| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Mon, 08 Mar 2010 16:49:18 -0000 From: "Andrew Barkley" <barkley@....net> To: <bugtraq@...urityfocus.com> Subject: ZoneAlarm Security Circumvention Hi, During my (in)security research, I've discovered what appears initially to be a design oversight and not necessarily a vulnerability, affecting ZoneAlarm and various other security vendors. I've tested this on various XP platforms successfully, please feel free to notify the vendor as you wish and/or to publish whatever you feel appropriate under the circumstances. NOTE: Certain vendors (including ZoneAlarm) implement self-defence/self-protection measures (see below for clarification), so as to prevent inadvertent & malicious tampering with their software, and ultimately circumventing their security controls. This extends to certain administrative privileges. The following illustrates how one can easily disable ZoneAlarm's security for whatever malevolent purposes. This "vector" so to speak, is merely "abusing" a particular branch of the Windows registry, by registering this security service as disabled. When "exploiting" this "vector" (administrative privileges are assumed, see below for clarification) and the system rebooted, this security service will be disarmed. That said, this particular "vector" opens the door for "exploitation" via social means, thus unwitting victims may not even realise that their security has been disabled, leaving them exposed and unprotected. Step-by-step illustration How to easily circumvent ZoneAlarm's security, by disabling ZoneAlarm's service (vsmon.exe) aka "TrueVector Internet Monitor". ZoneAlarm doesn't protect this option, thus this is a good starting point for now. i.e. [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000] "CSConfigFlags"=dword:00000001 NOTE: The next step is not required, especially seeing as ZoneAlarm's service (vsmon.exe) was disabled in the previous step. However, should you also wish to reconfigure ZoneAlarm's services, especially seeing as they are now unprotected, to start manually or even disable completely; i.e. Command Prompt C:\> sc config vsmon start= disabled The following helps to clarify the misconceptions and assumptions around security software, especially in the context of administrator privileges. The following project from 'Matousec' examines security software for Windows OS that implement application-based security model. Introduction: http://www.matousec.com/projects/proactive-security-challenge/#introduction http://www.matousec.com/projects/proactive-security-challenge/level.php?num=1#tests Methodology and rules: Self-defense test: This category of tests include various attacks against the security product itself. Termination tests are the first subtype of tests that belongs in this category. These tests attempt to terminate or somehow damage processes, or their parts, of the tested product. The termination test usually succeeds if at least one of the target processes, or at least one of their parts, was terminated or damaged. Besides processes and threads, the security software usually relies on various files and registry entries. Tests that attempt to remove, destroy or corrupt these critical objects for the security product also belong to this category. Administrator's or limited account: http://www.matousec.com/projects/proactive-security-challenge/faq.php#administrators-limited-account Cheers Andrew Barkley (-_-)
Powered by blists - more mailing lists