lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list] 
From: jftucker at gmail.com (James Tucker)
Subject: Unsecure file permission of ZoneAlarm pro.

Surely though, if a user chose to open file and printer sharing over
the network for any parent directory, it is possible that a remote
user can very easily do damage to ZAP, at the very least shutting it
down, at worst reconfiguring it.

There is absolutely no good reason I can envisage why you would need
to set these permissions like this.

Another security flaw relevant to this is the fact that many system
administrators of larger networks very carefully lock down file and
folder permissions on common system areas to help prevent users from
leaving new programs on the local system. This helps defend against
application scheduler attacks and the like. If you cant leave files on
the local system then you can't run anything after you log off.

>From now on, I will use this folder to produce exploits against ZAP,
if you wish to stop this from being done and publicised I strongly
recommend you consider hardening this security setting. There are
plenty of methods of accessing this folder with elevated privileges
than everyone or anonymous, especially when most of your application
runs as a system process.

Please refrain from forgetting that it is not just your configuration
files that you have opened up here, it is an entire folder. Folder
customisation based exploits could also be used, for example the
folder could be opened in a new window (allowed by many systems, can
be done with macro's, IE, mails, whatever). If the folder was
customised in the right way, this could formulate the run time vector
of a major exploit.

While I have not extensively tested your TrueVector kernel, it is
unlikely that it can protect against every conceivable unknown threat,
as such for a security company your above message seems a little
naive.

And finally, please tell me what TrueVector is capable of doing if the
malicious code (possibly running over SMB to a local file share) were
to use its full permissions to change ownership on the directory and
set DENY permissions to any user accounts / system accounts used by
ZAP? Do you have the ability to exploit NTFS permissions and re-set
them as required? If not, then after this has been done your firewall
will fail closed on every subsequent boot. How is an end-user to
recover from this problem?

These are just my initial thoughts on this matter, and the real
dangers could be far more sophisticated if we think more creatively
(and spend more than 3 minutes on the issue). Given that there is no
reason not to fix this, please fix it. If it will take a proven
exploit before you fix it then one will have to be produced.

On Fri, 20 Aug 2004 03:40:11 -0700, John LaCour <jlacour@...elabs.com> wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> There is absolutely no security issue here.
> 
> ZoneAlarm does not rely on file permissions to protect
> any configuration files.   Configuration files are protected
> by our TrueVector(r) driver in the kernel.
> 
> In addition to protecting configuration files against
> unauthorized changes, there are additional integrity checks and other
> protection mechanisms implemented for all policy configuration
> files.  Should any policy configuration files fail integrity
> checks, the firewall will fail closed.
> 
> Again, no issue.
> 
> - --
> John LaCour
> Security Services Group Manager
> Zone Labs LLC, A Check Point Company
> 
> > From: bipin gautam [mailto:visitbipin@...oo.com]
> > Sent: Thursday, August 19, 2004 7:51 PM
> > To: full-disclosure@...ts.netsys.com
> > Subject: [Full-Disclosure] Unsecure file permission of ZoneAlarm
> > pro.
> >
> >
> > Hello list,
> >
> > Zone Alarm stores its config. files in
> > %windir%\Internet Logs\* . But strangely,
> >
> > ZoneAlarm sets the folder/file permission (NTFS) of
> > %windir%\Internet Logs\* to,
> >
> > EVERYONE: Full
> >
> > after its first started.
> >
> > Even If you try to change the permission to...
> >
> > Administrator (s): full
> > system: full
> > users: read and execute
> > [these are the default permissions]
> >
> > Strangely, the permission again changes back to...
> > EVERYONE: Full each time
> >
> > ZoneAlarm Pro (ZAP) is started. I've tested these in
> > zap 4.x and 5.x
> >
> >       This could prove harmful if we have a malicious
> > program/user running with
> >
> > even with a user privilege on the system.
> >
> > Well a malicious program could modify those config
> > file in a way ZAP will stop
> >
> 
> [snip]
> 
> > Bipin Gautam
> 
> -----BEGIN PGP SIGNATURE-----
> Version: PGP 8.0.2
> 
> iQA/AwUBQSXVCqeZbSyAsADEEQK9fgCeLLipKBn3Z7+PYj1E6GXkT0lubIgAnjCY
> ssK9UOJxQn98yj/5x+tWiPzw
> =OdxT
> -----END PGP SIGNATURE-----
> 
> 
> 
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.netsys.com/full-disclosure-charter.html
>

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ