ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability
From: doxical (doxical@WANADOO.FR)Date: 10/17/02
- Previous message: Russ: "Alert: Microsoft Security Bulletin - MS02-061"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Thu, 17 Oct 2002 13:40:53 +0200 From: doxical <doxical@WANADOO.FR> To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability
As contributed to HNS by Abraham Lincoln <sunninja@scientist.com>
NSSI Technologies Inc Research Labs Security Advisory
http://www.nssolution.com (Philippines / .ph)
"Maximum e-security"
http://nssilabs.nssolution.com
ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability
Author: Abraham Lincoln Hao / SunNinja
e-Mail: abraham@nssolution.com / SunNinja@Scientist.com
Advisory Code: NSSI-2002-zonealarm3
Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K
Professional / WinNT 4.0 workstation
Vendor Status: Zone Labs is already contacted 1 month ago and they informed
me that they going to release an update or new version to patched the
problem. This vulnerability is confirmed by the vendor.
Vendors website: http://www.zonelabs.com
Severity: High
Overview:
New ZoneAlarm® Pro delivers twice the security-Zone Labs' award-winning,
personal firewall trusted by millions, plus advanced privacy features. the
award-winning PC firewall that blocks intrusion attempts and protects
against Internet-borne threats like worms, Trojan horses, and spyware.
ZoneAlarm Pro 3.1 and 3.0 doubles your protection with enhanced Ad Blocking
and expanded Cookie Control to speed up your Internet experience and stop
Web site spying. Get protected. Compatible with Microsoft® Windows®
98/Me/NT/2000 and XP.
ZoneAlarm Pro 3.1.291 and 3.0 contains vulnerability that would let the
attacker consume all your CPU and Memory usage that would result to Denial
of Service Attack through sending multiple syn packets / synflooding.
Details:
Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contains a vulnerability that would
let the attacker consume all your CPU and Memory usage that would result to
Denial of Service Attack through Synflooding that would cause the machine to
stop from responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 is also
vulnerable with IP Spoofing. This Vulnerabilities are confirmed from the
vendor.
Test diagram:
[*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===>
[Host with ZoneAlarm]
1] Tested under default install of the 2 versions after sending minimum of
300 Syn Packets to port 1-1024 the machine will hang-up until the attack
stopped.
2] We configured the ZoneAlarm firewall both version to BLOCK ALL traffic
setting after sending a minimum of 300 Syn Packets to port 1-1024 the
machine will hang-up until the attack stopped.
Workaround:
Disable ZoneAlarm and Hardened TCP/IP stack of your windows and Install
latest Security patch.
Note: To people who's having problem reproducing the vulnerability let me
know :)
Any Questions? Suggestions? or Comments? let us know.
e-mail: nssilabs@nssolution.com / abraham@nssolution.com /
infosec@nssolution.com
greetings:
nssilabs team, especially to b45h3r and rj45, Most skilled and pioneers of
NSSI good luck!. (mike@nssolution.com / aaron@nssolution.com), Lawless the
saint ;), dig0, p1x3l, dc and most of all to my Lorie.
------------------------
+a doxical
www.doxi-security.com
- Previous message: Russ: "Alert: Microsoft Security Bulletin - MS02-061"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
