Advisory:Multiple Vulnerabilities in ZoneAlarm

[alerts () WOLFPAK DYNIP COM]

Date:  12.20.2000

Name:  Multiple Vulnerabilities in ZoneAlarm

Application:  ZoneAlarm 2.1.44

Platforms:  Windows 9x, ME, NT, 2000

Severity:  ZoneAlarm does not detect several types of common Nmap scans.
It is also possible for a remote attacker, under certain circumstances, to
gain complete access to the file system  and disable ZoneAlarm.

Author:  The WolfPak, alerts () wolfpak dynip com

ZoneAlarm (http://www.zonelabs.com) is marketed as a personal firewall and
threat detection/prevention tool. It is directed at the Windows-based home
user with a constant connection to the Internet with a DSL or Cable modem
service.

Unfortunately, ZoneAlarm does not allow its users to maintain a true
understanding of their threat level and exposure. Attackers scanning a
system employing ZoneAlarm will go unnoticed when using the common Nmap
scan types ACK, FIN, Xmas, Window & Null. While these scans do not return
lists of open ports to the attacker, the ZoneAlarm user is not aware of
the probe or the possibility of attacks being directed against them.

In addition, a window of opportunity exists during the boot process, which
allows a remote attacker access to shared resources available on the
ZoneAlarm protected device. If file sharing is enabled via Windows
Networking and proper Access Controls (ACL) are not utilized, complete
access to all shared resources can be obtained through simple NetBIOS
drive mapping (tools such as Legion have proven the existence and
viability of this threat). Attackers gaining access to the install
location of ZoneAlarm (C:\Program Files\Zone Labs\ZoneAlarm by default)
using such a share, it is possible for the attacker to disable ZoneAlarm
by deleting or renaming either the executable or its associated DLL files.
In an NTFS partition, the entire directory, and all associated files, are
installed with 'Everyone:Full Control' as permissions. The registry keys
created by ZoneAlarm (HKLM\Software\Zone Labs) also have weak permissions,
being set at 'Everyone:Special Access', including SetValue, CreateSubkey &
Delete. Note that users do receive a pop-up dialog window asking for the
location of the deleted or renamed file, however, the message is
sufficiently ambiguous to confuse most basic users into just clicking
CANCEL.

Once ZoneAlarm is disabled, complete unmitigated access to the file system
is obtained. Data  may be removed, copied, modified, deleted or otherwise
manipulated. From this point, normal remote code execution attacks can be
utilized to further compromise the system.

According to the manufacturer, "More than 8 million PC users have
downloaded ZoneAlarm", making it a very popular target indeed. Zone Labs
has been advised of these vulnerabilities and no patch or work around has
been provided.

ZoneAlarm is copyright Zone Labs, Inc.
WolfPak Homepage: http://wolfpak.dynip.com