ZoneAlarm Extreme Security
Hi,
This disclosure pertains to ZoneAlarm 9 (ForceField). ZoneAlarm have been
informed. The following discusses issues similar to those previously disclosed
regarding ZoneAlarm 8.
ZoneAlarm 9 (ForceField)
ZoneAlarm version:9.1.007.002
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 20, 2007
I. BACKGROUND
Zone Alarm products provide security solutions such as anti-virus,
firewall, spy-ware, and ad-ware protection. More information is
available at the Zone Labs web site at the following URL.
http://www.zonelabs.com/
The vsdatant.sys driver, also known as the TrueVector Device Driver, is the
core firewall driver in ZoneAlarm products.
Hi,
During my (in)security research, I've discovered what appears initially to be
a design oversight and not necessarily a vulnerability, affecting ZoneAlarm
and various other security vendors. I've tested this on various XP platforms
successfully; please feel free to notify the vendor as you wish and/or to
publish whatever you feel appropriate under the circumstances.
Crashing ZoneAlarm 8.0.020.000 by Checkpoint (Component : TrueVector)
==========================================
- Keep ZoneAlarm 8 running with vsmon.exe running (which runs by default)
- On System A: run the rogue proxy (attached) za_crasher_proxy.exe and set a port number (e.g. za_crasher_proxy.exe 5938)
- On System B: use Internet Explorer 6 and set the proxy settings to the IP of System A and port 5938 for HTTP connections
By default IE 6 has homepage as
A customer service message from ZoneAlarm …
On Tuesday, Microsoft rolled out an automatic update to all of their users. Unfortunately, this cut off Internet access for anyone on Windows XP or Windows 2000 using the ZoneAlarm firewall. This is the #1 free firewall in the world, and is also included in other security products sold by ZoneAlarm.
For ways to fix this, go here: http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
Or call Customer Service here: 1-877-966-5221
Application: ZoneAlarm Security Suite
OS: Windows XP (all patches up to date)
------------------------------------------------------
1 - Description
2 - Vulnerability
3 - POC/EXPLOIT
------------------------------------------------------
Description
* Trend Micro Internet Security Pro 2010 17.50.1647.0000
* Vba32 Personal 3.12.12.4
* VIPRE Antivirus Premium 4.0.3272
* VirusBuster Internet Security Suite 3.2
* Webroot Internet Security Essentials 6.1.0.145
* ZoneAlarm Extreme Security 9.1.507.000
* probably other versions of the above-mentioned software
* possibly many other software products that use kernel hooks to implement security features
More details are available here:
The latest auto update patch KB951748 (Windows all versions) cuts
connectivity for all users with ZoneAlarm set to 'high' security for the
internet zone
Workaround:
- Uninstall KB951748
- shut down ZoneAlarm
- temporarily set ZoneAlarm 'security level' to medium
Examples of critical security services affected
* BlackICE
* McAfee
* Pointsec
* ISS Proventia
* ZoneAlarm
* Avast
* AVG
* Trusteer Rapport
* Privatefirewall 5.0.14.2
* Process Monitor 1.22
* ProcessGuard 3.410
* ProSecurity 1.40 Beta 2
* RegMon 7.04
* ZoneAlarm Pro 7.0.362.000
* probably other versions of the above-mentioned software
* possibly many other software products that implement SSDT hooks
Not vulnerable software:
MULTIPLE LOCAL PRIVILEGE ESCALATION VULNERABILITIES
Ruben Santamarta < ruben(at)reversemode(dot)com >
08.20.2007
Affected Products: < ZoneAlarm 7.0.362
Vsdatant.sys is exposed via “\\.\vsdatant”. The permissive ACL allows
everyone to invoke privileged IOCTLs implemented in the driver.
The flaw exists due to insufficient buffer validation when the driver
All versions of ZoneAlarm have been updated and are ready for download here:
http://download.zonealarm.com/bin/free/pressReleases/2008/LossOfInternetAccessIssue.html
After installing the updates, you can move the security level to high once again. The new versions can be installed as updates or clean installs. Rebooting will be required.
On 2010-03-08 Andrew Barkley wrote:
> The following illustrates how one can easily disable ZoneAlarm's
> security for whatever malevolent purposes. This "vector" so to speak,
> is merely "abusing" a particular branch of the Windows registry, by
> registering this security service as disabled. When "exploiting" this
> "vector" (administrative privileges are assumed
Anything starting with "a user with administrative privileges can ..."
is neither a vulnerability nor a design flaw. Administrators can by
design do anything they want on the system. Period.
On successfully disarming these security services, one could also use the following to then further manipulate the drivers & services, by reconfiguring their startup parameters to 'manual' and not 'automatic', or just disable them altogether.
i.e. The following will reconfigure the startup parameters to 'manual' and not 'automatic' (default)
C:\>sc config VPatch start= demand