Zone Labs Products Technology Bypass Vulnerability
19 years 1 week ago #11325
by jhun
hi all,
I just wanted to share this info with you...
Zone Labs Products Advance Program Control and OS Firewall (Behavioral Based) Technology Bypass Vulnerability
I. PRODUCT BACKGROUND
ZoneAlarm Pro and Internet Security Suite, with a new level of protection that Zone Labs calls an "OS Firewall" based on "Behavior Based Analysis", have gone beyond network level protection and protect PCs against various local attacks on a Windows machine. Currently available personal firewalls protect PCs against only network based attacks; however, the new Zone Labs "OS firewall" technology monitors activity at the kernel level and prevents attacks at various levels. The new approach alerts the user by closely monitoring at kernel level for any unusual activity in the system, like changes in critical registry keys, changes in start-up entries, any kind of interprocess interactions and processes making outbound connections via other trusted programs. When ZoneAlarm sees unusual activity between applications, it can put the kibosh on memory being read, or quash unauthorized driver and service loading. The PoC below discusses how the ZoneAlarm Advance Program Control and Behavior Based Technology can be defeated by using an HTML Modal Dialog Box.
II. TECHNICAL DESCRIPTION
Zone Alarm products with Advance Program Control or OS Firewall Technology enabled detect and block almost all those APIs (like Shell, ShellExecuteEx, SetWindowText, SetDlgItem etc.) which are commonly used by malicious programs to send data via HTTP by piggybacking over other trusted programs. However, it is still possible for a malicious program (Trojans or worms etc.) to make outbound connections to the evil site by piggybacking over the trusted Internet browser using an "HTML Modal Dialog" in conjunction with simple "JavaScript". Here it is assumed that the default browser (IE or Firefox etc.) has authorization to access the internet. In the case of the default installation of ZoneAlarm Pro, IE is by default allowed to access the internet.
III. IMPACT
On successful exploitation the malicious program will be able to send the victim's details and personal system information to the attacker, and this can further lead to complete system compromise.
IV. AFFECTED PRODUCTS
Zone Alarm Pro 6.0.x
Zone Alarm Internet Security Suite 6.0.x
Zone Alarm Firewall with Anti-Spyware 6.1.x
Zone Alarm Firewall with Anti-Virus 6.0.x
Zone Alarm Firewall (Free Version) 6.0.x
V. PROOF-OF-CONCEPT:
By using the ShowHTMLDialog() method, it is possible for any malicious program to create a modal dialog box that displays HTML. This in turn can be used to redirect the page to the attacker's site. It is observed that using this method, ZA Pro and Internet Security Suite are unable to block internet access. This method can be used by any malicious program to send data outside via HTTP to the attacker, and at the same time it can also receive command instructions from the attacker.
VI. CONCLUSION:
This exploit might work for all other personal firewalls available which are based on behavioral based analysis. I didn't consider this test for ordinary personal firewalls which do only network based protection, as it is beyond the capability of those firewalls to protect against such attacks, although this exploit will successfully bypass those firewalls.
VII. HISTORY:
10th Oct, 2005 - Bug Originally Discovered
15th Oct, 2005 - Vendor Reported
15th Oct, 2005 - Vendor acknowledged the report and asked me not to go public until such time that they can fully investigate and coordinate a response.
17th Oct, 2005 - Vendor asked for more information
19th Oct, 2005 - Vendor provided with more information and the version info on which the exploit was tested.
21st Oct, 2005 - Vendor coordinator replied that he is leaving Zone Labs and there will be someone else who will get in touch with me.
29th Oct, 2005 - Final follow up with the vendor but no response after the first vendor coordinator left the organization. Don't know what the problem is??
8th Nov, 2005 -- Public Disclosure
The PoC along with the compiled exploit can be downloaded from the following link:
www.hackingspirits.com/vuln-rnd/vuln-rnd.html
VIII. CREDITS:
Tr0y (a.k.a Debasis Mohanty)
debasis@hackingspirits.com
www.hackingspirits.com
You can also verify this on securityfocus' site.
www.securityfocus.com/bid/15347/info
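The advisory above describes a non-browser program borrowing a trusted browser's network permission by hosting an HTML dialog. The following is an added detection example, not part of jhun's post, the advisory, or any Zone Labs code: it correlates image-load and network-connect telemetry in the style of Sysmon records (EventID 7 and 3) and flags a process outside a browser allowlist that loads mshtml.dll (the library that exports ShowHTMLDialog) and then opens an outbound connection shortly afterwards. The event records, the allowlist and the correlation window are constructed assumptions for the example; how ZoneAlarm itself attributed the traffic is not known from the page and is not modelled here.

```python
"""Added example: flag a non-browser process that loads mshtml.dll (the DLL that
exports ShowHTMLDialog) and then connects out within a short window."""
from datetime import datetime, timedelta

# Assumed allowlist of images expected to host MSHTML content; tune per environment.
BROWSER_IMAGES = {"iexplore.exe", "explorer.exe", "mshta.exe"}

# A load followed by a connection inside this window is treated as one chain (assumed value).
CORRELATION_WINDOW = timedelta(minutes=5)

# Constructed Sysmon-style records (EventID 7 = ImageLoad, EventID 3 = NetworkConnect).
SAMPLE_EVENTS = [
    {"EventID": 7, "UtcTime": "2005-11-08 10:00:01", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "ImageLoaded": r"C:\WINDOWS\system32\mshtml.dll"},
    {"EventID": 3, "UtcTime": "2005-11-08 10:00:02", "ProcessGuid": "{A1}",
     "Image": r"C:\Program Files\Internet Explorer\iexplore.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 80},
    # Unknown binary loads mshtml.dll and reaches out two seconds later: flagged.
    {"EventID": 7, "UtcTime": "2005-11-08 10:01:00", "ProcessGuid": "{B2}",
     "Image": r"C:\Temp\update.exe",
     "ImageLoaded": r"C:\WINDOWS\system32\mshtml.dll"},
    {"EventID": 3, "UtcTime": "2005-11-08 10:01:02", "ProcessGuid": "{B2}",
     "Image": r"C:\Temp\update.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 80},
    # Same pattern but the connection falls outside the window: not flagged.
    {"EventID": 7, "UtcTime": "2005-11-08 10:02:00", "ProcessGuid": "{C3}",
     "Image": r"C:\Temp\report.exe",
     "ImageLoaded": r"C:\WINDOWS\system32\mshtml.dll"},
    {"EventID": 3, "UtcTime": "2005-11-08 10:30:00", "ProcessGuid": "{C3}",
     "Image": r"C:\Temp\report.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def _basename(path):
    """Last path component, lower-cased, accepting Windows or POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def _when(event):
    """Parse the record's UtcTime field into a datetime."""
    return datetime.strptime(event["UtcTime"], "%Y-%m-%d %H:%M:%S")


def find_mshtml_chains(events, allowlist=BROWSER_IMAGES, window=CORRELATION_WINDOW):
    """Return one alert per process outside `allowlist` that loads mshtml.dll and
    then makes an outbound connection within `window` of that load."""
    loads = {}      # ProcessGuid -> time mshtml.dll was first loaded
    flagged = set()  # processes already reported, so each is alerted once
    alerts = []
    for event in sorted(events, key=_when):
        guid = event["ProcessGuid"]
        if _basename(event["Image"]) in allowlist:
            continue  # browsers are expected to host MSHTML and talk to the network
        if event["EventID"] == 7 and _basename(event["ImageLoaded"]) == "mshtml.dll":
            loads.setdefault(guid, _when(event))
        elif event["EventID"] == 3 and guid in loads and guid not in flagged:
            if _when(event) - loads[guid] <= window:
                flagged.add(guid)
                alerts.append({
                    "ProcessGuid": guid,
                    "Image": event["Image"],
                    "Destination": f'{event["DestinationIp"]}:{event["DestinationPort"]}',
                })
    return alerts


if __name__ == "__main__":
    for alert in find_mshtml_chains(SAMPLE_EVENTS):
        print("ALERT:", alert)
```

Run as-is it reports the `{B2}` chain only. In a real deployment the ImageLoad event must be enabled for mshtml.dll in the sensor configuration, and the allowlist needs baselining first, since help viewers, installers and other legitimate software also host MSHTML; the value of the rule is the combination of an unexpected host process with an outbound connection, not the DLL load alone.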
19 years 1 week ago #11326
by Bublitz
The Bublitz
Systems Admin
Hospice of the Red River Valley
Replied by Bublitz on topic Re: Zone Labs Products Technology Bypass Vulnerability
cool