Oh My

Week of January 15, 2002

Subject: Uh oh...
   Date: Tue, 16 Oct 2001 15:53:06 -0500
   From: Tom Liston
     To: radsoft.net

Oh my... oh my....

I believe I've just stumbled onto something very bad.

In an effort to see if what I was doing was working at all, I cranked
up ZoneAlarm to the max on my machine.

Some background:  I run both BlackIce and ZoneAlarm... Because
95% of the time I'm on our LAN here, sitting behind the Linux-
based firewall, I don't really concern myself with 'internet based
nasties.'  I'm looking for stuff that might be happening 'inside the
network.'  I like BlackIce because it offers you more control over
'ignoring' stuff... like being able to shut off warnings about certain
activities that I really can't disable because they're necessary.  It
also tells me the IP *and* MAC of machines that are misbehaving.

BlackIce isn't really a firewall though.  I keep ZA around for that,
and I also run it because it warns me of stuff on my machine that
may be attempting to 'talk' without my knowledge.

At least I thought it did.  I wanted to test LaBrea9x, so I killed out
BlackIce and fired up ZA and set it to its highest levels of
'security'.  I fired up LaBrea9x, and launched off an HTTP session
back at my laptop from a Linux box that we use as an internal
fax/mailserver.  Sure enough, LaBrea9x works great... it 'tarpitted'
the connection because ZA was blocking Windows from replying.
ZA dutifully told me that it was blocking an inbound connection.

But that's when it hit me.  ZA didn't say ANYTHING about
outbound.  NOTHING.  I looked at the settings, and it should have
BLOCKED the outbound stuff entirely...  (I had both the local and
internet zones set to high and had turned on block both local and
internet servers.)

Hmmmmm.....  If I can send this packet without any complaining,
can't I send anything I damn well want to?

BTW, the LaBrea/ZA combo works for tarpitting...


Editor's note: Tom Liston waited over one month for Zone Labs to fix the vulnerability before disclosing it; it has still not been fixed.
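The gap Liston describes is between what actually leaves the NIC and what the host firewall admits to having adjudicated. One defender's check for that gap is to correlate an independent packet capture against the firewall's own log and flag every outbound flow the firewall never recorded a decision for. The script below is an added example and is not code from Liston's message, from LaBrea, or from Zone Labs; the wire-capture and firewall-log line formats, the addresses, and the sample lines are all constructed for the example (ZoneAlarm's real log format is not on this page). The capture should come from a vantage point outside the host, such as the gateway or a mirror port, because a capture taken on the host itself may sit at the same layer the bypass skips.

```python
"""Egress-coverage audit: flag outbound flows seen on the wire that the host
firewall never adjudicated (neither allowed nor blocked).

Added example, not from the original message. Record formats are constructed:
  wire line:     "<proto> <src>:<sport> -> <dst>:<dport>"
  firewall line: "<in|out> <allow|block> <proto> <src>:<sport> -> <dst>:<dport>"
"""
import re
from typing import List, Optional, Tuple

# A flow is identified by protocol plus the 4-tuple, as seen from the local host.
Flow = Tuple[str, str, int, str, int]

_ENDPOINT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})"
_WIRE_RE = re.compile(rf"^(tcp|udp)\s+{_ENDPOINT}\s*->\s*{_ENDPOINT}")
_FW_RE = re.compile(rf"^(in|out)\s+(allow|block)\s+(tcp|udp)\s+{_ENDPOINT}\s*->\s*{_ENDPOINT}")


def parse_wire(line: str) -> Optional[Flow]:
    """Parse one constructed capture line into a Flow, or None if malformed."""
    m = _WIRE_RE.match(line.strip())
    if not m:
        return None
    proto, src, sport, dst, dport = m.groups()
    return (proto, src, int(sport), dst, int(dport))


def parse_firewall(line: str) -> Optional[Tuple[str, str, Flow]]:
    """Parse one constructed firewall log line into (direction, action, Flow)."""
    m = _FW_RE.match(line.strip())
    if not m:
        return None
    direction, action, proto, src, sport, dst, dport = m.groups()
    return direction, action, (proto, src, int(sport), dst, int(dport))


def unadjudicated_egress(wire_lines: List[str], fw_lines: List[str], local_ip: str) -> List[Flow]:
    """Return outbound flows present in the capture that have no 'out' decision in the log."""
    wire_out = set()
    for line in wire_lines:
        flow = parse_wire(line)
        if flow and flow[1] == local_ip:      # only packets sourced by this host
            wire_out.add(flow)
    fw_out = set()
    for line in fw_lines:
        rec = parse_firewall(line)
        if rec and rec[0] == "out":           # any decision, allow or block, counts
            fw_out.add(rec[2])
    return sorted(wire_out - fw_out)


# Constructed sample data mirroring the scenario in the message: the host is
# 192.168.1.10, a Linux box at 192.168.1.5 opens a connection to port 80, the
# firewall blocks the inbound SYN, and a SYN/ACK still leaves the wire.
LOCAL_IP = "192.168.1.10"
WIRE_CAPTURE = [
    "tcp 192.168.1.5:3201 -> 192.168.1.10:80",    # inbound SYN from the Linux box
    "tcp 192.168.1.10:80 -> 192.168.1.5:3201",    # outbound SYN/ACK the firewall never saw
    "tcp 192.168.1.10:1034 -> 10.0.0.1:80",       # ordinary outbound web connection
    "udp 192.168.1.10:1035 -> 192.168.1.1:53",    # ordinary DNS lookup
]
FIREWALL_LOG = [
    "in block tcp 192.168.1.5:3201 -> 192.168.1.10:80",
    "out allow tcp 192.168.1.10:1034 -> 10.0.0.1:80",
    "out allow udp 192.168.1.10:1035 -> 192.168.1.1:53",
]

if __name__ == "__main__":
    for flow in unadjudicated_egress(WIRE_CAPTURE, FIREWALL_LOG, LOCAL_IP):
        proto, src, sport, dst, dport = flow
        print(f"firewall never adjudicated: {proto} {src}:{sport} -> {dst}:{dport}")
```

Run as-is it reports the single SYN/ACK flow; the two ordinary connections the firewall logged as allowed are not flagged, and inbound packets are ignored because the audit is only about egress. Any non-empty result means the firewall's outbound policy is not seeing everything the host emits, which is exactly the condition the message above hit.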

