RE: Unsecure file permission of ZoneAlarm pro.

To: bugtraq@xxxxxxxxxxxxxxxxx, visitbipin@xxxxxxxxxxx
Subject: RE: Unsecure file permission of ZoneAlarm pro.
From: Simon Zuckerbraun <szucker@xxxxxxxxxxxx>
Date: Sun, 22 Aug 2004 02:06:15 -0500
List-help: <mailto:bugtraq-help@securityfocus.com>
List-id: <bugtraq.list-id.securityfocus.com>
List-post: <mailto:bugtraq@securityfocus.com>
List-subscribe: <mailto:bugtraq-subscribe@securityfocus.com>
List-unsubscribe: <mailto:bugtraq-unsubscribe@securityfocus.com>
Mailing-list: contact bugtraq-help@xxxxxxxxxxxxxxxxx; run by ezmlm
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.7.1) Gecko/20040707

Bipin, what you're bringing up is a very interesting point.

It turns out that, despite the lax NTFS permissions, thesafePrograms.xml file is apparantly quite well protected from tampering.The TrueVector driver, which runs kernel-mode, holds a lock on the filethat prevents any other process from modifying it. My observation isbased on ZoneAlarm with AntiVirus 5.1.011.000.

That said, I think that the fundamental question here is stillunanswered. Since you can alter firewall settings via the user-modeZoneAlarm client, there must exist a communication channel that theZoneAlarm client uses to issue commands to the TrueVector driver. Unlessthis channel is properly protected, malware can issue configurationcommands to TrueVector through this same channel.


So my questions are:

* How does the ZoneAlarm client communicate with the TrueVector firewalldriver?* What prevents malware from pretending to be the ZoneAlarm client andissuing arbitrary commands to the firewall driver?* Does the password-protect feature of the ZoneAlarm client haveanything to do with the security on this communications channel?

My guess is that the ZoneLabs people have done their homework and thatall is well. But these are important questions to investigate.


Simon



-----Original Message-----
From: Bipin Gautam [mailto:visitbipin@xxxxxxxxxxx]
Sent: Thursday, August 19, 2004 9:52 PM
To: bugtraq@xxxxxxxxxxxxxxxxx
Subject: Unsecure file permission of ZoneAlarm pro.




Hello list,

Zone Alarm stores its config. files in %windir%\Internet Logs\* . Butstrangely,

ZoneAlarm sets the folder/file permission (NTFS) of %windir%\InternetLogs\* to,


EVERYONE: Full

after its first started.

Even If you try to change the permission to...

Administrator (s): full
system: full
users: read and execute
[these are the default permissions]

Strangely, the permission again changes back to... EVERYONE: Full each time

ZoneAlarm Pro (ZAP) is started. I've tested these in zap 4.x and 5.x

        This could prove harmful if we have a malicious program/user running 
with

even with a user privilege on the system.

Well a malicious program could modify those config file in a way ZAPwill stop


functioning. This is what ZoneLabs had to say...

---snip-------
>anyone could open any ZoneAlarm file
> (assuming it isn't locked), edit it with a hexeditor and
> cause it to stop functioning. This type of modification
> wouldn't be classified as an attack, as you have simply
> modified the file and caused it to not function as expected.
> This is true of any executable or other binary.
>
---/snip-------

yap, true... but shouldn’t ZAP have some protection against suchattacks? instead

of leaving the permission to " EVERYONE: Full " I wonder if a programcould bypass


ZAP filters using "safePrograms*.xml" [...experimenting]

anyone wanna take this thing to a new level, please go on...

Regards,

Bipin Gautam
http://www.geocities.com/visitbipin/

Prev by Date: RE: IE, Firefox, Opera DoS (*not* a DoS, not even close)
Next by Date: RE: First vulnerabilities in the SP2 - XP ?...
Previous by thread: Re: Unsecure file permission of ZoneAlarm pro.
Next by thread: What A Drag II XP SP2
Index(es):
- Date
- Thread