Re: [Full-Disclosure] SOHO firewalls trust everyone? WAS Unsecure file permission of ZoneAlarm pro. (ZA will fail to load)

From: Barrie Dempster (barrie_at_reboot-robot.net)
Date: 08/23/04

    To: BoneMachine <bonemach@sdf.lonestar.org>
    Date: Mon, 23 Aug 2004 16:31:53 +0100

    (BoneMachine you forgot to hit "reply all", the list didn't get your
    email.)

                [ scroll down for my reply ]

    On Mon, 2004-08-23 at 15:04, BoneMachine wrote:
    > Hello
    > Bipin showed that a method to prevent ZA to load is to change the attributes of the files within %windir%/Internet Logs using the attrib command.
    > This is obviously something different than changing the ACL of the directory.
    > Have you (or anybody on the list for that matter) tested changing the attributes to cause a DoS?
    > Also, if I follow the discussion correctly, it is possible to delete or move the config file from the directory. Will this result in a DoS, or is some overly permissive default configuration created when the config files are moved from the directory?
    >
    > Thank you for your time,
    > Bone Machine
    >
    > ---
    > "I can hardly wait Betty" - The Pixies

    I've tried deleting the files. The only deletable files while the
    program is running are BACKUP.RDB and ZALog.txt; all the rest are locked
    by the running process. But if you stop the process you can modify any
    file you like. The files are replaced on reload, but my settings
    disappear: my firewall rules and other configuration modifications and
    so on are all defaulted.

    This is not an issue for ZA? Any user on my system can modify my
    configuration if at any point ZA is shut down or crashes?

    I've also tried controlling ZA as a normal user, no wait, a RESTRICTED
    user (as per the Windows 2000 add user wizard). I was able to switch the
    firewall off completely and change the settings, so I don't need to
    delete or modify any files; I can break the firewall as anyone. ZA is
    designed to be a home/office product; ZoneLabs assume that everyone in
    the home or office should be allowed to mess with the firewall from a
    convenient location in the system tray. This is how most SOHO firewalls
    work. *!*_THIS IS BAD BAD BAD!_*!*

    MS have moved their OS to a more multi-user orientated approach with
    versions starting at 2k (although they still are determined to give the
    first user admin privs as well as the admin user), but most of the
    products running on the OS, such as this _security_ product, still treat
    it as a one-user system; privilege separation is an alien concept to
    them. This makes many of the firewall's features useless.

    For example, if I want to stick a trojan on a ZA machine I know that as
    any user I can......
    1. Stop the firewall process
    2. Install my trojan
    3. Set the firewall to insanely open
    4. Have my merry way owning this user spamming the zonelabs security
    team with "how to rip off your users with a fake security program"
    emails and DoSing SCO, just for fun.

    The user won't suspect a thing because ZA didn't pop up and say
    "
    Hello, you've been owned, would you like evil_trojan.exe to rape the
    internet on your behalf?
            [DENY] [ALLOW]
    ".

    Maybe someone from ZoneLabs can explain to me the usefulness of keeping
    a list of programs allowed to access the net or a list of allowed
    outgoing ports if an attacker can modify this list at will without even
    breaking out of a restricted account? I don't see your logic; why not
    just switch off the outgoing filter altogether? Seems like wasted CPU
    cycles which could be much better utilised by the trojan that previously
    infected the system and trivially bypassed the _firewall_.

    I don't want to single out ZA for this, as I know other firewalls have
    the same setup. They are utterly useless at protecting against
    ANYTHING on the inside; the outbound filtering is broken if the rogue
    program can modify it at will. Security programs MUST be separated from
    the regular users on the system, or they provide no real protection at
    all.

    The argument against this could be "but a single user system will only
    have one user and they will have admin privs anyway so it wouldn't
    matter".

    My answer to that would be: the user only has admin privileges because
    of bad security design on the part of the OS vendor. Their design being
    broken isn't a valid reason to duplicate it. As vendors of security
    products, ZoneLabs and their peers as SOHO firewall developers should
    educate the user in the proper methods for securing their system.

    A false sense of security may benefit the pockets of the vendors'
    shareholders, but it has a detrimental effect on their clients. IMO this
    is wilful negligence and a sure-fire sign you should avoid the vendor's
    products.

    -- 
    Barrie Dempster (zeedo) - Fortiter et Strenue
      http://www.bsrf.org.uk
    [ gpg --recv-keys --keyserver www.keyserver.net 0x96025FD0 ]

    _______________________________________________
    Full-Disclosure - We believe in it.
    Charter: http://lists.netsys.com/full-disclosure-charter.html
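A check for the two weaknesses Barrie describes (a configuration directory that ordinary users can write to, and a firewall service that ordinary users can stop), as an added PowerShell audit example that is not part of the original thread or of ZoneLabs' software. $ConfigDir defaults to the %windir%\Internet Logs path named in the thread; $ServiceName is a placeholder, and the low-privilege principal lists and the SDDL right codes tested (WP = stop, DC = change config) are assumptions.

```powershell
<#
  Added audit example, not code from the original thread or from ZoneLabs.
  Reports whether a low-privilege user could change the product's config
  files or stop its service. $ServiceName is a placeholder to replace with
  the real service name of the product being checked.
#>
param(
    [string]$ConfigDir   = "$env:windir\Internet Logs",   # path named in the thread
    [string]$ServiceName = 'PLACEHOLDER_FIREWALL_SERVICE'
)

# Principals that stand in for "any user on the system" (assumed list)
$LowPrivNames = @('BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                  'NT AUTHORITY\INTERACTIVE', 'Everyone')
# SDDL aliases for the same principals, as printed by sc.exe sdshow
$LowPrivSddl  = 'BU|AU|IU|WD'

function Get-ConfigDirWeakAces {
    # Returns the Allow ACEs that let a low-privilege principal alter the directory
    param([string]$Path)
    $rights = [System.Security.AccessControl.FileSystemRights]
    $write  = [int]($rights::Write -bor $rights::Delete -bor $rights::ChangePermissions)
    (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $LowPrivNames -contains $_.IdentityReference.Value -and
        (([int]$_.FileSystemRights) -band $write) -ne 0
    }
}

function Test-ServiceSddlStoppableByUsers {
    # WP = SERVICE_STOP, DC = SERVICE_CHANGE_CONFIG in a service's SDDL DACL
    param([string]$Sddl)
    $pattern = "\(A;[^;]*;([A-Z]+);;;($LowPrivSddl)\)"
    foreach ($m in [regex]::Matches($Sddl, $pattern)) {
        # rights are two-letter codes packed together; split them into pairs
        $codes = [regex]::Matches($m.Groups[1].Value, '..') | ForEach-Object { $_.Value }
        if ($codes -contains 'WP' -or $codes -contains 'DC') { return $true }
    }
    return $false
}

$weak = @(Get-ConfigDirWeakAces -Path $ConfigDir)
if ($weak.Count) { "WEAK: normal users can modify $ConfigDir"; $weak | Format-Table IdentityReference, FileSystemRights }
else             { "OK: $ConfigDir is not writable by normal users" }

$sddl = (& sc.exe sdshow $ServiceName | Where-Object { $_ -match '^D:' }) -join ''
if (Test-ServiceSddlStoppableByUsers $sddl) { "WEAK: normal users can stop or reconfigure service $ServiceName" }
else                                        { "OK: service $ServiceName cannot be stopped by normal users" }
```

Run it from an elevated prompt so that Get-Acl and sc.exe can read the descriptors; either WEAK line means the product's protection can be switched off from a restricted account, which is exactly the situation the post describes.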
