lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: jftucker at gmail.com (James Tucker)
Subject: Unsecure file permission of ZoneAlarm pro.

> >>Zone Alarm stores its config. files in %windir%\Internet Logs\* . But strangely,
> Isn't it supposed to store logs ? My english knowledge is probably too poor.

The folder name would suggest that. I raised an eyebrow when I saw that too.

> >>EVERYONE: Full

This means that anyone / anything which can access / see this folder
can CHANGE anything about that folder (including permissions) without
being stopped by the file system.

> As everybody knows, windows * is a single user system

Not true, windows NT is a multi user kernel, although you only have a
single client access license and as such you can log on one at a time
to windows xp. Windows * Server is different, typically you get 5
CAL's straight away (although licensing all changed again in 2k3 and I
have not yet learnt the changes).


> only install zonealarm, no other software, especially no software using
> this directory for storing any kind of information. As I understand the

What?

> zap answer: Kidding with file permissions is not an issue on any os...
> unless, maybe, if you wish to use your system.

File permissions are VERY important to security, even with very high
vigilance in all other areas you can be fully "rooted" (exploited /
attacked) if your file permissions are set wrong in the wrong place.



THE POINT:

Providing ZA includes this folder in its integrity checks (I have yet
to have the time to start on this project, and so I cannot verify that
it does, although the messages in this thread indicate that this
folder contains not logs, but configs -_^  ) then ALL YOU NEED TO DO,
is to change the folder permissions to EVERYONE: DENY, and NTFS will
not EVER allow you to recover this folder. ZA will thus never operate
properly on this machine again. In order to restore the file
permissions you will need a third party NTFS driver (in short, this
would be very very bad).

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ