Steve | The ZoneAlarm/BBR research thread
As discussed here: »Broadband Constant Reports, many of us are trying to figure out why ZoneAlarm 5.x is "phoning home" to BBR's webserver for updates.
What seems to be happening is that ZoneAlarm is somehow deciding that BBR is a proxy server, so the check for updates (whether manual or automatic) is done via BBR. This shows up in our logs as:
x.x.x.x 404 0 POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0 "Zone Labs Registration Agent 1.0"
x.x.x.x 404 0 POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0 "Zone Labs Registration Agent 1.0"
x.x.x.x 404 0 POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0 "Zone Labs Registration Agent 1.0"
...
ZoneAlarm maintains two registry keys that it seems to create on the fly:
HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyEnabled [DWORD]
HKEY_LOCAL_MACHINE\Software\Zone Labs\HttpProxyServer [string]
Once filled in with the BBR information, it seems to use these values until it restarts, at which time it deletes the keys and presumably starts the proxy-detect all over again.
The problem is not "using a proxy" but "misdetecting a proxy", and I've written a bit of software that may help us figure out what's provoking this.
Unixwiz.net tool - ZAWatch
It's a small console-mode application that watches these keys and lets you know immediately when they have changed. It's hoped that when enough people report "I was doing ____ when it changed", some common threads may emerge.
It's very small (~20kbytes), completely read-only, and uses essentially zero CPU time. C++ source code is included.
I have installed ZoneAlarm on my Win2000 system and am hoping that the problem appears. Others are encouraged to do so as well and report your findings here.
Disclaimer - Though we've been working closely with Zone Labs on this, ZAWatch is a private effort, and they have not sponsored, endorsed, or reviewed this code. Use at your own risk to the extent that you trust my work (which very well may be "not at all").
Steve
-- Stephen J. Friedl * Security Consultant * Tustin, California USA * my web site |
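One way to pull the pattern from the log excerpt above out of a webserver log, added here as an example (Python rather than perl; not part of Steve's post and not ZAWatch): the tell-tale is not the 404 but the absolute URI in the request line, which is the form a client uses only when it believes it is talking to a proxy. The log layout, the 10.0.0.x addresses and the two browser lines are constructed for the example; the real BBR log format is not shown on the page.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the shape of the webserver log excerpt quoted above:
#   client status bytes method url protocol "user-agent"
# The 10.0.0.x addresses and the two browser lines are made up for the example.
SAMPLE_LOG = """\
10.0.0.5 404 0 POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0 "Zone Labs Registration Agent 1.0"
10.0.0.5 404 0 POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0 "Zone Labs Registration Agent 1.0"
10.0.0.9 200 5120 GET /forum/remark,123 HTTP/1.1 "Mozilla/5.0 (Windows NT 5.1) Firefox/0.9"
10.0.0.7 404 0 POST http://update.zonelabs.com/checkupdate.asp HTTP/1.0 "Zone Labs Registration Agent 1.0"
10.0.0.9 302 0 POST /forum/post HTTP/1.1 "Mozilla/5.0 (Windows NT 5.1) Firefox/0.9"
"""

LINE_RE = re.compile(
    r'^(?P<client>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)\s+'
    r'(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<proto>HTTP/\d\.\d)\s+"(?P<ua>[^"]*)"$'
)
# An origin server normally sees "POST /path"; "POST http://host/path" is the
# request-line form a client sends when it thinks the server is a proxy.
ABSOLUTE_URI_RE = re.compile(r'^[A-Za-z][A-Za-z0-9+.-]*://(?P<host>[^/]+)')


def parse_line(line):
    """Return the log fields as a dict, or None for a line that does not fit."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def proxied_host(entry, our_hosts):
    """Host named in an absolute-URI request line, if it is not one of ours."""
    m = ABSOLUTE_URI_RE.match(entry["url"])
    if m is None:
        return None
    host = m.group("host").lower()
    return None if host in our_hosts else host


def find_misdirected_clients(log_text, our_hosts):
    """Map client -> {(target host, user agent): count} for proxy-style requests."""
    ours = {h.lower() for h in our_hosts}
    hits = defaultdict(Counter)
    for line in log_text.splitlines():
        entry = parse_line(line)
        if entry is None:
            continue
        host = proxied_host(entry, ours)
        if host is not None:
            hits[entry["client"]][(host, entry["ua"])] += 1
    return {client: dict(counts) for client, counts in hits.items()}


def report(log_text, our_hosts):
    """Human-readable lines, one per (client, target host, user agent)."""
    lines = []
    for client, counts in sorted(find_misdirected_clients(log_text, our_hosts).items()):
        for (host, ua), n in sorted(counts.items()):
            lines.append("%s treats us as a proxy for %s (%d hits, agent %r)" % (client, host, n, ua))
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_LOG, {"www.dslreports.com", "www.broadbandreports.com"}):
        print(line)
```

Grouping by client and user agent is what makes the "who was doing what" question in the thread answerable: a client that only ever sends proxy-style requests from the Zone Labs agent, never from its browser, is a misdetection rather than a misconfigured proxy setting.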
Steve | Aha! Not five minutes after posting and moving off to do other things, I got ZoneAlarm to install a bad proxy setting: immediately after making this post I got the popup.
I'm now looking how to "reset" the proxy settings without a reboot, but it's clear that it's BBR related.
Edit - the post in the canchat forum got the proxy to rewrite as "broadbandreports.com", but a second post in /dev/null rewrote as "dslreports.com". I routinely surf with broadbandreports.com.
Odd.
Steve
Ryan F (reply to Steve) | Excellent work Steve!
I got the warning just as I pushed the post now button. I reset mine by simply deleting the HttpProxyServer key. This allowed Zone Alarm to properly connect to its update site. Once I posted again, the key reappeared with dslreports as the proxy.
Steve (reply to Steve) | A bunch of us are testing in the /dev/null forum, and if anybody has a sniffer, restart it before each attempt (so you capture only the post).
atangel (reply to Steve) | Ditto. I'm guessing you want the results here? Using latest ZAP5, Win XP SP1 fully patched.
Rebooted my system. Started ZAWatch. Started Mailwasher. Started Trillian. Opened Firefox 0.9 and checked some e-mails, went to CNN.
Then came straight into my postlist. Still nothing. Edited an old message, previewed and spell checked it, nothing.
Clicked Post to update the old message and wham! ZAWatch threw up the alert. Changed to www.broadbandreports.com (I typically come in on that as well). This was in the software forum.
I hadn't thought I was affected, for some reason. Guess I was too 
Edit: dimb typo 
Another Edit: Just posted over in computer cops, sent e-mail from yahoo, no such change registered.
Steve | I captured one! I don't know whether it's looking at outgoing or incoming data, but I have the data to fool with. I'll see if I can simulate it.
Steve
Steve | Well, when I replay my POST data, ZoneAlarm doesn't seem to get confused, so it may not be strictly related to short patterns but to data appearing over a longer period.
This may take some doing.
Steve
Steve | said by Steve: This may take some doing.
... and I can now reliably reproduce the ZoneAlarm proxy confusion with a fixed stream of data to the BBR webservers (essentially replaying the captured data from tcpdump with a small perl program), so now it's just a matter of trimming stuff out until it stops misdetecting; then we'll know what the patterns are.
Woo hoo!
Steve
(reply to Steve) »Re: Broadband Constant Reports said by bobby_peru: ... Could "posting" have anything to do with it? Just a thought.
»Re: Broadband Constant Reports said by bobby_peru: ... But does it happen when you _only_visit_ dslr/bbr, or only when you 1) log on, or only when you 2) log on _and_ post?
What a surprise!
Steve (reply to Steve) | OK, I have this mostly figured out. I managed to capture a failure with tcpdump on my Linux box, and I wrote a bit of perl to parse the traces into what was sent to the BBR servers. I trimmed down the 3542 bytes of data into 48 bytes, and this send/response sequence will confuse ZoneAlarm every time:
POST /zatest HTTP/1.0
Host: unixwiz.net

POST x

HTTP/1.1 302 Found
Date: Sun, 20 Jun 2004 05:00:08 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Location: /
Content-Type: text/html
X-Cache: MISS from www.dslreports.com
Connection: close

Redirected /

HTTP/1.1 302 Found
Date: Sun, 20 Jun 2004 05:00:08 GMT
Server: Apache/1.3.29 (Unix) mod_perl/1.29
Location: /
Connection: close
Transfer-Encoding: chunked
Content-Type: text/html; charset=iso-8859-1

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<HTML><HEAD>
<TITLE>302 Found</TITLE>
</HEAD><BODY>
<H1>Found</H1>
The document has moved <A HREF="/">here</A>.<P>
</BODY></HTML>
This is all done via the BBR servers, and since I can't configure those servers (damn you Kasia), I have no control over the response. This is much smaller than other responses, but I need to get my own webserver to simulate the responses in order to trim this down even more.
My program runs on Windows and is written in perl, and anybody can download ActivePerl from »www.activestate.com (this is a fantastic free implementation of perl) and run it directly. On my system (Win2000) it causes ZoneAlarm to falsely detect a proxy every time as identified by ZAWatch.
At this point I have done all I can do, so Zone Labs should be able to reproduce this in house. I heard a rumor that they are considering a special debug build to help track this down, but I think I beat them to it :-)
The perl code is at zatest.txt (named .txt for easy download). Instructions are in the comments. When run, it sets the ZA proxy to unixwiz.net, so be sure to restart ZoneAlarm after :-)
Time to take the rest of the evening off - it's been a long day.
Steve
skj | Great job Steve!
You really need to consider being a security consultant. You would make an excellent one.
Smokey (reply to Steve) | Thanks for the hard work Steve!!
novaflare (reply to Steve) | said by Steve:
The perl code is at zatest.txt (named .txt for easy download). Instructions are in the comments. When run, it sets the ZA proxy to unixwiz.net, so be sure to restart ZoneAlarm after
Err, this is bad, really bad. If ZoneAlarm can be so easily fooled into changing its settings, what's to stop a script kiddie from writing a perl script and putting it on a web site that allows a given IP to have unrestricted access to, say, port 139?
-- new 3d chat community at »planetvirtuel.com my site »spellbound.valshea.com/news.php
Steve | said by novaflare: Err, this is bad, really bad. If ZoneAlarm can be so easily fooled into changing its settings, what's to stop a script kiddie from writing a perl script and putting it on a web site that allows a given IP to have unrestricted access to, say, port 139?
It's not that simple: the perl code has to run on the client, not on the server, and if the bad guy can run stuff on the client, he can do a lot worse than fool ZoneAlarm.
And as far as we know, the only thing that ZoneAlarm is doing with this proxy is checking for updates. It's not actually getting the updates (that's done through your browser), so the only thing one could do is delay a genuine check for updates for a while. ZoneAlarm resets its proxy settings when it restarts - it's not a "sticky" setting.
I have been toying with the idea of seeing if it's possible to buffer-overflow ZoneAlarm with a carefully-crafted reply from the dummy checkupdate.asp CGI script, but I have run out of time to do testing on this.
Edit - if anybody else can reproduce this with zatest.txt (the perl program), please post here; I've only run it from my own network.
Steve
inTulsa (reply to Steve) | Your post shows HTTP header:
Transfer-Encoding: chunked
But the content shown is NOT in chunked format. Was that transformed by your scripts or was it really transmitted that way?
Steve | said by inTulsa: Transfer-Encoding: chunked
That's the reply from the BBR servers (which I have no control over); I have no idea if that's got anything to do with it.
I really should set up a dummy CGI on my webserver to tune the replies as well as what I sent.
Steve
If that was the real reply, I suspect it may have something to do with it. Chunked responses are blocks of content prefixed by a count of #characters, and terminated with a zero count. If ZA isn't properly accounting for the invalid content chunk it could be having an adverse effect on their buffers.
Since chunked encoding is a standard part of HTTP/1.1 (rarely mis-formatted by servers), this would be something "unique" to our site.
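The fixed-stream reproduction in Steve's post above and inTulsa's question about the chunked header can be checked together with a small replay harness, added here as an example (Python rather than perl; this is not zatest.txt and not Zone Labs code). It stands up a loopback stub that answers the captured request with the captured 302 response, the way the BBR server did, then runs a strict chunked decoder over the body so the mismatch between the header and the body is reported instead of silently swallowed. The CRLF line endings inside the captured bytes are an assumption (the post shows the text only), and the correctly chunked 200 reply is constructed for comparison.

```python
import re
import socket
import threading

# The trimmed request from Steve's post. CRLF line endings are assumed.
CAPTURED_REQUEST = (
    b"POST /zatest HTTP/1.0\r\n"
    b"Host: unixwiz.net\r\n"
    b"\r\n"
    b"POST x\r\n"
)

# The second 302 from the post: 'Transfer-Encoding: chunked' is announced,
# but the body is plain HTML with no chunk-size lines.
CAPTURED_RESPONSE = (
    b"HTTP/1.1 302 Found\r\n"
    b"Date: Sun, 20 Jun 2004 05:00:08 GMT\r\n"
    b"Server: Apache/1.3.29 (Unix) mod_perl/1.29\r\n"
    b"Location: /\r\n"
    b"Connection: close\r\n"
    b"Transfer-Encoding: chunked\r\n"
    b"Content-Type: text/html; charset=iso-8859-1\r\n"
    b"\r\n"
    b'<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\r\n'
    b"<HTML><HEAD>\r\n<TITLE>302 Found</TITLE>\r\n</HEAD><BODY>\r\n<H1>Found</H1>\r\n"
    b'The document has moved <A HREF="/">here</A>.<P>\r\n</BODY></HTML>\r\n'
)

# Constructed, correctly chunked reply for comparison: two chunks, then last-chunk.
GOOD_CHUNKED_RESPONSE = (
    b"HTTP/1.1 200 OK\r\nTransfer-Encoding: chunked\r\n\r\n"
    b"5\r\nhello\r\n6\r\n world\r\n0\r\n\r\n"
)

CHUNK_SIZE_RE = re.compile(rb"[0-9A-Fa-f]+")


class ChunkedError(ValueError):
    """Body does not follow the chunk-size / chunk-data / CRLF layout."""


def split_response(raw):
    """Return (status line, lower-cased header dict, body bytes)."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("no end of headers")
    lines = head.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body


def decode_chunked(body):
    """Strict chunked decoder: concatenated chunk data, or ChunkedError."""
    out = bytearray()
    pos = 0
    while True:
        eol = body.find(b"\r\n", pos)
        if eol < 0:
            raise ChunkedError("no chunk-size line at offset %d" % pos)
        size_field = body[pos:eol].split(b";", 1)[0].strip()  # drop chunk extensions
        if not CHUNK_SIZE_RE.fullmatch(size_field):
            raise ChunkedError("bad chunk size %r at offset %d" % (bytes(size_field), pos))
        size = int(size_field, 16)
        pos = eol + 2
        if size == 0:
            return bytes(out)  # last-chunk; trailers are ignored
        if body[pos + size:pos + size + 2] != b"\r\n":
            raise ChunkedError("chunk of %d bytes at offset %d not CRLF-terminated" % (size, pos))
        out += body[pos:pos + size]
        pos += size + 2


def check_response(raw):
    """(status line, verdict): whether a body announced as chunked really decodes."""
    status, headers, body = split_response(raw)
    if headers.get("transfer-encoding", "").lower() != "chunked":
        return status, "not chunked"
    try:
        decode_chunked(body)
        return status, "chunked ok"
    except ChunkedError as exc:
        return status, "chunked header but body is not chunked: %s" % exc


def replay(request, canned_response):
    """Send the captured bytes to a loopback stub standing in for the BBR
    server; the stub answers with canned_response. Returns the bytes read back."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def stub():
        conn, _ = srv.accept()
        with conn:
            conn.recv(65536)  # consume the replayed request; contents ignored
            conn.sendall(canned_response)

    worker = threading.Thread(target=stub, daemon=True)
    worker.start()
    with socket.create_connection(srv.getsockname(), timeout=5) as client:
        client.sendall(request)
        got = []
        while True:
            data = client.recv(65536)
            if not data:
                break
            got.append(data)
    worker.join(5)
    srv.close()
    return b"".join(got)


if __name__ == "__main__":
    print(check_response(replay(CAPTURED_REQUEST, CAPTURED_RESPONSE)))
    print(check_response(replay(CAPTURED_REQUEST, GOOD_CHUNKED_RESPONSE)))
```

Swapping the canned reply is the "trim it down" step Steve describes: once the stub serves the response instead of the live site, headers and body lines can be removed one at a time (the chunked header first, given the point raised above) until the watched registry keys stop changing.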
Steve | Well, that reply is not representative of a "regular" BBR session. I'm not sending any cookies, and the URL is for a request that's known not to be valid: if I try it to "look like a real post", the reply is much, much larger. I don't recall if it had the chunked stuff or not.
Dammit, now I gotta go and fire it up on my own server to test it out 
Steve
I know it's not representative of BBR. I've been trying to locate a similar invalid response from this site - no luck yet.
B (reply to Steve) | What nice work!
Not only did you bitch about the problem but you got your hands filthy and practically figured the whole thing out for ZoneLabs.
Now if ZoneAlarm were open source I'm sure you would have fixed the code now too... 
-- B -- In a realm outside causality and function