Bugtraq: Re: Zonealarm exports sensitive data

Re: Zonealarm exports sensitive data

From: Brett Glass <brett_at_LARIAT.ORG>
Date: Fri, 25 Feb 2000 18:17:28 -0700

It should be noted that BlackICE Defender, a competitive product,
does precisely the same thing if one clicks on the "AdvICE" button.
Since the attack information displayed by the program's graphical
interface is quite brief (there's more in the log files, but
only sophisticated users will know how to find and read them),
users are strongly motivated to click the button.

I do not know whether the URLs sent by either product are being
used to gather statistics on the frequency of attacks or as a
means of piracy detection. They certainly could be, if the vendors
had a mind to do so.

--Brett Glass

At 12:40 AM 2/25/2000 , Andrew Daviel wrote:

>ZoneAlarm by zonelabs.com can export possibly sensitive data if
>the "More Info" button is clicked from an alert.
>
>ZoneAlarm is a personal dynamic firewall for Windows 9x/NT.
>When a rule is triggered (typically an inbound connection to
>an unregistered or alarmed service) an alert box appears with a brief
>description of the event and a button labelled "More Info". When this
>is clicked a URL is passed to the user's Web browser sending information
>to Zone Labs' server for more detailed explanation.
>
>Currently (version 2.0.26) the information passed includes:
>Source Address and Port
>Destination Address and Port
>Operating system version
>Firewall version
>Whether the connection was blocked
>The lock status of the firewall
>
>All this information is sent in clear as an HTTP GET request (port 80).
>
>It could possibly be seen on the Internet in transit or in proxy logs, and
>may include information about machines on an internal network inside a
>corporate firewall. The request itself could be blocked by ZoneAlarm, but
>it is likely that the setting for the Web browser would allow it to access
>the external network (Internet).
>
>It is fairly simple to edit the .EXE file to disable this feature, or
>to redirect it to a local server.
>
>(IMO the benefits from using the product outweigh the risks of this data
>leak....)
>
>Andrew Daviel
>Vancouver Webpages etc.
Received on Feb 27 2000
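
An added example, not part of either post: a check over web proxy logs for the exposure described above, where a request to an external server carries internal (RFC 1918) addresses in its query string. The log layout, hostnames and parameter names are constructed for illustration; the thread does not give the actual request format of either product.

```python
import ipaddress
from urllib.parse import urlsplit, parse_qsl

# RFC 1918 ranges: addresses that should not appear in requests leaving the network.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed proxy log lines: "<client> <method> <url>". Hostnames and
# parameter names are hypothetical, not a real vendor's request format.
SAMPLE_LOG = """\
10.1.4.22 GET http://alerts.vendor.example/info?src=198.51.100.7&sport=4431&dst=10.1.4.22&dport=139&os=Win98&blocked=1
10.1.4.30 GET http://www.example.org/index.html
10.1.4.31 GET http://www.example.net/lookup?ip=198.51.100.7
10.1.4.41 GET http://intranet.example/ping?host=172.16.5.5
"""

def internal_addrs(value):
    """Return the RFC 1918 addresses among the whitespace-separated tokens of value."""
    found = []
    for token in value.split():
        try:
            addr = ipaddress.ip_address(token)
        except ValueError:
            continue  # not an IP address (port number, OS string, ...)
        if any(addr in net for net in RFC1918):
            found.append(str(addr))
    return found

def find_leaks(log_text, internal_hosts=()):
    """Return (client, host, {param: [addrs]}) for each request to a host outside
    internal_hosts whose query string carries internal addresses."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines
        client, _method, url = parts
        target = urlsplit(url)
        if target.hostname in internal_hosts:
            continue  # traffic that stays inside the network
        leaked = {name: addrs
                  for name, value in parse_qsl(target.query, keep_blank_values=True)
                  if (addrs := internal_addrs(value))}
        if leaked:
            hits.append((client, target.hostname, leaked))
    return hits

if __name__ == "__main__":
    for hit in find_leaks(SAMPLE_LOG, internal_hosts={"intranet.example"}):
        print(hit)
```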
