6 Dec 2001 17:26:58
According to eEye, anything 'outside the normal loop' can defeat ZoneAlarm.
From: Ryan Permeh
To: Tom Liston
Subject: Re: Flawed outbound packet filtering in various personal firewalls
Date sent: Thu, 6 Dec 2001 17:26:58
This is likely also vulnerable (I haven't tested, so I can't say for
positive) in WinNT versions. This is a design-time decision on what
types of technologies they use in their products, and what type of
driver you yourself are implementing. Kernel subversion attacks like
this can easily bypass any in-place 'filter', either by filtering
before, or, like in your case, appearing 'outside the normal loop'.
Using a newer technique called NDIS hooking, or pseudo intermediate
mode, an attacker that could load a driver (like your packet driver)
could easily just 'hide' itself in there, regardless of the in-place
kernel protections like ZA or Tiny.
www.rootkit.com is a project that is designed to demonstrate some of
the techniques that you talk about, but in an NT environment. They
use a sniffer/injector driver to communicate without touching the
regular IP stack, using a completely 'phantom' one. Kind of a neat
idea that goes along with the problems you are seeing. I mean, even
if a firewall knew to stop packets coming to your IP, it probably
doesn't have any clue about stopping packets destined for a
'phantom' IP.
Just thought you would like to know some more about some of these
techniques. Also, how are your LaBrea porting efforts? Are you
using the WinPcap driver, or did you choose to start on your own?
Either way, good luck, and keep up the research!
Signed,
Ryan Permeh
eEye Digital Security Team
http://www.eEye.com/Retina - Network Security Scanner
http://www.eEye.com/Iris - Network Traffic Analyzer
http://www.eEye.com/SecureIIS - Stop Known and Unknown IIS Vulnerabilities