Full Disclosure mailing list archives

Re: Unsecure file permission of ZoneAlarm pro.


From: James Tucker <jftucker () gmail com>
Date: Fri, 20 Aug 2004 10:18:54 -0300

Surely though, if a user chose to open file and printer sharing over
the network for any parent directory, it is possible that a remote
user can very easily do damage to ZAP, at the very least shutting it
down, at worst reconfiguring it.

There is absolutely no good reason I can envisage why you would need
to set these permissions like this.

Another security flaw relevant to this is the fact that many system
administrators of larger networks very carefully lock down file and
folder permissions on common system areas to help prevent users from
leaving new programs on the local system. This helps defend against
application scheduler attacks and the like. If you can't leave files on
the local system then you can't run anything after you log off.

From now on, I will use this folder to produce exploits against ZAP;
if you wish to stop this from being done and publicised I strongly
recommend you consider hardening this security setting. There are
plenty of methods of accessing this folder with more elevated privileges
than everyone or anonymous, especially when most of your application
runs as a system process.

Please refrain from forgetting that it is not just your configuration
files that you have opened up here, it is an entire folder. Folder
customisation based exploits could also be used; for example, the
folder could be opened in a new window (allowed by many systems, can
be done with macros, IE, mails, whatever). If the folder was
customised in the right way, this could formulate the runtime vector
of a major exploit.

While I have not extensively tested your TrueVector kernel, it is
unlikely that it can protect against every conceivable unknown threat;
as such, for a security company, your above message seems a little
naive.

And finally, please tell me what TrueVector is capable of doing if the
malicious code (possibly running over SMB to a local file share) were
to use its full permissions to change ownership on the directory and
set DENY permissions to any user accounts / system accounts used by
ZAP? Do you have the ability to exploit NTFS permissions and reset
them as required? If not, then after this has been done your firewall
will fail closed on every subsequent boot. How is an end-user to
recover from this problem?

These are just my initial thoughts on this matter, and the real
dangers could be far more sophisticated if we think more creatively
(and spend more than 3 minutes on the issue). Given that there is no
reason not to fix this, please fix it. If it will take a proven
exploit before you fix it then one will have to be produced.

On Fri, 20 Aug 2004 03:40:11 -0700, John LaCour <jlacour () zonelabs com> wrote:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

There is absolutely no security issue here.

ZoneAlarm does not rely on file permissions to protect
any configuration files. Configuration files are protected
by our TrueVector(r) driver in the kernel.

In addition to protecting configuration files against
unauthorized changes, there are additional integrity checks and other
protection mechanisms implemented for all policy configuration
files.  Should any policy configuration files fail integrity
checks, the firewall will fail closed.

Again, no issue.

- --
John LaCour
Security Services Group Manager
Zone Labs LLC, A Check Point Company

From: bipin gautam [mailto:visitbipin () yahoo com]
Sent: Thursday, August 19, 2004 7:51 PM
To: full-disclosure () lists netsys com
Subject: [Full-disclosure] Unsecure file permission of ZoneAlarm
pro.


Hello list,

Zone Alarm stores its config files in
%windir%\Internet Logs\*. But strangely,

ZoneAlarm sets the folder/file permission (NTFS) of
%windir%\Internet Logs\* to,

EVERYONE: Full

after it's first started.

Even if you try to change the permission to...

Administrator(s): full
system: full
users: read and execute
[these are the default permissions]

Strangely, the permission again changes back to...
EVERYONE: Full each time

ZoneAlarm Pro (ZAP) is started. I've tested these in
ZAP 4.x and 5.x.

This could prove harmful if we have a malicious
program/user running even with user privileges on the system.

Well, a malicious program could modify those config
files in a way ZAP will stop


[snip]

Bipin Gautam

-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0.2

iQA/AwUBQSXVCqeZbSyAsADEEQK9fgCeLLipKBn3Z7+PYj1E6GXkT0lubIgAnjCY
ssK9UOJxQn98yj/5x+tWiPzw
=OdxT
-----END PGP SIGNATURE-----



_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html


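The thread above turns on a single, checkable fact: whether a directory's NTFS DACL grants Everyone (S-1-1-0) Full Control, and whether that grant comes back after a restart. The script below is an added example for defenders, not code from the thread or from Zone Labs: it audits a folder and its contents for that entry, and with -Repair rewrites the DACL to the defaults Bipin lists (Administrators: Full, SYSTEM: Full, Users: Read and Execute). The default path, the use of well-known SIDs instead of localised group names, and the switch names are my own assumptions; PowerShell 5.1 or later on Windows and an elevated session for -Repair are assumed.

```powershell
<#
 Added example (not from the mailing-list thread or the vendor).
 Audit a directory tree for "Everyone: Full Control" ACEs and optionally
 restore the default ACL described in the original report.
 Assumptions: Windows PowerShell 5.1+; run elevated when using -Repair.
#>
param(
    # Default path is the folder named in the report; assumed, adjust as needed.
    [string]$Path = (Join-Path $env:windir 'Internet Logs'),
    [switch]$Repair
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$EveryoneSid = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

function Get-EveryoneFullControlAce {
    # Returns the Allow ACEs on $Target that grant Everyone (S-1-1-0) Full Control.
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier]) |
        Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference -eq $EveryoneSid -and
            (($_.FileSystemRights -band $FullControl) -eq $FullControl)
        }
}

function Restore-DefaultAcl {
    # Replace the DACL with the defaults from the report, using well-known
    # SIDs so the script does not depend on localised group names.
    param([string]$Target)
    $acl = Get-Acl -LiteralPath $Target
    # Stop inheriting from the parent and drop inherited ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $defaults = @(
        @{ Sid = 'S-1-5-32-544'; Rights = 'FullControl' },    # BUILTIN\Administrators
        @{ Sid = 'S-1-5-18';     Rights = 'FullControl' },    # NT AUTHORITY\SYSTEM
        @{ Sid = 'S-1-5-32-545'; Rights = 'ReadAndExecute' }  # BUILTIN\Users
    )
    foreach ($d in $defaults) {
        $id   = New-Object System.Security.Principal.SecurityIdentifier $d.Sid
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, $d.Rights, $inherit, $prop, 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Target -AclObject $acl
}

# Audit the folder itself plus everything beneath it.
$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force)
$offenders = foreach ($item in $items) {
    if (Get-EveryoneFullControlAce -Target $item.FullName) { $item.FullName }
}

if (-not $offenders) {
    Write-Output "OK: no Everyone:FullControl entries under $Path"
    return
}

$offenders | ForEach-Object { Write-Warning "Everyone:FullControl granted on $_" }

if ($Repair) {
    # Reset the top-level folder; the inheritable rules flow to the children,
    # which are then reset individually so any explicit Everyone ACE is gone.
    foreach ($target in $offenders) { Restore-DefaultAcl -Target $target }
    Write-Output "Reset $($offenders.Count) object(s) to the default ACL"
}
```

Because the report says the product rewrites the ACL every time it starts, a one-off repair is not a fix: run the audit (without -Repair) from a scheduled task or a monitoring agent and treat a recurring warning as a finding to raise with the vendor, which is the behaviour the thread is arguing about.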

