Subject: [EXPL] ZoneAlarm Firewall can be easily scanned for open ports
Date: Sat, 22 Apr 2000 14:52:45 +0200

The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com

ZoneAlarm Firewall can be easily scanned for open ports
--------------------------------------------------------------------------------

SUMMARY

ZoneAlarm (http://www.zonelabs.com) is a very popular personal firewall for Microsoft Windows computers, and is easy to use for newbies because it is application based, meaning you apply network permissions to applications instead of ports. This firewall has been found to contain a serious security hole that allows a remote attacker to UDP scan the host's entire port range without detection. This is done by specifying a special port number in the source port field of the UDP packet.

DETAILS

Vulnerable systems:
ZoneAlarm version 2.1.10
ZoneAlarm version 2.0.26

If one uses port 67 as the source port of a UDP scan, ZoneAlarm will let the packet through and will not notify the user. This means that one can UDP port scan a ZoneAlarm-protected computer as if there were no firewall there, IF one uses port 67 as the source port on the packets.

Exploit:
You can use NMap to port scan the host with the following command line:

nmap -g67 -P0 -p130-140 -sU 192.168.128.88

(Notice the -g67, which specifies the source port.)

ADDITIONAL INFORMATION

The information was provided by: Wally Whacker.

====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any kind. In no event shall we be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages.
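The flaw described in DETAILS is a filter that trusts the source port alone (port 67 is the DHCP/BOOTP server port, so a rule meant to admit DHCP replies admits any UDP probe that claims that source port). The following added example, not part of the SecuriTeam advisory and not ZoneAlarm's actual rule set, models a hypothetical weak policy beside a hardened one and a log-side check that flags source-port-67 UDP that is not addressed to the DHCP client port; the packets are constructed sample data.

```python
from dataclasses import dataclass

BOOTPS, BOOTPC = 67, 68  # DHCP/BOOTP server and client ports


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    sport: int
    dport: int


def weak_policy(pkt: Packet) -> bool:
    """Hypothetical rule that admits any UDP datagram from source port 67.

    This is the behaviour class the advisory describes: the check never looks
    at the destination port, so a probe to any port passes."""
    return pkt.proto == "udp" and pkt.sport == BOOTPS


def hardened_policy(pkt: Packet, dhcp_servers=frozenset()) -> bool:
    """Admit DHCP replies only: source port 67, destination port 68, and
    (when a server list is configured) only from a known DHCP server."""
    if pkt.proto == "udp" and pkt.sport == BOOTPS and pkt.dport == BOOTPC:
        return not dhcp_servers or pkt.src_ip in dhcp_servers
    return False


def scan_results(policy, src_ip: str, ports) -> set:
    """Ports a source-port-67 UDP probe from src_ip would reach under policy."""
    return {p for p in ports if policy(Packet("udp", src_ip, BOOTPS, p))}


def flag_sport67_probes(packets) -> list:
    """Detection rule: UDP from source port 67 that is not a DHCP reply."""
    return [p for p in packets
            if p.proto == "udp" and p.sport == BOOTPS and p.dport != BOOTPC]


# Constructed sample traffic: the advisory's -p130-140 range probed from a
# made-up scanner address, plus one legitimate DHCP reply from a made-up server.
SCANNER, DHCP_SERVER = "203.0.113.5", "192.168.128.1"
SAMPLE_TRAFFIC = [Packet("udp", SCANNER, BOOTPS, p) for p in range(130, 141)]
SAMPLE_TRAFFIC.append(Packet("udp", DHCP_SERVER, BOOTPS, BOOTPC))

if __name__ == "__main__":
    print("weak policy exposes:", sorted(scan_results(weak_policy, SCANNER, range(130, 141))))
    print("hardened policy exposes:", sorted(scan_results(hardened_policy, SCANNER, range(130, 141))))
    print("flagged probes:", len(flag_sport67_probes(SAMPLE_TRAFFIC)))
```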