'[VulnWatch] NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       vulnwatch
Subject:    [VulnWatch] NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability
From:       "Abraham Lincoln" <sunninja () scientist ! com>
Date:       2002-10-16 14:41:04
[Download RAW message or body]

NSSI Technologies Inc Research Labs Security Advisory 

http://www.nssolution.com (Philippines / .ph) 

"Maximum e-security" 

http://nssilabs.nssolution.com

ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability

Author: Abraham Lincoln Hao / SunNinja

e-Mail: abraham@nssolution.com / SunNinja@Scientist.com

Advisory Code: NSSI-2002-zonealarm3 

Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K \
Professional / WinNT 4.0 workstation 

Vendor Status:  Zone Labs is already contacted 1 month ago and they informed me that \
they going to release an update or new version to patched the problem. This \
vulnerability is confirmed by the vendor.

Vendors website: http://www.zonelabs.com

Severity: High

Overview:

     New ZoneAlarm® Pro delivers twice the security—Zone Labs’ award-winning, \
personal firewall trusted by millions, plus advanced privacy features. the \
award-winning PC firewall that blocks intrusion attempts and protects against \
Internet-borne threats like worms, Trojan horses, and spyware.   

 ZoneAlarm Pro 3.1 and 3.0  doubles your protection with enhanced Ad Blocking and \
expanded Cookie Control to speed up your Internet experience and stop Web site \
spying. Get protected. Compatible with Microsoft® Windows® 98/Me/NT/2000 and XP.    

    ZoneAlarm Pro 3.1.291 and 3.0  contains vulnerability that would let the attacker \
consume all your CPU and Memory usage that would result to Denial of Service Attack \
through sending  multiple syn packets / synflooding.  

Details:

    Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contains a vulnerability that would let \
the attacker consume all your CPU and Memory usage that would result to Denial of \
Service Attack through Synflooding that would cause the machine to stop from \
responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 is also vulnerable with IP \
Spoofing. This Vulnerabilities are confirmed from the vendor.

Test diagram:

   [*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===> [Host \
with ZoneAlarm] 

 1] Tested under default install of the 2 versions after sending minimum of 300 Syn \
Packets to port 1-1024 the machine will hang-up until the attack stopped.

2] We configured the ZoneAlarm firewall both version to BLOCK ALL traffic setting \
after sending a minimum of 300 Syn Packets to port  1-1024 the machine will hang-up \
until the attack stopped. 

Workaround:

    Disable ZoneAlarm and Hardened TCP/IP stack of your windows and Install latest \
Security patch.

Note: To people who's having problem reproducing the vulnerability let me know :)

Any Questions? Suggestions? or Comments? let us know. 

e-mail: nssilabs@nssolution.com / abraham@nssolution.com / infosec@nssolution.com

 

greetings:
   nssilabs team, especially to b45h3r and rj45, Most skilled and pioneers of NSSI \
good luck!. (mike@nssolution.com / aaron@nssolution.com),  Lawless the saint ;), \
                dig0, p1x3l, dc and most of all to my Lorie.  
-- 
__________________________________________________________
Sign-up for your own FREE Personalized E-mail at Mail.com
http://www.mail.com/?sr=signup


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic