Malicious code could trick ZoneAlarm firewall

Discussion in 'other firewalls' started by ronjor, Sep 30, 2005.

Thread Status:
Not open for further replies.
  1. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    The issue affects the popular free ZoneAlarm firewall and default installations of version 5.5 and earlier of the paid product, maker Zone Labs said in a security advisory on Thursday. Default installations of the Check Point Integrity Client are also affected, but the paid ZoneAlarm 6.0 products, released in July, are not, Zone Labs said.

    Story
     
  2. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    The vulnerability can be prevented in the paid versions of ZA 5.5 by enabling the "Advanced Program Control" feature in ZA:
    Go to "Program Control" section of ZA> Select the "Main Tab"> Select the "Custom" button in the "Program Control" subsection> Tick the box beside "Advanced Program Control"> Click "OK"

    Paid versions of ZA 6.0 will by default protect you due to the new OSFirewall feature.

    Free versions of ZA aren't protected. However to my knowledge, other free versions by other manufacturers also don't protect you from this.

    You can read the full details of this vulnerability in this Zone Labs security Advisory:
    http://download.zonelabs.com/bin/free/securityAlert/35.html
     
  3. StevieO

    StevieO Guest

    The good news as I have just discovered for this DDE-IPC (Direct Data - Exchange Interprocess Communications) flaw, is that ZA Free users can also be made safe from this potential exploit, and very easily too!

    I imagine my advice would apply to other FW's too.

    All you need to do is ensure that your browser is NOT set to allow access to the internet by default in ZA.

    I have always thought it wise not to allow Any program automatic right of access as a precaution. Every time any App of mine requires access out for Anything, I have to physically click to allow, including AV updates etc.


    StevieO
     
  4. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Brilliant advice. This precaution, of course, would also block many of the firewall leaktests that piggyback on the browser. I mentioned this in another thread and was criticized for having a firewall rule that prevented the test from showing that my firewall was vulnerable.

    This precaution would also prevent a trojan downloader from auto-connecting out, which I've demonstrated in testing several real trojans.

    A bit of a nuisance, some will say, but it just becomes a part of your routine, and after awhile, the few seconds of extra time is not noticeable.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  5. lotuseclat79

    lotuseclat79 Registered Member

    Joined:
    Jun 16, 2005
    Posts:
    5,090
    Hi ronjor,

    In the story, I notice the distinction is made about "network firewall" vs "OS firewall".

    I have noticed your view on firewalls on several posts in the past with regard to the lumping of features onto a network firewall to provide protections that normally an OS firewall would perform.

    Is it your take that you find those features misplaced in a network firewall? I would like to hear more discussion of this distinction and its relative pros and cons vs the direction various products have taken and whether that's a good thing or not.

    -- Tom
     
  6. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    I prefer to use Proxomitron for scripts, etc. Proxomitron may prove difficult to use for those not familiar with the program.

    I am using Kerio 4.2 free at the moment. While it uses more resources than Kerio 2.15, it is acceptable to me. The application behaviour blocker is a nice feature, and it does have script blocking in the paid version for those that want it.

    I tried the exploit mentioned in this post and it zips right through Kerio too.
     
  7. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Hi StevieO,

    Ok, IE wants access, at this point, how are you going to be able to tell whether there is a piggy-back process or not with the free version?

    Regards - Charles
     
  8. StevieO

    StevieO Guest

    Hi to you too zcv,

    Somehow I get the feeling you are asking a rhetorical question?

    So if you had some Solutions/Answers you could have saved time and helped everybody out by posting them at the time!

    Of course it's a good question, and it might be possible for something like that to occur. I would be very suspicious of IE wanting access through ZA without my initiating it in the first place though.


    StevieO
     
  9. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Can you explain what this is and how it's different from Kerio 2?

    For example, any application not given permission to connect out is blocked in Kerio 2.

    thanks,

    -rich
     
  10. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Same here, with the browser rule set normally to permit outbound access.

    I'm wondering how many do, or would consider doing StevieO's suggestion in post #3, where you manually grant access for outbound connections?

    What I've experimented with is to include my most frequented websites in the Custom Address list, such as Wilders. Then, I'm not nagged every time I open a new post or thread, but would be alerted if an exploit like Ron mentioned attempted out to another address.

    See attachment where the exploit was blocked when I unchecked the browser rule, prompting an alert.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     

    Attached Files:

  11. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Here are a few screenshots of the zabypass demo trying to get by Kerio 4.2. This is with the behaviour blocking enabled.
     

    Attached Files:

  12. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    This is what you were talking about Rich. I have to give permission for Firefox to connect as directed by the malware.
     

    Attached Files:

  13. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    I would suggest downloading the .chm or pdf file for a full rundown of the Kerio 4.2 features. As a long time user of Kerio 2.15, I find I like this version better.

    http://www.kerio.com/supp_kpf_manual.html
     

    Attached Files:

  14. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    -----
     

    Attached Files:

  15. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    -----
     

    Attached Files:

  16. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    This bypasses Outpost 3 as well. :(

    Thanks,

    Chris
     
  17. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Is anybody using Zone Alarm Pro that could give this bypass exploit a try?
     
  18. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    Let me install it real fast.

    Thanks,

    Chris
     
  19. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    Thanks for all of the screen shots. I'll look at the manual.

    When Kerio 4 was first released, there were many bad reports about it. Sounds like this version has cleaned things up.

    I notice you have NIPS checked and that it uses a database of attack signatures. When KPF goes out of business, I wonder if anyone else will take over updating this database. Kerio would probably have to release the source code rights.

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  20. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    With ZAP 6 using default settings it tells you ZABypass.exe is trying to use iexplorer to access the internet using DDE.

    Thanks,

    Chris
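An added illustration, not code from this thread or from any of the products discussed: a toy model of the outbound-rule decisions described in posts #3, #10 and #20. Program names, the "zabypass.exe" initiator and the hosts are constructed; it shows why an "allow browser by default" rule lets a DDE-driven request through, and how per-request prompting, a trusted-address list, or attributing the connection to the process driving the browser each surface it.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class OutboundRequest:
    owner: str                 # process that owns the socket (the browser)
    initiator: Optional[str]   # process steering the owner over DDE, if any
    host: str                  # destination the owner is asked to fetch

@dataclass(frozen=True)
class Policy:
    trusted_programs: frozenset   # programs with a standing "allow" rule
    allow_by_default: bool        # browser rule ticked to permit outbound access
    trusted_hosts: frozenset      # a "Custom Address" style allow list (post #10)
    inspect_initiator: bool       # OSFirewall-style: judge the process driving the connection

def decide(policy: Policy, req: OutboundRequest) -> str:
    """Return 'allow' or 'prompt' for one outbound request."""
    actor = req.owner
    if policy.inspect_initiator and req.initiator:
        actor = req.initiator          # attribute the connection to the DDE client
    if actor not in policy.trusted_programs:
        return "prompt"                # unknown program: raise an alert to the user
    if req.host in policy.trusted_hosts:
        return "allow"                 # known-good destination, no nag
    return "allow" if policy.allow_by_default else "prompt"

BROWSER = "iexplore.exe"
# Constructed sample requests: one driven through the browser by an untrusted
# program, one the user started by opening a thread on Wilders.
PIGGYBACK = OutboundRequest(BROWSER, "zabypass.exe", "attacker.example")
NORMAL = OutboundRequest(BROWSER, None, "www.wilderssecurity.com")

POLICIES = {
    "free_default":       Policy(frozenset({BROWSER}), True,  frozenset(), False),
    "stevieo_prompt_all": Policy(frozenset({BROWSER}), False, frozenset(), False),
    "rmus_address_list":  Policy(frozenset({BROWSER}), False,
                                 frozenset({"www.wilderssecurity.com"}), False),
    "osfirewall":         Policy(frozenset({BROWSER}), True,  frozenset(), True),
}

def run_scenarios() -> dict:
    """Decision for (piggyback request, normal request) under each policy."""
    return {name: (decide(p, PIGGYBACK), decide(p, NORMAL)) for name, p in POLICIES.items()}

if __name__ == "__main__":
    for name, (bad, good) in run_scenarios().items():
        print(f"{name:20s} piggyback={bad:6s} normal={good}")
```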
     
  21. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Thanks Chris.
     
  22. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    Good question Rich.
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    (this thread is being hijacked by KPF4)

    I just downloaded the manual. On p. 98, regarding script blocking:

    ------------------------------------
    Block JavaScript, Block VBScript
    Enable these options to filter all commands of the corresponding script run from
    a website.
    ------------------------------------

    Does this refer to browser scripts? If so it's great protection because Wormguard doesn't provide that type of script protection. See

    https://www.wilderssecurity.com/showthread.php?t=91194

    regards,

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  24. ronjor

    ronjor Global Moderator

    Joined:
    Jul 21, 2003
    Posts:
    57,721
    Location:
    Texas
    I am using the free version so those options aren't available to me.
     
  25. -----

    ----- Guest

    And SSM, ProcessGuard, Online Armor, et al.
     