Trojans can block ZoneAlarm by setting a Mutex in memory
11 Jan. 2001
ZoneAlarm and ZoneAlarm Pro can be stopped from loading by creating a memory-resident Mutex (using a call to the CreateMutex API). Uninstalling/reinstalling ZoneAlarm in a different path has no effect.
The impact of this vulnerability is that a Trojan running on a victim's machine can prevent ZoneAlarm from loading, and thus leave the victim open for attack.
The information has been provided by Wayne of DiamondCS and Te Smith of Zone Labs.
Versions of ZoneAlarm prior to 2.6 on Windows 9x/ME
ZoneAlarm 2.6 and ZoneAlarm Pro 2.6
Any version of ZoneAlarm on Windows NT/2000
Zone Labs' "ZoneAlarm" and "ZoneAlarm Pro" programs both use a Mutex (an event synchronization memory object) to determine whether the firewall has already loaded, so that a second instance is not started.
By design, ZoneAlarm/ZoneAlarm Pro has no way of determining which program actually set the Mutex, so a Trojan can set the Mutex itself and block both ZoneAlarm and ZoneAlarm Pro from loading.
"it's important to point out that the report suggests a hypothetical attack that could affect users of ZoneAlarm (prior to version 2.6) only on Windows 9x and Me and only if their computer has already been infected with a malicious program.

There have been no reported incidences of this type of exploit to date.

Users of Windows NT and 2000 who regularly use their system without administrator privileges have never been at risk, because operating system security grants "debug privilege" to administrators only.

Should users be concerned about this issue?

With the release of ZoneAlarm 2.6 and ZoneAlarm Pro 2.6 in April of 2001, both products have 'hardened' security at the operating system level. This 'hardening' is achieved by loading very early in the boot process, therefore pre-empting the possibility of the exploit occurring. Additionally, both ZoneAlarm 2.6 and ZoneAlarm Pro 2.6 can recognize if any program component has been tampered with, and if so, Internet access is shut down immediately. This further fortifies the defenses that ZoneAlarm and ZoneAlarm Pro offer."
A Trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple call to the CreateMutex API (see msdn.microsoft.com for more information on Mutexes). ZoneAlarm and ZoneAlarm Pro are then prevented from loading for as long as the Trojan is alive. If ZoneAlarm is already running, the Trojan only has to terminate the zonealarm.exe, vsmon.exe and minilog.exe processes before creating the Mutex. Despite being services, vsmon.exe and minilog.exe can both be killed by any program that enables SeDebugPrivilege in its own process token, which gives it the power to kill any process or service.
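The design weakness described above (and in the "By design" paragraph earlier) is that the mutex is trusted as proof that a legitimate instance is running. The following is an added example, not ZoneAlarm code and not the fix Zone Labs shipped in 2.6: it shows a single-instance guard that cross-checks an already-existing mutex against the process list and, when no sibling process of its own is alive, treats the mutex as hijacked, proceeds to start, and raises an alert instead of silently exiting. The mutex name "ExampleSingleInstanceMutex", the image names "examplefw.exe"/"examplefw_svc.exe" and the tasklist output are constructed for the example; the only real Windows calls are CreateMutexW (ERROR_ALREADY_EXISTS = 183) and `tasklist /FO CSV /NH`. The decision logic is portable and runs anywhere; the mutex and process probing run only on Windows.

```python
"""Hardened single-instance startup check, modelled on the ZoneAlarm mutex issue.

Added example; not ZoneAlarm's code. Names marked 'constructed' are this
example's own, not values from the advisory.
"""
import csv
import io
import os
import subprocess
import sys

MUTEX_NAME = "ExampleSingleInstanceMutex"            # constructed name
EXPECTED_IMAGES = {"examplefw.exe", "examplefw_svc.exe"}  # constructed names
ERROR_ALREADY_EXISTS = 183                           # real Win32 error code

# Constructed sample of `tasklist /FO CSV /NH` output, used for the offline test.
SAMPLE_TASKLIST = (
    '"System Idle Process","0","Console","0","16 K"\n'
    '"examplefw.exe","1234","Console","0","3,456 K"\n'
    '"examplefw_svc.exe","1300","Console","0","2,100 K"\n'
    '"notepad.exe","2048","Console","0","1,024 K"\n'
)


def parse_tasklist(csv_text, exclude_pid=None):
    """Parse tasklist CSV rows into a set of lower-cased image names.

    `exclude_pid` drops the caller's own row so a process never counts
    itself as the 'other' running instance.
    """
    names = set()
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or not row[0].strip():
            continue
        if exclude_pid is not None and row[1].strip() == str(exclude_pid):
            continue
        names.add(row[0].strip().lower())
    return names


def decide_startup(mutex_already_existed, other_images, expected=EXPECTED_IMAGES):
    """Return the action a single-instance guard should take.

    The weak design trusts the mutex alone: if it exists, exit.  This policy
    cross-checks it against the process list:
      'start'           - mutex was free; normal first start
      'already-running' - mutex held and one of our own images is alive
      'start-and-alert' - mutex held but none of our images is alive, so some
                          other program owns the name; do not let it veto
                          startup, and report possible tampering
    """
    if not mutex_already_existed:
        return "start"
    if expected & other_images:
        return "already-running"
    return "start-and-alert"


def acquire_instance_lock(name=MUTEX_NAME):
    """Create or open the named mutex; True if it already existed. Windows only."""
    import ctypes
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.CreateMutexW.restype = ctypes.c_void_p
    kernel32.CreateMutexW.argtypes = [ctypes.c_void_p, ctypes.c_int, ctypes.c_wchar_p]
    handle = kernel32.CreateMutexW(None, False, name)
    if not handle:
        raise OSError(ctypes.get_last_error(), "CreateMutexW failed")
    acquire_instance_lock.handle = handle   # keep it open for the process lifetime
    return ctypes.get_last_error() == ERROR_ALREADY_EXISTS


def other_running_images():
    """Image names of every other process, from tasklist. Windows only."""
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True, check=True).stdout
    return parse_tasklist(out, exclude_pid=os.getpid())


def main():
    if sys.platform != "win32":
        print("named mutexes are a Windows facility; showing the offline decision only")
        print(decide_startup(True, parse_tasklist(SAMPLE_TASKLIST, exclude_pid=1234)))
        return
    action = decide_startup(acquire_instance_lock(), other_running_images())
    print(action)
    if action == "start-and-alert":
        print(f"warning: '{MUTEX_NAME}' is held but no expected process is running; "
              "possible mutex hijack, starting anyway")


if __name__ == "__main__":
    main()
```

The process-list check narrows the attack but does not close it: a program that names its own image after the firewall, or that holds SeDebugPrivilege and kills the firewall first, still defeats it, which is why the vendor's answer in 2.6 was loading earlier in boot and detecting component tampering rather than trusting the mutex at all.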
A harmless, simple, working executable that demonstrates the vulnerability is available at: http://www.diamondcs.com.au/alerts/zonemutx.exe (16kb).
While the demo program is running, you will not be able to load ZoneAlarm or ZoneAlarm Pro, and if it finds that ZoneAlarm/ZoneAlarm Pro is running, it will first terminate the ZoneAlarm processes and services using SeDebugPrivilege before taking over the ZoneAlarm Mutex. The demo also opens an echo server socket listening on TCP port 7, so you can test socket connectivity and data transfer (try telnetting to 127.0.0.1 on port 7 and saying hello).
This patch (zamutex.exe) re-hashes the Zone Alarm Mutex in both ZoneAlarm and ZoneAlarm Pro. It is a temporary "band-aid" patch, and as such it is not bulletproof and could be undone. However, it still greatly improves the local security of ZoneAlarm in this situation: its Mutex (as demonstrated by zonemutx.exe) can no longer be conventionally hijacked. Only Zone Labs can implement the real solution to this problem.
To apply the patch:
Download and run zamutex.exe (and, needless to say, make sure you properly shut down ZoneAlarm before running the patch). It will ask you where the ZoneAlarm.exe/ZAPro.exe file you want to patch is located. Select the file, press OK, and the program will do the rest by safely patching that file and its accompanying zoneband.dll file.
As with all patches, it is recommended that you make a backup of the files (zoneband.dll and zonealarm.exe/zapro.exe) before applying the patch.
Upgrade your ZoneAlarm. Both ZoneAlarm 2.6 and ZoneAlarm Pro 2.6 are available at www.zonelabs.com.