Lucene search
K
Database
Vendors
Products
Years
CVSS
Scanner
Agent Scanning
API Scanning
Manual Audit
Perimeter Scanner
Scanning
Projects
Email
Webhook
Plugins
Resources
Documents
Blog
Glossary
FAQ
Pricing
Contacts
About Us
Partners
Branding Guideline
securityvulnsSecurityvulnsSECURITYVULNS:DOC:4956
HistoryAug 06, 2003 - 12:00 a.m.

[sec-labs] Zone Alarm Device Driver vulnerability

2003-08-0600:00:00
vulners.com
9
JSON
 sec-labs team proudly presents:

 Local ZoneAlarm Firewall (probably all versions - tested on v3.1)
 Device Driver vulnerability.
 by Lord YuP
 04/08/2003

I. BACKGROUND

ZoneAlarm is a very powerful and very common nowadays firewall for
Windows produced by Zone Labs. (http://www.zonelabs.com)

II. DESCRIPTION

The driver installed with ZoneAlarm is vulnerable, and can be
exploited in cause of that attacker can gain full system control
(ring0 privileges).

By sending properly formatted message to the ZoneAlarm Device
Driver (VSDATANT - TrueVector Device Driver) you can cause an
device driver memory overwrite.

Overview, sending faked buffors with specific singal can cause
a miscellaneous code execution:

First signal should be send to overwrite specific memory location,
in the current case it can be one of the case-if-statement.

 push 0                                     ;overlapped
 push offset bytes_returned                 ;bytes returned
 push 4                                     ;lpOutBuffer size
 push STATMENT_INSTRUCTION_POINTER          ;memory to overwrite
 push 0                                     ;lpInBuffer size
 push 0                                     ;lpInBuffer
 push 8400000fh                             ;guess what X-D
 push vsdatant_handle                       ;device handle
 call DeviceIoControl                       ;send it!

If the correct STATMENT_INSTRUCTION_POINTER will be put the address
should be overwritten to 00060001h (example). After memory
allocation at this address (inserting shellcode bla bla bla), the
second signal must be send to jump into inserted code. That can
be done with sending another signal:

 LpInBuffer: 
 db STATMENT_OVERWRITTEN_NUMBER                     ;where to jump
 db 7 dup (0)                                       ;data?
 dd temp_buff                                       ;temp buffer
 db 10 dup (0)                                      ;some space

This one should be send with another dwIoControl code, however we
are no longer publishing any exploits, even PoC (die kiddies)

After sending second faked message, device driver will jump
to the STATEMENT offset which was overwritten by first "signal"

III. IMPACT

The after sucessfull exploitation, attacker can obtain FULL SYSTEM
CONTROL! In the worse for attacker option, OS can fault!

IV. REFERENCE - DEVICE DRIVER ATTACKS

The white paper about Device Drivers Attacks can be found at
http://sec-labs.hack.pl the papers section.


sec-labs team [http://sec-labs.hack.pl]

JSON