Unsecure file permission of ZoneAlarm pro.

From: Bipin Gautam (visitbipin_at_hotmail.com)
Date: 08/20/04

  • Next message: http-equiv_at_excite.com: "What A Drag II XP SP2"
    Date: 20 Aug 2004 02:51:37 -0000
    To: bugtraq@securityfocus.com
    
    
    ('binary' encoding is not supported, stored as-is)

    Hello list,

    Zone Alarm stores its config. files in %windir%\Internet Logs\* . But strangely,

    ZoneAlarm sets the folder/file permission (NTFS) of %windir%\Internet Logs\* to,

    EVERYONE: Full

    after its first started.

    Even If you try to change the permission to...

    Administrator (s): full
    system: full
    users: read and execute
    [these are the default permissions]

    Strangely, the permission again changes back to... EVERYONE: Full each time

    ZoneAlarm Pro (ZAP) is started. I've tested these in zap 4.x and 5.x

            This could prove harmful if we have a malicious program/user running with

    even with a user privilege on the system.

    Well a malicious program could modify those config file in a way ZAP will stop

    functioning. This is what ZoneLabs had to say...

    ---snip-------
    >anyone could open any ZoneAlarm file
    > (assuming it isn't locked), edit it with a hexeditor and
    > cause it to stop functioning. This type of modification
    > wouldn't be classified as an attack, as you have simply
    > modified the file and caused it to not function as expected.
    > This is true of any executable or other binary.
    >
    ---/snip-------
    yap, true... but shouldn’t ZAP have some protection against such attacks? instead

    of leaving the permission to " EVERYONE: Full " I wonder if a program could bypass

    ZAP filters using "safePrograms*.xml" [...experimenting]

    anyone wanna take this thing to a new level, please go on...

    Regards,

    Bipin Gautam
    http://www.geocities.com/visitbipin/


  • Next message: http-equiv_at_excite.com: "What A Drag II XP SP2"