ZoneAlarm vulnerability

  1. #1

    ZoneAlarm vulnerability

    Sorry if this has been posted before. I did look, and found nothing. It's a very informative article regarding ZoneAlarm, and a potential vuln. I have no space to put this up, so I have to post the whole e-mail I received:


    sec-labs team proudly presents:

    Local ZoneAlarm Firewall (probably all versions - tested on v3.1)
    Device Driver vulnerability.
    by Lord YuP


    ZoneAlarm is a very powerful and nowadays very common firewall for
    Windows, produced by Zone Labs.


    The driver installed with ZoneAlarm is vulnerable and can be
    exploited; as a result, an attacker can gain full system control
    (ring0 privileges).

    By sending a properly formatted message to the ZoneAlarm Device
    Driver (VSDATANT - TrueVector Device Driver) you can cause a
    device driver memory overwrite.

    Overview: sending faked buffers with a specific signal can cause
    miscellaneous code execution.

    The first signal should be sent to overwrite a specific memory location;
    in the current case it can be one of the case-if statements.

    push 0 ;overlapped
    push offset bytes_returned ;bytes returned
    push 4 ;lpOutBuffer size
    push STATMENT_INSTRUCTION_POINTER ;memory to overwrite
    push 0 ;lpInBuffer size
    push 0 ;lpInBuffer
    push 8400000fh ;guess what X-D
    push vsdatant_handle ;device handle
    call DeviceIoControl ;send it!

    If the correct STATMENT_INSTRUCTION_POINTER is supplied, the address
    should be overwritten with 00060001h (example). After memory
    allocation at this address (inserting shellcode bla bla bla), the
    second signal must be sent to jump into the inserted code. That can
    be done by sending another signal:

    db 7 dup (0) ;data?
    dd temp_buff ;temp buffer
    db 10 dup (0) ;some space

    This one should be sent with another dwIoControl code; however, we
    are no longer publishing any exploits, even PoC (die kiddies).

    After sending the second faked message, the device driver will jump
    to the STATEMENT offset which was overwritten by the first "signal".


    After successful exploitation, the attacker can obtain FULL SYSTEM
    CONTROL! In the worse option for the attacker, the OS can fault!


    The white paper about Device Drivers Attacks can be found at the papers section.

    --
    sec-labs team

    I got this from Vulnwatch mail.
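The overwrite the advisory describes comes from a driver that treats the caller's output-buffer pointer as trustworthy and writes its reply through it, so a kernel address passed as lpOutBuffer gets written like any other. The C program below is an added illustration, not code from the advisory, from Zone Labs or from the VSDATANT driver: it simulates a small 32-bit address space in user mode (the SIM_* names, the status codes and the use of 00060001h as the driver's reply value are all constructed for this demo) and shows a dispatch routine that writes through the raw pointer beside one that applies the checks a Windows driver gets from ProbeForWrite (or avoids entirely by using METHOD_BUFFERED, where the I/O manager copies the output buffer for it) before touching it.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed 32-bit address space for the demonstration. Two small pages
 * stand in for a user-mode buffer and a kernel-mode region. */
#define SIM_PAGE         4096u
#define SIM_USER_BASE    0x00400000u
#define SIM_KERNEL_BASE  0x80010000u
#define SIM_USER_LIMIT   0x7FFF0000u   /* plays the role of MmUserProbeAddress */

static uint8_t sim_user_page[SIM_PAGE];
static uint8_t sim_kernel_page[SIM_PAGE];

/* Status values local to this demo, in the spirit of NTSTATUS codes. */
enum { SIM_SUCCESS = 0, SIM_ACCESS_VIOLATION = 1, SIM_INVALID_PARAMETER = 2 };

/* Reply the driver hands back through the output buffer (value taken from
 * the advisory's example; the meaning assigned to it here is hypothetical). */
#define DRIVER_REPLY 0x00060001u

/* Translate a simulated VA to backing storage; NULL if unmapped or wrapping. */
static uint8_t *sim_translate(uint32_t va, uint32_t len) {
    if (len == 0 || va + len < va) return NULL;
    if (va >= SIM_USER_BASE && va + len <= SIM_USER_BASE + SIM_PAGE)
        return sim_user_page + (va - SIM_USER_BASE);
    if (va >= SIM_KERNEL_BASE && va + len <= SIM_KERNEL_BASE + SIM_PAGE)
        return sim_kernel_page + (va - SIM_KERNEL_BASE);
    return NULL;
}

/* Vulnerable pattern: with METHOD_NEITHER the output pointer arrives raw
 * (Irp->UserBuffer) and this handler writes through it without probing.
 * A kernel address is accepted as readily as a user one, and out_len is
 * never consulted. */
int vulnerable_ioctl(uint32_t out_va, uint32_t out_len, uint32_t *bytes_returned) {
    uint32_t reply = DRIVER_REPLY;
    uint8_t *dst = sim_translate(out_va, sizeof reply);
    (void)out_len;
    if (!dst) return SIM_ACCESS_VIOLATION;   /* on real hardware: a bugcheck */
    memcpy(dst, &reply, sizeof reply);
    *bytes_returned = sizeof reply;
    return SIM_SUCCESS;
}

/* Hardened pattern: the checks ProbeForWrite performs (length, alignment,
 * no wraparound, whole buffer below the user limit) before any write.
 * ProbeForWrite raises an exception the driver catches; here the failure
 * is returned as a status so it can be asserted on. */
int hardened_ioctl(uint32_t out_va, uint32_t out_len, uint32_t *bytes_returned) {
    uint32_t reply = DRIVER_REPLY;
    uint8_t *dst;
    *bytes_returned = 0;
    if (out_len < sizeof reply) return SIM_INVALID_PARAMETER;   /* too short */
    if (out_va & (sizeof reply - 1)) return SIM_INVALID_PARAMETER; /* misaligned */
    if (out_va + out_len < out_va) return SIM_ACCESS_VIOLATION;    /* wraps */
    if (out_va + out_len > SIM_USER_LIMIT) return SIM_ACCESS_VIOLATION; /* kernel range */
    dst = sim_translate(out_va, sizeof reply);
    if (!dst) return SIM_ACCESS_VIOLATION;
    memcpy(dst, &reply, sizeof reply);
    *bytes_returned = sizeof reply;
    return SIM_SUCCESS;
}

/* Read back the DWORD at a simulated VA (0 if unmapped); used to observe
 * whether a handler touched kernel memory. */
uint32_t sim_read32(uint32_t va) {
    uint32_t v = 0;
    uint8_t *p = sim_translate(va, sizeof v);
    if (p) memcpy(&v, p, sizeof v);
    return v;
}

void sim_reset(void) {
    memset(sim_user_page, 0, sizeof sim_user_page);
    memset(sim_kernel_page, 0, sizeof sim_kernel_page);
}

int main(void) {
    uint32_t br = 0, target = SIM_KERNEL_BASE + 0x100;
    sim_reset();
    vulnerable_ioctl(target, 4, &br);
    printf("vulnerable: kernel word now %08x\n", sim_read32(target));
    sim_reset();
    printf("hardened: status %d, kernel word %08x\n",
           hardened_ioctl(target, 4, &br), sim_read32(target));
    return 0;
}
```

The point of the simulation is the asymmetry between the two handlers: the address the advisory calls STATMENT_INSTRUCTION_POINTER is just whatever the caller put in lpOutBuffer, and only the probe (or a buffered IOCTL method) keeps that write confined to the caller's own address space.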


  2. #2
    Again, no web site to host info, so I'm posting the full e-mail:

    [Hello. I apologize for sending this response to your vulnerability-reporting address, but it doesn't appear that you have a separate address for responses to the alerts you post. This is in response to Lord YuP's report, which he did not inform us of prior to posting. Please don't hesitate to contact me at the contact info below for additional information. Thank you.]

    Following is the official Zone Labs response to "Local ZoneAlarm Firewall (probably all versions - tested on v3.1)" originally written by Lord YuP.

    Corey Bridges
    Chief Editor of E-Communities
    Zone Labs, Inc.
    (v) 415.341.8355
    (f) 415.341.8299

    Zone Labs response to Device Driver Attack

    OVERVIEW: This vulnerability describes a way to send unauthorized commands to a Zone Labs device driver and potentially cause unexpected behavior. This proof-of-concept exploit represents a relatively low risk to Zone Labs users. It is a “secondary” exploit that requires physical access to a machine or circumvention of other security measures included in Zone Labs consumer and enterprise products to exploit. We are working on a fix and will release it within 10 days.

    EXPLOIT: The demonstration code is a proof-of-concept example that describes a potential attack against the Zone Labs device driver that is part of the TrueVector client security engine. In the exploit, a malicious application sends unauthorized commands to this device driver. The author also claims that this could potentially compromise system security. While we have verified that unauthorized commands could be sent to the device driver, we have not been able to verify that this exploit can actually affect system security. The code sample published was intentionally incomplete, to prevent malicious hackers from using it.

    RISK: We believe that the immediate risk to users from this exploit is low, for several reasons: this is a secondary attack, not a primary vulnerability created or allowed by our product. Successful exploitation of this vulnerability would require bypassing several other layers of protection in our products, including the stealth firewall and/or MailSafe email protection. To our knowledge, there are no examples of malicious software exploiting this vulnerability. Further, the code sample was written specifically to attack ZoneAlarm 3.1, an older version of our software.

    SOLUTION: Security for our users is our first concern, and we take reports of this kind seriously. We will be updating our products to address this issue by further strengthening protection for our device driver and will make these updates available in the next 10 days. Registered users who have enabled the "Check for Update" feature in ZoneAlarm, ZoneAlarm Plus, or ZoneAlarm Pro are informed by the software automatically whenever a new software update is released. Zone Labs will provide guidance to Integrity administrators regarding updating their client software.

    CONTACT: Zone Labs customers who are concerned about the proof-of-concept Device Driver Attack or have additional technical questions may reach our Technical Support group at: <>

    ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this issue to our attention. However, we would prefer to be contacted at <> prior to publication, in order to allow us to address any security issues up front.
    ZoneAlarm always seems to take these issues seriously. I was impressed that they responded so quickly.


  3. #3
    They should take them seriously if they want users to continue to use their software and tell other people about it.

  4. #4 (deftones12)
    10 days seems kinda long...I dunno though...with as many users as they have, and they even charge for their product...they should be quicker than 10 days. I'm switchin from zonealarm to privatefirewall anyways...still hope this gets fixed though. Was that smart to post the exploit and how to create the packet to send???

  5. #5
    I did consider not posting the entire thing, but considering the fact that this is a security forum, rather than a hacking forum, I thought it in everyone's best interest to understand fully how the vulnerability works.

    AO seems fairly free of malicious script kiddies, and those few that do prowl the forums for info likely couldn't craft a packet or understand how overflows work. If any mods feel this post is inappropriate, please remove it. My intentions were not bad; I simply thought the article interesting.


  6. #6
    When it comes to a noncritical exploit (any exploit that is local only is usually considered noncritical), 10 days is a very quick response time. I have seen known vulns go unaddressed by software companies for years.
