
Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarm



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Severity: 
Low
 
Impact: 
Local escalation of privileges
 
Remotely exploitable:
No
 
Affected software: 
ZoneAlarm and its variations (6.x confirmed, other versions may be susceptible)
Integrity (specific versions affected not yet determined)
 
Description:
A local escalation of privileges issue in ZoneAlarm products does exist.
 
The TrueVector service (VSMON.exe), which runs under the local SYSTEM account,
loads several DLLs (Dynamic-Link Libraries) as part of its startup process,
which by default happens automatically when a user starts Windows.
In some cases, DLLs may not be present in a given installation but will be
searched for anyway.
If a DLL matching one of those names appears in the set of directories
searched, it may be loaded with the same privileges as the TrueVector service
(SYSTEM level account).
Internal testing of the issue is still ongoing, and additional symptoms may be
undiscovered at this stage.
   
How an attacker may exploit this:
An attacker who succeeds in placing a malicious DLL in a folder that appears in
the PATH before the ZoneAlarm folder might run the malicious DLL under the
SYSTEM local account privileges.
Any software program that runs with SYSTEM privileges and dynamically loads
DLLs from the PATH could be subjected to a similar issue.
 
Mitigating factors:
An attacker must first place, or convince the user to place, a malicious DLL in
a folder that appears in the path before the ZoneAlarm folder.
For this to be accomplished, the machine would already be compromised through
another hacking method, either Trojan-like malware or social engineering.
 
Patch Release:
This issue has been given a high priority and a fix is currently under
development.
As soon as it is finished and tested, it will be released through a special
product update.
 
We encourage security researchers and users to report security related issues 
to security@xxxxxxxxxxxxx
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.2 (MingW32) - WinPT 0.11.8

iD8DBQFEELoCUPFfDYizeYsRAo4xAJ9h5TvAo398UE8B8CQJYFwL8K16pwCeKE1I
Rx18vVgdWbGMh+KXxE1OIqQ=
=EaU6
-----END PGP SIGNATURE-----
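
An audit sketch for the condition described in the statement, added here as an example and not part of the vendor's message or product: it lists the PATH folders searched before a service's own folder and reports files in them matching a watch list. The DLL name and folder layout are constructed placeholders, since the statement names no files.

```python
import os
import tempfile


def _clean(entry):
    # PATH entries may carry surrounding whitespace or quotes.
    return entry.strip().strip('"')


def _norm(path):
    return os.path.normcase(os.path.normpath(_clean(path)))


def audit_search_path(path_value, service_dir, dll_names, sep=os.pathsep):
    """Return (dirs searched before service_dir, matching files found in them).

    If service_dir is not on the PATH at all, every entry counts as earlier.
    """
    target = _norm(service_dir)
    wanted = {name.lower() for name in dll_names}
    earlier, hits = [], []
    for raw in path_value.split(sep):
        entry = _clean(raw)
        if not entry:
            continue
        if _norm(entry) == target:
            break
        earlier.append(entry)
        if os.path.isdir(entry):
            hits += [os.path.join(entry, f) for f in sorted(os.listdir(entry))
                     if f.lower() in wanted]
    return earlier, hits


def demo():
    # Constructed layout: "tools" precedes the service folder, "later" follows it.
    with tempfile.TemporaryDirectory() as root:
        tools, service, later = (os.path.join(root, d)
                                 for d in ("tools", "service", "later"))
        for d in (tools, service, later):
            os.mkdir(d)
        for d in (tools, later):
            open(os.path.join(d, "example_missing.dll"), "w").close()
        path_value = os.pathsep.join([tools, service, later])
        earlier, hits = audit_search_path(path_value, service,
                                          ["EXAMPLE_MISSING.DLL"])
        return len(earlier), [os.path.relpath(h, root) for h in hits]


if __name__ == "__main__":
    print(demo())
```

On a real host, pass `os.environ["PATH"]`, the service's install folder, and the DLL names the service is observed to search for. A reported file is a lead to verify, not proof of tampering.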