8 Dec 2001 11:38:19
Matt Scarborough sums things up.
Date: 8 Dec 2001 11:38:19
From: Matt Scarborough
Subject: Re: [FW: Flawed outbound packet filtering in various personal firewalls]
On Fri, 7 Dec 2001 14:35:19 +0100, Keith Smith wrote:
>ZoneLabs posted this response on BugTraq. Apologies to those who
>are on both lists and have seen this already.
Thanks Keith. I'll add my AIA to those who've already had their fill
of rhetoric. Somewhere in here I do try to provide news to use.
Getting back to an issue primary to Tom Liston in his release of the
proof-of-concept tool Outbound, remember that in the absence of
responsible release of similar tools, Personal Firewall vendors'
marketing ploys may be the sole criteria on which we can judge the
effectiveness of their products.
Let's start by filtering ZoneLabs' distractions towards LaBrea and
Tom's erm... disappointment, then remove the cross-vendor blaming
strategy:
* A vulnerability exists in ZoneAlarm and ZoneAlarm Pro that allows
packet drivers to bypass Personal Firewalls.
* Te Smith, Zone Labs Inc.'s Corporate Communications Director,
announced that unexpected behavior allows a packet driver to bypass
any personal firewall.
* Te did not commit to a release date, but reported ZoneLabs is
preparing a patch with another build ready for testing sometime next
week.
* Te offered no direct workaround for ZoneAlarm users in the
interim, but added that Windows NT, 2000, and XP (Professional) users
may be afforded some protection from this threat since malicious
packet drivers would need Administrator privileges to load.
That's my spin-free advisory. Was that clear when you read
ZoneAlarm's response? As we move toward a world without full
disclosure, the vendors' claims of performance and fluffed advisories
may be our *only* source of security information.
Until then I'll piggy-back on Tom's work (Thanks Tom!) and add a
tidbit or two.
For current WinPCap 2.x, if an Administrator has previously
installed and loaded the WinPCap driver, i.e., used Ethereal,
WinSnort, or Windump, on her Windows 2000 box, *any* user can access
the packet driver.[1] This includes IUSR_ under
default IIS if WinSnort is running on that NTx box.
In the event we use WinPCap enabled capture utilities, but logoff
and logon as a less privileged user, e.g., to browse the web with
Internet Explorer, we are still vulnerable (with or without
ZoneAlarm).[2] One workaround is to invoke a cmd prompt and issue
net stop 'Netgroup Packet Filter' before logging off as an
Administrator. The kernel mode service name is available at
HKLM\SYSTEM\CurrentControlSet\Services\NPF and can be set to start
as manual or automatic by Registry edit.
The computing term 'bug' is often described as unexpected behavior.
I find it an outrageous abstraction of reality that 'a bug in
Windows NDIS layer' is blamed for this flaw in ZoneAlarm. WinPCap,
as both a packet capture *and* packet injection utility, is well
documented.
* WinPCap was a Microsoft sponsored project.[3]
* Its packet injection capability was presented at the 6th IEEE
Symposium on Computers and Communications.[4]
* Mike Davis (noted Win32 Snort 1.7 porter) presented details about
WinPCap at ToorCon2k[5] and mirrors the Politecnico di Torino
command line utility similar to Tom Liston's tool Outbound!
* Packet injection VC++ source code for Traffic Generator that
bypasses Personal Firewalls has been freely available to
WinPCap/Windump users since 1999.
Without Tom's work, and the blessing of full disclosure, we might
have waited another two years for this PFW hole to be quietly
patched. It seems to me that any Personal Firewall vendor making the
claim that its product protects against 'known and unknown Internet
threats'[6] would have somehow stumbled across the capabilities of
packet injection using alternative device drivers.
But today we've glimpsed the future. In some brave new world without
full disclosure, ZoneAlarm is bulletproof, ICSA Labs certifies it,
and the vendor pushing industry standards for handling security
vulnerabilities takes the heat for the flaws.
Matt Scarborough 2001-12-08
[1] WinPcap: the Free Packet Capture Architecture for Windows FAQ
http://netgroup.polito.it/winpcap/misc/faq.htm
[2] Information on the 'Nimda' Worm (MS01-020)
http://www.microsoft.com/technet/security/topics/Nimda.asp
[3] Politecnico di Torino
http://research.microsoft.com/programs/europe/projects.asp
[4] An Architecture for High Performance Network Analysis
http://www.polito.it/~risso/research/WinPcap.pdf
[5] ToorCon 2k
http://www.toorcon.org/
[6] ZoneAlarm(tm) Pro Security You Can Trust
http://www.zonelabs.com/
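The workaround in the message above (stop the NPF packet driver before logging off, and set its Start value to manual) can be turned into an audit-and-remediate check. The script below is an added example, not part of the original post or of WinPcap; it assumes a modern Windows host with PowerShell run from an elevated prompt, and the `-Remediate` switch and `$startNames` table are this script's own. The service name `NPF` and the registry path come from the message.

```powershell
param(
    [switch]$Remediate   # stop the driver and switch it to manual (demand) start
)

$drvName = 'NPF'
$regPath = "HKLM:\SYSTEM\CurrentControlSet\Services\$drvName"
# Registry Start values for a kernel driver: 0 boot, 1 system, 2 automatic, 3 manual, 4 disabled
$startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

if (-not (Test-Path $regPath)) {
    Write-Output "Driver '$drvName' is not installed; nothing to check."
    return
}

$start = [int](Get-ItemProperty -Path $regPath -Name Start).Start
# Get-Service does not list kernel drivers, so query the driver class directly
$drv   = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$drvName'"
$state = if ($drv) { $drv.State } else { 'Unknown' }

Write-Output ("{0}: Start={1} ({2}), State={3}" -f $drvName, $start, $startNames[$start], $state)

# Exposure condition from the message: once the driver is loaded, any local account
# (including a low-privilege one such as IUSR_ under IIS) can open the packet driver.
# Treat "loaded now" or "loads on its own at boot/start-up" as exposed.
$exposed = ($state -eq 'Running') -or ($start -le 2)
if (-not $exposed) {
    Write-Output 'OK: packet driver is not loaded and will not load automatically.'
    return
}
Write-Warning "'$drvName' is loaded or auto-starts; unprivileged users can reach the packet driver."

if ($Remediate) {
    # Same effect as the message's "net stop 'Netgroup Packet Filter'" plus Start=3 (manual).
    # sc.exe is used because Stop-Service/Set-Service do not operate on kernel drivers.
    if ($state -eq 'Running') { & sc.exe stop $drvName | Out-Null }
    & sc.exe config $drvName start= demand | Out-Null
    Write-Output "Stopped '$drvName' and set it to manual start; load it only while capturing."
}
```

Run without `-Remediate` to audit only; with manual start the driver is loaded again the next time an Administrator starts a WinPcap-based capture tool, so the check is worth repeating before handing the machine to a less privileged session.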