Results 1 to 8 of 8

Thread: zone alert takedown

  1. #1
    Junior Member
    Join Date
    Aug 2001

    Angry zone alert takedown

    Diamond Computer Systems Security Advisory

    VULNERABILITY: ZoneAlarm and ZoneAlarm Pro can be taken down with a tiny batch file.

    SEVERITY: Low-Medium, but as Zone Labs will not be fixing the problem it could be considered Medium-High.

    AFFECTED SOFTWARE: "Zone Alarm" and "Zone Alarm Pro" (Zone Labs Inc. -, possibly all versions.


    RELEASE DATE: Friday Dec 29, 2000

    VENDOR NOTIFIED: Zone Labs Inc. were notified on Wednesday Dec 27, 2000, but as Zone Labs have given a final response to this particular vulnerability, it can now be disclosed to the public.


    ZoneAlarm and ZoneAlarm Pro, like all good multi-filed programs, supports an Uninstall feature. The Uninstall routine executes zonealarm.exe (or zapro.exe in the Pro version), vsmon.exe, and minilog.exe, passing special uninstall and unload parameters to each program. By doing this, ZoneAlarm shuts down it's user interface and services.

    By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH program is calling it to unload, thus allowing a trojan to execute the ZoneAlarm programs in the same way to shut down the firewall.

    A very trivial exploit - all a trojan has to do is look in HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory to locate ZoneAlarm.exe (as just one of many ways to locate ZoneAlarm), then locate the Windows System32 directory before executing zonealarm.exe, vsmon.exe and minilog.exe, parsing each one the uninstall and unload parameters as specified in ZoneAlarm's Manual Uninstall.

    From Conrad Hermann, VP of Engineering at Zone Labs:
    "...Of course, you are intended to be able to uninstall ZoneAlarm--as I'm sure you can tell, this is a very important thing to be able to do, since it is an introductory product for new users. In testing ZoneAlarm Pro, it seems you did not set a password, or else you would have reported that the password would be required to shut down using VSMON -unload. Without the password, vsmon -unload doesn't disable security."

    In other words, if you get the buy-before-you-try version of ZA (ZoneAlarm Pro) AND you set passwords, you won't be vulnerable. As a matter of convenience, the majority of ZoneAlarm Pro users would _NOT_ use passwords - and by default there is no need for them to do so. It appears those who don't set passwords and regular ZoneAlarm users are left out in the cold with this one.

    Running this batch file will shut-down your ZoneAlarm\ZoneAlarm Pro firewall. The batch file assumes that you have installed ZoneAlarm\ZoneAlarm Pro into their default directory locations. Needless to say, this isn't a very efficient way of using the exploit, and a trojan would be a lot smarter in determining the locations of the four ZA executables, but this batch file demonstrates the simplicity of the vulnerability.

    ---File begins: ZONEDOWN.BAT ---
    @echo off
    @echo Shutting down ZoneAlarm and ZoneAlarm Pro, one moment...
    c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload
    c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload
    %windir%\system\zonelabs\vsmon.exe -unload -uninstall
    %windir%\system\zonelabs\minilog.exe -unload -uninstall
    %windir%\system32\zonelabs\vsmon.exe -unload -uninstall
    %windir%\system32\zonelabs\minilog.exe -unload -uninstall
    @echo Finished
    @echo on
    ---File ends---

    DiamondCS would like to thank Steve Gibson of for his mutual assistance to both DiamondCS and Zone Labs.

    Publishing of this document is permitted providing the text is published in it's entirety and with no modifications.

    Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. -

  2. #2
    Join Date
    Aug 2001
    Did Steve Gibson help them with this? He's been calling ZoneAlarm the only safe firewall for years!

  3. #3
    Junior Member
    Join Date
    Aug 2001

    Thumbs up steve gibson

    i guess so
    the text of the message also indicates this

    Any program can be terminated by trojans due to Windows flaws, recent trojans search for security software and terminate if found. diamond cs support are working on a new program which will protect against this, but for now you should turn on all scan options in Scan Control and run a full system scan to try to establish that you have no trojans. The programs could also be crashing, but you would usually see some message.

  4. #4
    Join Date
    Aug 2001

    Unload yes, uninstall no!

    I just tried the batch-file:

    - Unload: no problem: ZA just goes down, no warning, no nothing (trying to disable it in Windows does give a warning). That indeed is a flaw, but is it a Windows flaw or a ZA flaw?

    - Uninstall: ZA still gives a warning, so this one can't be used (by trojans, that is).

    Conclusion: unload yes, uninstall no way! Unloading ZA of course is the only thing necessary...

  5. #5
    Junior Member
    Join Date
    Aug 2001
    I dont know what to think really

    one thing that bothers me though is how simple it is to put a trojan file with common name like

    log.txt (.bat or exe or com hidden extra extention)

    ie *.pif files are hard to find

    or even explorer.exe (.pif)

    in the root dirctory ( where it boots first)or in some other deeply nested but innapropriate dirctory eg where the dbx files for outlooks databases are stored

    "sigh" new improved paranoiia seems to a benchmark these days

    slightly off topic again ithought the privacy groups bugnosis programme is pretty clever Bugnosis

    What do you think ?

  6. #6
    well alli know is that i usually keep zone alarm at the high setting and i know that norton tells me everyytime my boot files are messed with, so i think i'll be protected, maybe i missed seomthing but.....why would someone wanna run a batch file anyways, i mean, dos sucks

  7. #7
    Senior Member
    Join Date
    Aug 2001

    Arrow's not like someone can sit on the internet and stop your Zone Alarm remotely. They either 1. have to already have compromised your machine which means Zone Alarm already failed or 2. have to have physical access to your computer. If they already have physical access and they can run things, there are much worse things I would be worried about.
    \"If you torture the data enough, it will confess.\" --Ronald Coase

  8. #8
    Well yea, that makes sence, of course. I depend on zone alram and think is doing a great job so far.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts