[VulnWatch] Local ZoneAlarm Firewall (probably all versions - tested on v3.1)

loper_at_hushmail.com
Date: 08/05/03

  • Next message: Peter Winter-Smith: "[VulnWatch] Directory Traversal Vulnerability in 121 WAM! Server 1.0.4.0" 
    Date: Tue,  5 Aug 2003 06:36:44 -0700
To: vulnwatch@vulnwatch.org

    -----BEGIN PGP SIGNED MESSAGE-----
    Hash: SHA1

    sec-labs team proudly presents:

         Local ZoneAlarm Firewall (probably all versions - tested on v3.1)

         Device Driver vulnerability.
         by Lord YuP
         04/08/2003

     I. BACKGROUND

       ZoneAlarm is a very powerful and very common nowadays firewall for

       Windows produced by Zone Labs. (http://www.zonelabs.com)

     II. DESCRIPTION

       The driver installed with ZoneAlarm is vulnerable, and can be
       exploited in cause of that attacker can gain full system control
       (ring0 privileges).

       By sending properly formatted message to the ZoneAlarm Device
       Driver (VSDATANT - TrueVector Device Driver) you can cause an
       device driver memory overwrite.

       Overview, sending faked buffors with specific singal can cause
       a miscellaneous code execution:

       First signal should be send to overwrite specific memory location,

       in the current case it can be one of the case-if-statement.

         push 0 ;overlapped
         push offset bytes_returned ;bytes returned
         push 4 ;lpOutBuffer size
         push STATMENT_INSTRUCTION_POINTER ;memory to overwrite
         push 0 ;lpInBuffer size
         push 0 ;lpInBuffer
         push 8400000fh ;guess what X-D
         push vsdatant_handle ;device handle
         call DeviceIoControl ;send it!

       If the correct STATMENT_INSTRUCTION_POINTER will be put the address

       should be overwritten to 00060001h (example). After memory
       allocation at this address (inserting shellcode bla bla bla), the

       second signal must be send to jump into inserted code. That can
       be done with sending another signal:

         LpInBuffer:
         db STATMENT_OVERWRITTEN_NUMBER ;where to jump
         db 7 dup (0) ;data?
         dd temp_buff ;temp buffer
         db 10 dup (0) ;some space

       This one should be send with another dwIoControl code, however we

       are no longer publishing any exploits, even PoC (die kiddies)

       After sending second faked message, device driver will jump
       to the STATEMENT offset which was overwritten by first "signal"

     III. IMPACT

       The after sucessfull exploitation, attacker can obtain FULL SYSTEM

       CONTROL! In the worse for attacker option, OS can fault!

     IV. REFERENCE - DEVICE DRIVER ATTACKS

       The white paper about Device Drivers Attacks can be found at
       http://sec-labs.hack.pl the papers section.

    - --
    sec-labs team [http://sec-labs.hack.pl]

    -----BEGIN PGP SIGNATURE-----
    Note: This signature can be verified at https://www.hushtools.com/verify
    Version: Hush 2.3

    wkYEARECAAYFAj8vsuMACgkQoV/1CFyTO42zegCfSKgxbYwXVPA7fcGauhC46+YBFWAA
    oJNiPuMSgIDqvKAAH6iKBnLK/U2X
    =gYBu
    -----END PGP SIGNATURE-----

    Concerned about your privacy? Follow this link to get
    FREE encrypted email: https://www.hushmail.com/?l=2

    Free, ultra-private instant messaging with Hush Messenger
    https://www.hushmail.com/services.php?subloc=messenger&l=434

    Promote security and make money with the Hushmail Affiliate Program:
    https://www.hushmail.com/about.php?subloc=affiliate&l=427

  • Next message: Peter Winter-Smith: "[VulnWatch] Directory Traversal Vulnerability in 121 WAM! Server 1.0.4.0"