Scan Zonealarm Undetected


Post by weazy » Fri May 30, 2003 5:35 pm

ZoneAlarm (http://www.zonelabs.com) is a very popular personal firewall for Microsoft Windows computers and easy to use for newbies because it is application based, meaning you apply network permission to applications instead of ports.
This firewall has been found to contain a serious security hole that would allow a remote attacker to TCP and UDP scan the host's entire port range without detection. This is done by specifying a special port number in the source port part of the TCP or UDP packet.

Details
Vulnerable systems:
ZoneAlarm version 2.1.10
ZoneAlarm version 2.0.26

Immune systems:
ZoneAlarm version 2.1.18 and up

If one uses port 67 as the source port of a TCP or UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means that one can TCP or UDP port scan a ZoneAlarm protected computer as if there were no firewall there IF one uses port 67 as the source port on the packets.

Exploit:
UDP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sU 192.168.128.88
(Notice the -g67 which specifies source port).

TCP Scan:
You can use NMap to port scan the host with the following command line:
nmap -g67 -P0 -p130-140 -sS 192.168.128.88
(Notice the -g67 specifies source port).
--The Devil is in the Details--
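Added example (not part of weazy's post, and not ZoneAlarm code): a small detector that runs over firewall log lines and flags the pattern described above, packets whose source port is 67 but which are not legitimate DHCP traffic (DHCP is UDP only, server port 67 to client port 68). The "PROTO src:sport -> dst:dport" log format and the sample lines are assumptions constructed for this example.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the post). The simplified
# "PROTO src:sport -> dst:dport" format is an assumption for this example.
SAMPLE_LOG = """\
UDP 10.0.0.1:67 -> 192.168.128.88:68
UDP 192.168.128.88:68 -> 10.0.0.1:67
UDP 10.0.0.5:67 -> 192.168.128.88:130
UDP 10.0.0.5:67 -> 192.168.128.88:131
TCP 10.0.0.5:67 -> 192.168.128.88:135
TCP 10.0.0.5:67 -> 192.168.128.88:139
TCP 10.0.0.7:40000 -> 192.168.128.88:80
"""

LINE_RE = re.compile(r"^(TCP|UDP) (\S+):(\d+) -> (\S+):(\d+)$")


def parse_line(line):
    """Parse one log line into (proto, src, sport, dst, dport) or None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return proto, src, int(sport), dst, int(dport)


def is_suspicious_sport67(rec):
    """True when a packet uses source port 67 outside legitimate DHCP.
    Real DHCP is UDP from server port 67 to client port 68; anything else
    with source port 67 (any TCP, or UDP to another port) is suspect."""
    proto, _, sport, _, dport = rec
    if sport != 67:
        return False
    if proto == "UDP" and dport == 68:
        return False  # normal DHCP server -> client reply
    return True


def find_sport67_scans(log_text, min_ports=2):
    """Group suspicious source-port-67 packets by (src, dst) and report pairs
    that touched at least `min_ports` distinct destination ports: a scan."""
    touched = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_suspicious_sport67(rec):
            proto, src, _, dst, dport = rec
            touched[(src, dst)].add((proto, dport))
    return {pair: sorted(ports) for pair, ports in touched.items()
            if len(ports) >= min_ports}
```

On the sample log this reports only 10.0.0.5 probing 192.168.128.88, while the genuine DHCP exchange and the ordinary web connection are left alone.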
