About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

Oh My

Week of January 15, 2002

Subject: Uh oh...
   Date: Tue, 16 Oct 2001 15:53:06 -0500
   From: Tom Liston
     To: radsoft.net

Oh my... oh my....

I believe I've just stumbled onto something very bad.

In an effort to see if what I was doing was working at all, I cranked
up ZoneAlarm to the max on my machine.

Some background:  I run both BlackIce and ZoneAlarm... Because
95% of the time I'm on our LAN here, sitting behind the Linux-
based firewall, I don't really concern myself with 'internet based
nasties.'  I'm looking for stuff that might be happening 'inside the
network.'  I like BlackIce because it offers you more control over
'ignoring' stuff... like being able to shut off warnings about certain
activities that I really can't disable because they're necessary.  It
also tells me the IP *and* MAC of machines that are misbehaving.

BlackIce isn't really a firewall though.  I keep ZA around for that,
and I also run it because it warns me of stuff on my machine that
may be attempting to 'talk' without my knowledge.

At least I thought it did.  I wanted to test LaBrea9x, so I killed out
BlackIce and fired up ZA and set it to it's highest levels of
'security'.  I fired up LaBrea9x, and launched off a http session
back at my laptop from a Linux box that we use as an internal
fax/mailserver.  Sure enough, LaBrea9x works great... it 'tarpitted'
the connection because ZA was blocking Windows from replying.
ZA dutifully told me that it was blocking an inbound connection.

But that's when it hit me.  ZA didn't say ANYTHING about
outbound.  NOTHING.  I looked at the settings, and it should have
BLOCKED the outbound stuff entirely...  (I had both the local and
internet zones set to high and had turned on block both local and
internet servers.)

Hmmmmm.....  If I can send this packet without any complaining,
can't I send anything I damn well want to?

BTW, the LaBrea/ZA combo works for tarpitting...


Editor's note: Tom Liston waited over one month for Zone Labs to fix the vulnerability before disclosing it; it has still not been fixed.

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.