[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <386ocHqWs5572S04.1268066958@cmsweb04.cms.usa.net>
Date: Mon, 08 Mar 2010 16:49:18 -0000
From: "Andrew Barkley" <barkley@....net>
To: <bugtraq@...urityfocus.com>
Subject: ZoneAlarm Security Circumvention
Hi,
During my (in)security research, I've discovered what appears initially to be
a design oversight and not necessarily a vulnerability, affecting ZoneAlarm
and various other security vendors. I've tested this on various XP platforms
successfully, please feel free to notify the vendor as you wish and/or to
publish whatever you feel appropriate under the circumstances.
NOTE:
Certain vendors (including ZoneAlarm) implement self-defence/self-protection
measures (see below for clarification), so as to prevent inadvertent &
malicious tampering with their software, and ultimately circumventing their
security controls. This extends to certain administrative privileges.
The following illustrates how one can easily disable ZoneAlarm's security for
whatever malevolent purposes. This "vector" so to speak, is merely "abusing" a
particular branch of the Windows registry, by registering this security
service as disabled. When "exploiting" this "vector" (administrative
privileges are assumed, see below for clarification) and the system rebooted,
this security service will be disarmed. That said, this particular "vector"
opens the door for "exploitation" via social means, thus unwitting victims may
not even realise that their security has been disabled, leaving them exposed
and unprotected.
Step-by-step illustration
How to easily circumvent ZoneAlarm's security, by disabling ZoneAlarm's
service (vsmon.exe) aka "TrueVector Internet Monitor". ZoneAlarm doesn't
protect this option, thus this is a good starting point for now.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000]
"CSConfigFlags"=dword:00000001
NOTE:
The next step is not required, especially seeing as ZoneAlarm's service
(vsmon.exe) was disabled in the previous step. However, should you also wish
to reconfigure ZoneAlarm's services, especially seeing as they are now
unprotected, to start manually or even disable completely;
i.e. Command Prompt
C:\> sc config vsmon start= disabled
The following helps to clarify the misconceptions and assumptions around
security software, especially in the context of administrator privileges. The
following project from 'Matousec' examines security software for Windows OS
that implement application-based security model.
Introduction:
http://www.matousec.com/projects/proactive-security-challenge/#introduction
http://www.matousec.com/projects/proactive-security-challenge/level.php?num=1#tests
Methodology and rules:
Self-defense test: This category of tests include various attacks against the
security product itself. Termination tests are the first subtype of tests that
belongs in this category. These tests attempt to terminate or somehow damage
processes, or their parts, of the tested product. The termination test usually
succeeds if at least one of the target processes, or at least one of their
parts, was terminated or damaged. Besides processes and threads, the security
software usually relies on various files and registry entries. Tests that
attempt to remove, destroy or corrupt these critical objects for the security
product also belong to this category.
Administrator's or limited account:
http://www.matousec.com/projects/proactive-security-challenge/faq.php#administrators-limited-account
Cheers
Andrew Barkley
(-_-)
Powered by blists - more mailing lists