run the same test as above except the packets will have a source port of 67. 5) ZoneAlarm will not throw up any alerts AND if you have any services running on those ports, nmap will find them. I'd appreciate it if any one else can independently verify this. Wally http://hackerwhacker.com
Current thread:
- finding Meeting Maker passwords using tcpdump, (continued)
- finding Meeting Maker passwords using tcpdump mhpower () MIT EDU (Apr 24)
- ZoneAlarm Vulnerability Alfred Huger (Apr 25)
- Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Laurent LEVIER (Apr 25)
- Re: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Casper Dik (Apr 26)
- Re: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Dimitri Avgoustakis (Apr 26)
- Re: Solaris Sparc 2.6 & 7 lp/lpset/lpstat root compromise exploit Theodor R. Gislason (Apr 26)
- SECURITY: UPDATED - RHSA-2000:014 New Piranha release available Cristian Gafton (Apr 26)
- gpm-root initgroups() Koblinger Egmont (Apr 23)
- Postgresql cleartext password storage Robert van der Meulen (Apr 23)
- Re: Postgresql cleartext password storage Alexandru Popa (Apr 24)
- Re: ZoneAlarm Stephen M. Milton (Apr 24)
- Microsoft Security Bulletin (MS00-027) Microsoft Product Security (Apr 20)
- Remote vulnerability in LCDproc 0.4 Andrew Hobgood (Apr 20)
- Remote DoS attack in RealServer David Cotter (Apr 20)
- CMD.EXE overflow (CISADV000420) Cerberus Security Team (Apr 21)