Malicious code could trick ZoneAlarm firewall

Discussion in 'other firewalls' started by ronjor, Sep 30, 2005.

Thread Status:
Not open for further replies.
  1. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Hello,

    I don't understand why the "DDE exploit" all of a sudden seems to be "news"; I thought that the 'Surfer' leaktest had already been exploiting this for a while:
    http://www.firewallleaktester.com/leaktest15.htm

    Now maybe the current exploit uses it in another way, but it is still the same known idea apparently.

    Regards,

    gkweb.

    EDIT: the ZA version I tested was indeed passing Surfer and is not passing (from what has been said) this new version. I wonder if they have changed anything in their firewall; I will test it more deeply when I do the tests again.
     
    Last edited: Oct 3, 2005
  2. controler

    controler Guest

    Is there still a good link to the exploit?
    All I get is a blank page with Firefox. Wanted to try it on KIS 2006.


    thanks

    controler
     
  3. -----

    ----- Guest

    Unlike surfer, for this new test SSM does not "see" the attempt to use IE start. Why this is so......
     
  4. gkweb

    gkweb Expert Firewall Tester

    Joined:
    Aug 29, 2003
    Posts:
    1,932
    Location:
    FRANCE, Rouen (76)
    Thanks for the explanations.

    However, as quoted from the PoC's PDF (and as said in this thread by "unhappy_viewer") :

    So if the Advanced Program Control is enabled, which is the case when I test ZAF Pro, ZA should see and block the exploit.

    I will have to test this PoC myself to see what happens exactly :)

    Regards,

    gkweb.
     
  5. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    As far as I know, depending on the version you are testing, 'program control' should be enabled...

    With all non-free ZA 6 - it is blocked by the default settings
    With all non-free ZA 5.5 - it is blocked by 'program control'

    Free version 6 does not block it
    Free version of 5.5 above/equal to 5.5.094 does not block it
    Free version of 5.5 from 5.5.062.011 blocks it

    ;)

    Fax
    P.S. The explanation by the author of the PoC is poor since it was tested on a non-functional (at least the OS firewall) ZA Pro 6. Most likely tested on a corrupted database (that unfortunately happens quite often in ZA6)
     
    Last edited: Oct 6, 2005
  6. zcv

    zcv Registered Member

    Joined:
    Dec 11, 2002
    Posts:
    355
    Hi StevieO. sorry for not getting back to you sooner.

    Half right, you didn't explain why not giving IE auto permission would guard against this particular exploit.
    As we all would - but that doesn't address this issue.
    I run the last ZAP 5.5 version with Program Control running high - always have. That's my suggestion.

    This exploit has been around a long time - so you and others have been living with it for just as long. Why the excitement now?

    I'm running Sygate free on another XP installation and I've lived with this vulnerability all this time as well and will continue to do so.

    Regards - Charles
     
  7. Albinoni

    Albinoni Registered Member

    Joined:
    Feb 17, 2005
    Posts:
    711
    Location:
    Perth, Western Australia
    I am using ZA Pro 6. I've had a look in my settings re Program Control and apparently "Enable Advanced Program Control" is not ticked, so should I tick it or leave it?
     
  8. TeknO

    TeknO Registered Member

    Joined:
    Feb 18, 2005
    Posts:
    147
    Location:
    Istanbul, TURKEY
    You must tick it.
     
  9. Chris12923

    Chris12923 Registered Member

    Joined:
    May 31, 2004
    Posts:
    1,097
    You do not have to tick this.

    ZA6 Pro will alert to this attack with default settings. TeknO, did you actually try this or are you just suggesting it be ticked? I have tried it and it is blocked and alerted on without the box ticked.

    This is not intended to be rude just saying that on my system it did detect the attempt without being ticked.

    Thanks,

    Chris
     
    Last edited: Oct 4, 2005
  10. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Yes, I can also confirm (tested) you do not need to tick it unless you want to for other reasons than the DDE vulnerability ;)
     
  11. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    I just tried the zabypass.exe program to see what would happen. I am using Kerio 2.1.5, so I wanted to see if it would get through. I figured that it would get through Kerio, but that maybe something else would catch it.

    Well, I didn't find out. Nothing happened at all. Maybe I somehow disabled this exploit, or maybe my OS isn't vulnerable. I am using Windows 98 SE.

    Phil
     
  12. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237

    I stopped being a fan of ZoneAlarm a long time ago. Nevertheless, your post has me wondering about something. And that is this: Which is the best free version of ZA?

    Phil
     
  13. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Phil,
    as far as the 'DDE exploit' is concerned, even ZA 4.5 free is NOT vulnerable!

    For the rest.... I really don't know.

    Fax
     
  14. StevieO

    StevieO Guest

    Hi zcv and everybody,

    Well i wouldn't call it excitement lol

    My earlier posts, as you will see, are based on my usual strict policy of not allowing ZA to automatically give anything access out.

    This has proved time and time again to be a wise choice, and as Rmus says, it only takes a second or two to click to allow something you want.

    Today i found time to DL and try the test out several times. At first WinSonar jumps straight in and blocks it, as it always does to any unknown .EXE's.

    When i allowed it through WinSonar with an instance of IE running, i got taken to the test sitte demp page as you will see in my Screen Shot !

    http://img24.imageshack.us/img24/4691/zabpd12fk.png

    After i closed IE and retried, i got the normal ZA alert box asking me for permission, which i declined.

    I am running ZA Free 5.5.062.000 on this particular 98SE PC.

    So i can confirm that this version is actually susceptible to this POC after all, contrary to what is stated elsewhere!


    StevieO
     
  15. StevieO

    StevieO Guest

    The line should read

    When i allowed it through WinSonar with an instance of IE running, i got taken to the test "SITE DEMO" page as you will see in my Screen Shot !

    Don't know what happened there sorry !


    StevieO
     
  16. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Hi StevieO,

    you can find the test on 5.5.062 and previous versions + screenshot at this link:

    forum.zonelabs.org/zonelabs/board/message?board.id=security&message.id=13110#M13110

    Who is right who is wrong? No idea...may be others with 5.5.062 can also give a try to PoC.

    Or may be we just simply stick to what ZA have said in their note... :D

    Fax
     
  17. StevieO

    StevieO Guest

    Hi fax,

    It would appear that, as usual, not all versions are equal!

    Quite a few mentions are given on various forums etc. to V 5.5.062 without the extended numbers on the end. No wonder there is some confusion over this!

    The V i tested was 5.5.062.000 and the link you gave was for V 5.5.062.011

    I don't know how many V's there are between the above two, and where the cutoff point for the vulnerability begins?


    Posted by dr_del

    Well I did a clean uninstall and even cleaned out the prefetch folder and installed the free version of 5.5.062.011 without any problems. I'd forgotten how few options it really has for the level of protection it offers.

    So I let IE (7 in this case) out just to make sure the net was available, then clicked on the PoC - and it blocked it.


    StevieO
     
  18. fax

    fax Registered Member

    Joined:
    May 30, 2005
    Posts:
    3,898
    Location:
    localhost
    Thanks StevieO for clarifying!
    Uhhm, in any case very weird... :eek:

    Fax
     
  19. unhappy_viewer

    unhappy_viewer Registered Member

    Joined:
    Sep 16, 2005
    Posts:
    259
    Technically all free versions are vulnerable to this. Remember the vulnerability is to use a trusted application to send information to the internet. The 'malware' should not make a direct connection by itself.

    When I saw the pics in that post in the ZA forum, I got suspicious of it for a few reasons:
    1) Why is zabypass.exe asking for a direct connection to the internet? The program was supposed to use IE to gain access to the net and therefore remain invisible to ZA's program protection. You may argue that the specified version is not vulnerable, but that should not be the case. If it's not vulnerable, it should have prompted you to give IE permission (if you ask ZA not to remember the setting), not zabypass.exe.
    2) If you set ZA to prompt you for permission each time an application is opened, it should ask if you allow the application to the internet/trusted zone, not a URL. I have not seen cases where ZA prompts you to give permission to a program to access a URL.
    3) ZA always lists the proper IP that the program is trying to access. 0.0.0.0 isn't a valid internet IP and is especially strange if ZA told you that the program was trying to visit a URL.

    I may be wrong on the above points but those are the reasons why I suspect that something is wrong. Either the program he downloaded is corrupted, or he made a bogus picture to try to get people to remain on the free version of 5.5, especially at a time when people are having lots of trouble installing ZA 6, or Microsoft has done something to IE 7. So far no users of the free version of ZA 5.5.062.011 have come forth to validate his claim, be it they are using IE 6 or IE 7. So I'd still say all free versions are vulnerable, as mentioned in ZL's security advisory.
     
    Last edited: Oct 6, 2005
  20. -----

    ----- Guest

    Not only WinSonar. SSM, PG, et al. have the same problem. Probably AE too; can someone confirm?
     
  21. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes - with AE or any program using a white list. Once you permit something to run, it goes.

    I allowed it to run but Kerio blocked the outbound attempt to the site.

    -rich
    ________________
    ~~Be ALERT!!! ~~
     
  22. ------

    ------ Guest

    I was personally hoping that SSM at least, which claims to be a system firewall, would catch such attempts at inter-process communication.
    Ditto for PG, which claims to guard processes.

    I suppose AE does not claim to be either, so I can let it off the hook.

    I wasn't aware Kerio blocks this test. Are you using unconventional rule settings, such as not giving Opera access to the web?
     
  23. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    4,020
    Location:
    California
    Yes. I have several browser rules - the one at the top uses custom addresses, such as Wilders, so that any other outbound attempt will alert.

    Otherwise, Kerio doesn't flag this test.

    -rich
    ________________
    ~~Be ALERT!!! ~~
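    The following is an added example written for this thread, not code from ZoneAlarm, Kerio, the Surfer leaktest or the zabypass PoC. It models, as pure functions over a constructed event stream, the three policies discussed above: plain program control (allow by the name of the connecting process), Rmus's rule set (the browser may only reach listed hosts, anything else alerts), and an "advanced program control" that attributes a trusted application's connection to the untrusted process that drove it through inter-process messaging, which is how the DDE leak works. It also shows unhappy_viewer's point: a prompt naming zabypass.exe only arises if the program connects directly. Process names, host names and the event format are assumptions made for the illustration.

```python
"""Why an allow-by-program rule for the browser lets a DDE-driven leak
through, and which policies catch it.

Added example for this thread; not code from ZoneAlarm, Kerio, Surfer or
the zabypass PoC. Three policies are modelled as pure functions:
  1. program control only: allow if the connecting process is trusted;
  2. program control plus a per-application host list (Rmus's rule set):
     the browser may reach only its listed hosts, anything else alerts;
  3. advanced program control: a trusted application's connection is
     attributed to the untrusted process that last sent it an IPC request
     (a DDE request in the PoC's case).
Process names, host names and the event format are assumptions.
"""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple

Verdict = Tuple[str, str, str]  # (attributed process, host, "allow" | "alert")


@dataclass
class Event:
    kind: str        # "ipc": proc sends an IPC request to target
                     # "connect": proc opens an outbound connection to host
    proc: str
    target: str = ""
    host: str = ""


TRUSTED_APPS: Set[str] = {"iexplore.exe"}

# Constructed stream for the PoC: the test program never connects itself;
# it asks IE (by DDE) to open a URL and IE makes the connection.
DDE_LEAK = [
    Event("ipc", proc="zabypass.exe", target="iexplore.exe"),
    Event("connect", proc="iexplore.exe", host="poc.example"),
]

# Constructed stream for a program that connects directly: this is what a
# "zabypass.exe wants to access the internet" prompt would correspond to.
DIRECT = [Event("connect", proc="zabypass.exe", host="poc.example")]

# Constructed stream for ordinary browsing with no other process involved.
BENIGN = [Event("connect", proc="iexplore.exe", host="www.wilderssecurity.com")]


def program_control(events: List[Event]) -> List[Verdict]:
    """Policy 1: decide on the connecting process name alone."""
    out: List[Verdict] = []
    for e in events:
        if e.kind == "connect":
            decision = "allow" if e.proc in TRUSTED_APPS else "alert"
            out.append((e.proc, e.host, decision))
    return out


def program_control_with_hosts(events: List[Event],
                               hosts: Dict[str, Set[str]]) -> List[Verdict]:
    """Policy 2: a trusted application may reach only its listed hosts;
    every other outbound attempt alerts (the top rule in Rmus's set)."""
    out: List[Verdict] = []
    for e in events:
        if e.kind == "connect":
            ok = e.proc in TRUSTED_APPS and e.host in hosts.get(e.proc, set())
            out.append((e.proc, e.host, "allow" if ok else "alert"))
    return out


def advanced_program_control(events: List[Event]) -> List[Verdict]:
    """Policy 3: remember which untrusted process last sent an IPC request
    to each trusted application and attribute that application's next
    connection to the requester. The attribution is consumed once used, so
    later browsing by the user is judged on IE's own name again."""
    driver: Dict[str, str] = {}
    out: List[Verdict] = []
    for e in events:
        if e.kind == "ipc" and e.proc not in TRUSTED_APPS:
            driver[e.target] = e.proc
        elif e.kind == "connect":
            origin = driver.pop(e.proc, e.proc)
            decision = "allow" if origin in TRUSTED_APPS else "alert"
            out.append((origin, e.host, decision))
    return out


if __name__ == "__main__":
    rules = {"iexplore.exe": {"www.wilderssecurity.com"}}
    for name, stream in (("DDE leak", DDE_LEAK), ("direct", DIRECT), ("benign", BENIGN)):
        print(name)
        print("  program control:        ", program_control(stream))
        print("  program control + hosts:", program_control_with_hosts(stream, rules))
        print("  advanced program control:", advanced_program_control(stream))
```

    Run as a script it prints, for each stream, what each policy decides: the DDE leak is allowed under plain program control because the connection is IE's, alerted under the host list because the PoC site is not listed, and alerted under advanced program control with zabypass.exe named as the origin; the direct stream alerts on zabypass.exe under every policy; ordinary browsing is allowed under all three.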
     
  24. -----

    ----- Guest

    I suppose that's one way to deal outright with the problem of leak tests, though I doubt this method appeals to most people since it's extremely troublesome for people who like to roam the net.

    I read above another alternative that might rule out most leak tests without this drawback.
     
  25. pcalvert

    pcalvert Registered Member

    Joined:
    May 21, 2005
    Posts:
    237
    But it would work quite well in those cases where only limited access to the network is needed. Example: Person uses Linux for most web surfing, but boots into Windows occasionally to use some utility that needs to connect to a limited number of web sites.


    Which is? I'm sorry, but I'm not certain what alternative you are referring to.


    Phil
     