Bugtraq mailing list archives

NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability


From: "Abraham Lincoln" <sunninja () scientist com>
Date: Wed, 16 Oct 2002 22:46:39 +0800

NSSI Technologies Inc Research Labs Security Advisory 

http://www.nssolution.com (Philippines / .ph) 

"Maximum e-security" 

http://nssilabs.nssolution.com

ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham () nssolution com / SunNinja () Scientist com

Advisory Code: NSSI-2002-zonealarm3 

Tested: Under Win2k Advanced Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional / WinNT 4.0 Workstation 

Vendor Status:  Zone Labs was contacted 1 month ago and they informed me that they are going to release an update or 
new version to patch the problem. This vulnerability is confirmed by the vendor.

Vendors website: http://www.zonelabs.com

Severity: High

Overview:

     New ZoneAlarm® Pro delivers twice the security—Zone Labs’ award-winning personal firewall trusted by millions, 
plus advanced privacy features. It is the award-winning PC firewall that blocks intrusion attempts and protects against 
Internet-borne threats like worms, Trojan horses, and spyware.   

 ZoneAlarm Pro 3.1 and 3.0  doubles your protection with enhanced Ad Blocking and expanded Cookie Control to speed up 
your Internet experience and stop Web site spying. Get protected. Compatible with Microsoft® Windows® 98/Me/NT/2000 and 
XP.    

    ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that lets an attacker consume all of the host's CPU and 
memory by sending multiple SYN packets (SYN flooding), resulting in a denial of service.  

Details:

    Zone Labs ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that lets an attacker consume all of the host's 
CPU and memory through SYN flooding, resulting in a denial of service in which the machine stops responding. 
Zone Labs ZoneAlarm Pro 3.1.291 and 3.0 are also vulnerable to IP spoofing. These vulnerabilities are confirmed by 
the vendor.

Test diagram:

   [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch]===> [Host with ZoneAlarm] 

 1] Tested under a default install of both versions: after a minimum of 300 SYN packets are sent to ports 1-1024, the 
machine hangs until the attack stops.

2] We configured the ZoneAlarm firewall in both versions to the BLOCK ALL traffic setting: after a minimum of 300 SYN 
packets are sent to ports 1-1024, the machine hangs until the attack stops. 

Workaround:

    Disable ZoneAlarm, harden the TCP/IP stack of your Windows host, and install the latest security patch.

Note: People who are having problems reproducing the vulnerability, let me know :)

Any questions, suggestions or comments? Let us know. 

e-mail: nssilabs () nssolution com / abraham () nssolution com / infosec () nssolution com

 

greetings:
   nssilabs team, especially to b45h3r and rj45, Most skilled and pioneers of NSSI good luck!. (mike () nssolution com 
/ aaron () nssolution com),  Lawless the saint ;), dig0, p1x3l, dc and most of all to my Lorie.  
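
An added detection example (not part of the advisory and not NSSI's or Zone Labs' code): it flags the condition from the test steps above, at least 300 SYN packets to ports 1-1024 of one host, from packet-log lines. The log line format, the 10-second window and all sample addresses are assumptions; counting is keyed on the destination because the advisory notes that source addresses can be spoofed.

```python
from collections import deque

THRESHOLD = 300          # advisory: "minimum of 300 Syn Packets"
PORTS = range(1, 1025)   # advisory: ports 1-1024
WINDOW = 10.0            # seconds; assumed, the advisory gives no time frame

def parse(line):
    """Parse 'epoch src dst dport flags' (assumed log format); None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    try:
        return float(parts[0]), parts[1], parts[2], int(parts[3]), parts[4]
    except ValueError:
        return None

def detect(lines, threshold=THRESHOLD, window=WINDOW):
    """Return one alert per destination once SYNs inside the window reach threshold.

    Counters are per destination, not per source: with spoofed sources
    every packet can carry a new address, so per-source counters never fill.
    """
    recent = {}   # dst -> deque of (timestamp, src, dport) still inside the window
    alerts = {}
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue                              # skip malformed lines
        ts, src, dst, dport, flags = rec
        if flags != "S" or dport not in PORTS:    # bare SYN to ports 1-1024 only
            continue
        q = recent.setdefault(dst, deque())
        q.append((ts, src, dport))
        while q and ts - q[0][0] > window:        # drop entries older than the window
            q.popleft()
        if len(q) >= threshold and dst not in alerts:
            alerts[dst] = {"first_seen": q[0][0], "syn_count": len(q),
                           "sources": len({s for _, s, _ in q}),
                           "ports": len({p for _, _, p in q})}
    return alerts

def constructed_sample():
    """Constructed log lines (not captured traffic): normal sessions plus one burst."""
    burst = [f"{100 + i * 0.01:.2f} 198.51.100.{i % 250 + 1} 192.0.2.10 {i % 1024 + 1} S"
             for i in range(400)]
    normal = [f"{50 + i * 5:.2f} 203.0.113.7 192.0.2.20 80 {fl}"
              for i, fl in enumerate(["S", "SA", "A", "PA", "FA"] * 4)]
    return normal + burst + ["garbage line"]
```

A high "sources" count next to a high "ports" count in an alert is the pattern to expect when the sender rotates spoofed addresses while sweeping the low port range.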

