NSSI Technologies Inc Research Labs Security Advisory

http://www.nssolution.com (Philippines / .ph)
"Maximum e-security"

http://nssilabs.nssolution.com

ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

Advisory Code: NSSI-2002-zonealarm3

Tested: Under Win2k Advanced Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional / WinNT 4.0 Workstation

Vendor Status: Zone Labs was contacted 1 month ago and informed me that they are going to release an update or new version to patch the problem. This vulnerability is confirmed by the vendor.

Vendor's website: http://www.zonelabs.com

Severity: High

Overview:

New ZoneAlarm® Pro delivers twice the security—Zone Labs’ award-winning personal firewall trusted by millions, plus advanced privacy features. It is the award-winning PC firewall that blocks intrusion attempts and protects against Internet-borne threats like worms, Trojan horses, and spyware. ZoneAlarm Pro 3.1 and 3.0 doubles your protection with enhanced Ad Blocking and expanded Cookie Control to speed up your Internet experience and stop Web site spying. Get protected. Compatible with Microsoft® Windows® 98/Me/NT/2000 and XP.

ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that lets an attacker consume all of the host's CPU and memory by sending multiple SYN packets (SYN flooding), resulting in a denial of service.

Details:

Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contain a vulnerability that lets an attacker consume all of the host's CPU and memory through SYN flooding, resulting in a denial of service that causes the machine to stop responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 are also vulnerable to IP spoofing. These vulnerabilities are confirmed by the vendor.

Test diagram:

[*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch]===> [Host with ZoneAlarm]

1] Tested under the default install of the 2 versions: after a minimum of 300 SYN packets are sent to ports 1-1024, the machine hangs until the attack stops.

2] We configured the ZoneAlarm firewall in both versions to the BLOCK ALL traffic setting: after a minimum of 300 SYN packets are sent to ports 1-1024, the machine hangs until the attack stops.

Workaround:

Disable ZoneAlarm, harden the TCP/IP stack of your Windows system, and install the latest security patch.

Note: Anyone having problems reproducing the vulnerability, let me know :)

Any Questions? Suggestions? or Comments? Let us know.

e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com

greetings:
nssilabs team, especially to b45h3r and rj45, most skilled and pioneers of NSSI, good luck! (mike@nssolution.com / aaron@nssolution.com), Lawless the saint ;), dig0, p1x3l, dc and most of all to my Lorie.

----- Original Message -----
From: Packet Storm Security
Date: Tue, 24 Sep 2002 00:16:19 -0700
To: Abraham Lincoln
Subject: Re: T-shirt

> On Mon, Sep 23, 2002 at 10:40:11PM +0800, Abraham Lincoln wrote:
> > Mr. Alan,
> >
> > Hi! how are yah! :) hows the weekend?
>
> good!
>
> > Have u receive my reply last week? regarding my personal information and address? Thanks!
>
> Yea, I put a tshirt in a box, it's in my car now, I have to wait in line at the post office...
>
> -Alan
>
> > Best Regards,
> > -Abraham-
> >
> > ----- Original Message -----
> > From: Packet Storm Security
> > Date: Thu, 19 Sep 2002 17:16:26 -0700
> > To: Abraham Lincoln
> > Subject: Re: T-shirt
> >
> > > Sure, send your address and I will send you one of the shirts with the shellcode on it.
> > >
> > > What size?
> > >
> > > -Alan
> > >
> > > On Thu, Sep 19, 2002 at 09:19:01PM +0800, Abraham Lincoln wrote:
> > > > Hi.. Alan are u sure? :) that would be greatly appreciated...
> > > > im from Philippines (.ph) we're one of ur biggest supporters of ur site :) my technical people is visiting ur site 20 hours a day :) just to look for updates etc...
> > > >
> > > > And i know that PHC people and el8 is trying to mess with websites like ur website and sec. companies thats part of the game... We will win this fight :)
> > > >
> > > > Anyway Thanks again... ive downloaded ur t-shirts jpg the one with HEX hehe im obsessed with it but too expensive ;/ peso or .ph money is too low value.
> > > >
> > > > more power...
> > > >
> > > > cheers
> > > > abraham
> > > >
> > > > ----- Original Message -----
> > > > From: Packet Storm Security
> > > > Date: Wed, 18 Sep 2002 23:13:44 -0700
> > > > To: Abraham Lincoln
> > > > Subject: Re: NSSI-2002-sygatepfw5: Sygate Personal Firewall IP Spoofing Vulnerability
> > > >
> > > > > I'll send you one if you are sure that you deserve it.
> > > > >
> > > > > -Alan
> > > > >
> > > > > On Wed, Sep 18, 2002 at 09:50:56AM +0800, Abraham Lincoln wrote:
> > > > > > Alan!,
> > > > > > hey thanks ;) maybe u shld send me a Packetstorm T-Shirt i love it! heh ;) just jokin.
> > > > > >
> > > > > > Cheers!
> > > > > > Abraham
> > > > > >
> > > > > > ----- Original Message -----
> > > > > > From: Packet Storm Security
> > > > > > Date: Tue, 17 Sep 2002 14:25:42 -0700
> > > > > > To: Abraham Lincoln
> > > > > > Subject: Re: NSSI-2002-sygatepfw5: Sygate Personal Firewall IP Spoofing Vulnerability
> > > > > >
> > > > > > > Thanks!
> > > > > > >
> > > > > > > http://packetstormsecurity.org/advisories/misc/sygate.spoof.txt fd159524034055f564376f851a3a20bd NSSI-Research Labs Security Advisory NSSI-2002-sygatepfw5 - The Sygate Personal Firewall v5.0 does not log or block packets with a source address set to 127.0.0.1, allowing denial of service and other attacks.
> > > > > > > Tested under Win2k Advanced Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional. Homepage: http://www.nssolution.com. By Abraham Lincoln Hao
> > > > > > >
> > > > > > > -Alan
> > > > > > >
> > > > > > > On Mon, Sep 16, 2002 at 11:32:13PM +0800, Abraham Lincoln wrote:
> > > > > > > > NSSI-Research Labs Security Advisory
> > > > > > > >
> > > > > > > > http://www.nssolution.com (Philippines / .ph)
> > > > > > > > "Maximum e-security"
> > > > > > > >
> > > > > > > > http://nssilabs.nssolution.com
> > > > > > > >
> > > > > > > > Sygate Personal Firewall 5.0 IP Spoofing Vulnerability
> > > > > > > >
> > > > > > > > Author: Abraham Lincoln Hao / SunNinja
> > > > > > > >
> > > > > > > > e-Mail: abraham@nssolution.com / SunNinja@Scientist.com
> > > > > > > >
> > > > > > > > Advisory Code: NSSI-2002-sygatepfw5
> > > > > > > >
> > > > > > > > Tested: Under Win2k Advanced Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional
> > > > > > > >
> > > > > > > > Vendor Status: Vendor already accepted the vulnerability and they will be releasing a new version to patch the vulnerability
> > > > > > > >
> > > > > > > > Vendor's website: http://www.sygate.Com
> > > > > > > > Severity: High
> > > > > > > >
> > > > > > > > Overview:
> > > > > > > > Sygate Personal Firewall 5.0 is a host-based firewall designed to protect your PC against attacks from both the Internet and other computers in the local network.
> > > > > > > >
> > > > > > > > Sygate Personal Firewall 5.0 for the Windows platform contains an IP spoofing vulnerability. This vulnerability could allow an attacker with a source IP of 127.0.0.1 to attack the host protected by Sygate Personal Firewall without being detected.
> > > > > > > > Sygate Personal Firewall is having a problem detecting incoming traffic with source IP 127.0.0.1 (loopback address)
> > > > > > > >
> > > > > > > > Details:
> > > > > > > >
> > > > > > > > Test diagram:
> > > > > > > > [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch]===> [Host with SPF]
> > > > > > > >
> > > > > > > > 1] IP Spoofing Vulnerability Default Installation
> > > > > > > >
> > > > > > > > - SPF is vulnerable to an IP spoofing attack by scanning the host with a source IP address 127.0.0.1 or network address 127.0.0.0. The attacker could scan or attack the target host without being detected by the personal firewall. This vulnerability is very serious w/c an attacker could start a Denial of Service attack against the SPF protected host and launch any form of attack.
> > > > > > > > - To those who want to try to simulate the vulnerability, you may use source address 127.0.0.1 - 127.0.0.255 ;)
> > > > > > > >
> > > > > > > > Workaround:
> > > > > > > >
> > > > > > > > 1] Set the SPF to BLOCK ALL mode setting which i don't think the user would do ;) This type of setting would block everything, all incoming and outgoing requests.
> > > > > > > >
> > > > > > > > 2] Block source address 127.0.0.1 or 127.0.0.0 network address manually in Advanced rules section.
> > > > > > > >
> > > > > > > > Any Questions? Suggestions? or Comments? let us know. (Free your mind)
> > > > > > > >
> > > > > > > > e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com
> > > > > > > >
> > > > > > > > greetings:
> > > > > > > > nssilabs team bring the heat! ;) Lawless the saint ;), dig0, b45h3r, jethro, mr.
> > > > > > > > d.f.a, p1x3lb0y, rj45-gu1t4rgawd and to our webmaster raymund (R2/D2)
> > > > > > > >
> > > > > > > > --
> > > > > > > > __________________________________________________________
> > > > > > > > Sign-up for your own FREE Personalized E-mail at Mail.com
> > > > > > > > http://www.mail.com/?sr=signup
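
The two conditions these advisories describe (a burst of at least 300 SYN packets to ports 1-1024, and inbound packets claiming a 127.0.0.0/8 source) can be checked for in packet records; this detection sketch is an added example, not part of either advisory or of the vendors' products. The record fields, the interface name "lo", the 10-second window and the sample records are assumptions constructed for illustration.

```python
import ipaddress
from collections import defaultdict, deque

# Record fields and the interface name "lo" are assumptions of this example.
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")
SYN_THRESHOLD = 300          # advisory: hang seen after a minimum of 300 SYNs
PORTS = range(1, 1025)       # advisory: ports 1-1024
WINDOW_SECONDS = 10.0        # assumption: the advisory states no time window

def is_spoofed_loopback(pkt):
    """127.0.0.0/8 is never a legitimate source on a non-loopback interface."""
    return pkt["iface"] != "lo" and ipaddress.ip_address(pkt["src"]) in LOOPBACK

def analyse(packets):
    """Return (loopback_sourced_packets, syn_burst_alerts) for time-ordered records."""
    martians, alerts, alerted = [], [], set()
    recent = defaultdict(deque)  # destination -> timestamps of bare SYNs in window
    for pkt in packets:
        if is_spoofed_loopback(pkt):
            martians.append(pkt)
        if pkt["flags"] == "S" and pkt["dport"] in PORTS:  # bare SYN, no ACK
            # Key on destination: spoofed sources defeat per-source counters.
            q = recent[pkt["dst"]]
            q.append(pkt["ts"])
            while pkt["ts"] - q[0] > WINDOW_SECONDS:
                q.popleft()
            if len(q) >= SYN_THRESHOLD and pkt["dst"] not in alerted:
                alerted.add(pkt["dst"])
                alerts.append((pkt["dst"], pkt["ts"], len(q)))
    return martians, alerts

def sample_capture():
    """Constructed records: 320 SYNs in 3.2 s, every fourth with a 127.x source."""
    pkts = []
    for i in range(320):
        src = f"127.0.0.{i % 255 + 1}" if i % 4 == 0 else f"198.51.100.{i % 250 + 1}"
        pkts.append({"ts": i * 0.01, "iface": "eth0", "src": src,
                     "dst": "192.0.2.10", "dport": i % 1024 + 1, "flags": "S"})
    # Benign records that must not be flagged: local loopback and a single SYN.
    pkts.append({"ts": 3.3, "iface": "lo", "src": "127.0.0.1",
                 "dst": "127.0.0.1", "dport": 80, "flags": "S"})
    pkts.append({"ts": 3.4, "iface": "eth0", "src": "198.51.100.7",
                 "dst": "192.0.2.20", "dport": 443, "flags": "S"})
    return pkts

if __name__ == "__main__":
    martians, alerts = analyse(sample_capture())
    print(len(martians), "packets with a 127.0.0.0/8 source on a non-loopback interface")
    for dst, ts, count in alerts:
        print(f"SYN burst to {dst}: {count} SYNs within {WINDOW_SECONDS:.0f}s at t={ts:.2f}")
```

Counting per destination rather than per source matters here because both advisories involve spoofed source addresses, so no single source would reach the threshold.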