Vulnerability: ZoneAlarm
Affected: ZoneAlarm (Pro)

Description

The following is based on a Diamond Computer Systems Security Advisory.

ZoneAlarm and ZoneAlarm Pro can be taken down with a tiny batch file. This is Low-Medium risk, but as Zone Labs will not be fixing the problem it could be considered Medium-High. Zone Labs Inc. were notified on Wednesday Dec 27, 2000, but as Zone Labs have given a final response to this particular vulnerability, it can now be disclosed to the public.

ZoneAlarm and ZoneAlarm Pro, like all good multi-file programs, support an Uninstall feature. The Uninstall routine executes zonealarm.exe (or zapro.exe in the Pro version), vsmon.exe, and minilog.exe, passing special uninstall and unload parameters to each program. By doing this, ZoneAlarm shuts down its user interface and services. By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH program is calling it to unload, thus allowing a trojan to execute the ZoneAlarm programs in the same way to shut down the firewall.

A very trivial exploit: all a trojan has to do is look in HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory to locate ZoneAlarm.exe (as just one of many ways to locate ZoneAlarm), then locate the Windows System32 directory before executing zonealarm.exe, vsmon.exe and minilog.exe, passing each one the uninstall and unload parameters as specified in ZoneAlarm's Manual Uninstall.

Running the following batch file will shut down your ZoneAlarm\ZoneAlarm Pro firewall. The batch file assumes that you have installed ZoneAlarm\ZoneAlarm Pro into the default directory locations. Needless to say, this isn't a very efficient way of using the exploit, and a trojan would be a lot smarter in determining the locations of the four ZA executables, but this batch file demonstrates the simplicity of the vulnerability.

    @echo off
    @echo Shutting down ZoneAlarm and ZoneAlarm Pro, one moment...
    REM Unload the user interface (Pro and standard builds, default 8.3 paths)
    c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload
    c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload
    REM Unload the services; Windows 9x keeps them under \system, NT under \system32
    %windir%\system\zonelabs\vsmon.exe -unload -uninstall
    %windir%\system\zonelabs\minilog.exe -unload -uninstall
    %windir%\system32\zonelabs\vsmon.exe -unload -uninstall
    %windir%\system32\zonelabs\minilog.exe -unload -uninstall
    @echo Finished
    @echo on

Solution

According to Zone Labs, if you get the buy-before-you-try version of ZA (ZoneAlarm Pro) AND you set passwords, you won't be vulnerable. As a matter of convenience, the majority of ZoneAlarm Pro users would _NOT_ use passwords, and by default there is no need for them to do so. It appears those who don't set passwords and regular ZoneAlarm users are left out in the cold with this one.
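The weakness described above is that ZoneAlarm itself cannot tell which process asked it to unload, but a host's process-creation log can. The following detector is an added example, not code from the advisory or from Zone Labs: it parses constructed key=value process-creation records (a simplified Sysmon-style layout that is my own assumption) and flags any run of the four ZoneAlarm executables carrying the -unload or -uninstall parameters whose parent process is not one of ZoneAlarm's own binaries. The trusted-parent list, the 8.3 short name and the uninstaller name are assumptions, marked as such in the code.

```python
"""Flag ZoneAlarm unload/uninstall invocations started by an unexpected parent process."""
import re
from typing import Dict, List, Set

# The four ZoneAlarm executables named in the advisory, plus the assumed 8.3
# short name of zonealarm.exe in case a log source records the short path.
ZA_BINARIES: Set[str] = {"zonealarm.exe", "zapro.exe", "vsmon.exe", "minilog.exe", "zoneal~1.exe"}

# Parameters the advisory says the Uninstall routine passes to each program.
UNLOAD_FLAGS: Set[str] = {"-unload", "-uninstall"}

# Assumption: a legitimate unload is launched by ZoneAlarm's own processes or its
# uninstaller. The uninstaller file name is a placeholder, not Zone Labs' real name.
DEFAULT_TRUSTED_PARENTS: Set[str] = ZA_BINARIES | {"zonealarm-uninstaller-placeholder.exe"}

# Constructed sample records (not real telemetry): key=value pairs, quoted when
# a value contains spaces, in the order a process-creation audit would emit them.
SAMPLE_LOG: List[str] = [
    # Legitimate uninstall: vsmon.exe unloaded by ZoneAlarm's own interface process.
    r'2001-01-03 10:12:01 EventType=ProcessCreate ParentImage="C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" Image="C:\WINNT\system32\zonelabs\vsmon.exe" CommandLine="vsmon.exe -unload -uninstall"',
    # Batch-file style shutdown launched from a command interpreter.
    r'2001-01-03 10:15:44 EventType=ProcessCreate ParentImage="C:\WINNT\system32\cmd.exe" Image="C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe" CommandLine="c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload"',
    r'2001-01-03 10:15:45 EventType=ProcessCreate ParentImage="C:\WINNT\system32\cmd.exe" Image="C:\WINNT\system32\zonelabs\minilog.exe" CommandLine="minilog.exe -unload -uninstall"',
    # Normal start of the user interface: no unload parameter, so not an alert.
    r'2001-01-03 10:20:00 EventType=ProcessCreate ParentImage="C:\WINNT\Explorer.exe" Image="C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" CommandLine="zonealarm.exe"',
    # Unrelated program that happens to take an -unload argument: not an alert.
    r'2001-01-03 10:21:30 EventType=ProcessCreate ParentImage="C:\WINNT\Explorer.exe" Image="C:\WINNT\notepad.exe" CommandLine="notepad.exe -unload"',
]

# key="quoted value" or key=bare-value; the leading timestamp has no '=' and is skipped.
_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')


def parse_event(line: str) -> Dict[str, str]:
    """Return the key=value fields of one record as a dict."""
    fields: Dict[str, str] = {}
    for m in _FIELD.finditer(line):
        fields[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return fields


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (either separator accepted)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_unloads(lines: List[str], trusted_parents: Set[str] = DEFAULT_TRUSTED_PARENTS) -> List[dict]:
    """Alert on ZoneAlarm binaries run with unload/uninstall flags by an untrusted parent."""
    alerts: List[dict] = []
    for line in lines:
        ev = parse_event(line)
        image = _basename(ev.get("Image", ""))
        if image not in ZA_BINARIES:
            continue
        flags = {tok.lower() for tok in ev.get("CommandLine", "").split()} & UNLOAD_FLAGS
        if not flags:
            continue
        parent = _basename(ev.get("ParentImage", ""))
        if parent in trusted_parents:
            continue
        alerts.append({"image": image, "parent": parent, "flags": sorted(flags), "line": line})
    return alerts


if __name__ == "__main__":
    for alert in suspicious_unloads(SAMPLE_LOG):
        print(f"ALERT: {alert['image']} unloaded by {alert['parent']} with {' '.join(alert['flags'])}")
```

On the sample records this yields two alerts (zapro.exe and minilog.exe, both parented by cmd.exe) and stays quiet for the self-initiated unload, the normal start and the unrelated program. The parent allowlist is a heuristic for spotting the unload path being driven from outside ZoneAlarm; it complements, rather than replaces, the password setting that Zone Labs names as the actual mitigation.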