ZoneAlarm Security Circumvention
Hi,
During my (in)security research, I've discovered what appears initially to be a design oversight and not necessarily a vulnerability, affecting ZoneAlarm and various other security vendors. I've tested this on various XP platforms successfully; please feel free to notify the vendor as you wish and/or to publish whatever you feel appropriate under the circumstances.
NOTE:
Certain vendors (including ZoneAlarm) implement self-defence/self-protection measures (see below for clarification), so as to prevent inadvertent & malicious tampering with their software, and ultimately circumventing their security controls. This extends to certain administrative privileges.
The following illustrates how one can easily disable ZoneAlarm's security for whatever malevolent purposes. This "vector", so to speak, is merely "abusing" a particular branch of the Windows registry, by registering this security service as disabled. When "exploiting" this "vector" (administrative privileges are assumed, see below for clarification) and the system is rebooted, this security service will be disarmed. That said, this particular "vector" opens the door for "exploitation" via social means, thus unwitting victims may not even realise that their security has been disabled, leaving them exposed and unprotected.
Step-by-step illustration
How to easily circumvent ZoneAlarm's security, by disabling ZoneAlarm's service (vsmon.exe) aka "TrueVector Internet Monitor". ZoneAlarm doesn't protect this option, thus this is a good starting point for now.
i.e.
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000]
"CSConfigFlags"=dword:00000001
NOTE:
The next step is not required, especially seeing as ZoneAlarm's service (vsmon.exe) was disabled in the previous step. However, should you also wish to reconfigure ZoneAlarm's services, especially seeing as they are now unprotected, to start manually or even disable completely;
i.e. Command Prompt
C:\> sc config vsmon start= disabled
The following helps to clarify the misconceptions and assumptions around security software, especially in the context of administrator privileges. The following project from 'Matousec' examines security software for Windows OS that implements an application-based security model.
Introduction:
http://www.matousec.com/projects/proactive-security-challenge/#introduction
http://www.matousec.com/projects/proactive-security-challenge/level.php?num=1#tests
Methodology and rules:
Self-defense test: This category of tests includes various attacks against the security product itself. Termination tests are the first subtype of tests that belong in this category. These tests attempt to terminate or somehow damage processes, or their parts, of the tested product. The termination test usually succeeds if at least one of the target processes, or at least one of their parts, was terminated or damaged. Besides processes and threads, the security software usually relies on various files and registry entries. Tests that attempt to remove, destroy or corrupt these critical objects for the security product also belong to this category.
Administrator's or limited account:
http://www.matousec.com/projects/proactive-security-challenge/faq.php#administrators-limited-account
Cheers
Andrew Barkley
(-_-)
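Added example, not part of the post above: a small Python check written from the defender's side. It parses a constructed .reg export and flags the two changes the post describes: the CSConfigFlags disabled bit under the LEGACY_VSMON enum key, and a vsmon service "Start" value of 4 (the result of "sc config vsmon start= disabled"). The sample export is constructed, and the reading of CSConfigFlags bit 0x1 as CONFIGFLAG_DISABLED and Start=4 as SERVICE_DISABLED is taken from the Windows SDK definitions, not from the post.

```python
import re

# Constructed sample of a .reg export containing both changes the post
# describes. Not captured from a real system.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000]
"CSConfigFlags"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vsmon]
"Start"=dword:00000004
"""

CONFIGFLAG_DISABLED = 0x1  # bit 0 of CSConfigFlags (regstr.h): device disabled
SERVICE_DISABLED = 4       # "Start" value set by "sc config <svc> start= disabled"


def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: int_or_str}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$', line)
            if m:
                name, dword, string = m.groups()
                keys[current][name] = int(dword, 16) if dword else string
    return keys


def check_vsmon_tampering(reg_text):
    """Return findings for each way the vsmon service has been disabled."""
    findings = []
    for path, values in parse_reg_export(reg_text).items():
        upper = path.upper()
        if upper.endswith(r"\ENUM\ROOT\LEGACY_VSMON\0000"):
            flags = values.get("CSConfigFlags", 0)
            if isinstance(flags, int) and flags & CONFIGFLAG_DISABLED:
                findings.append(f"{path}: CSConfigFlags=0x{flags:08x} (disabled)")
        if upper.endswith(r"\SERVICES\VSMON"):
            if values.get("Start") == SERVICE_DISABLED:
                findings.append(f"{path}: Start=4 (service disabled)")
    return findings


if __name__ == "__main__":
    for finding in check_vsmon_tampering(SAMPLE_REG_EXPORT):
        print("TAMPERED:", finding)
```

On a live system the same check can be fed the output of "reg export" for the two keys, and a clean export should yield no findings.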