

SalaTar
12-30-2000, 08:27 AM
Diamond Computer Systems Security Advisory http://www.diamondcs.com.au/alerts/zonedown.txt
VULNERABILITY:
ZoneAlarm and ZoneAlarm Pro can be taken down with a tiny batch file.

SEVERITY:
Low-Medium, but as Zone Labs will not be fixing the problem it could be
considered Medium-High.

AFFECTED SOFTWARE:
"Zone Alarm" and "Zone Alarm Pro" (Zone Labs Inc. - http://www.zonelabs.com),
possibly all versions.

REMOTE EXPLOIT:
No.

RELEASE DATE:
Friday Dec 29, 2000

VENDOR NOTIFIED:
Zone Labs Inc. were notified on Wednesday Dec 27, 2000, but as Zone Labs
have given a final response to this particular vulnerability, it can now be
disclosed to the public.

---

DESCRIPTION:
ZoneAlarm and ZoneAlarm Pro, like all good multi-filed programs, supports an
Uninstall feature. The Uninstall routine executes zonealarm.exe (or
zapro.exe in the Pro version), vsmon.exe, and minilog.exe, passing special
uninstall and unload parameters to each program. By doing this, ZoneAlarm
shuts down its user interface and services.

THE PROBLEM:
By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH program
is calling it to unload, thus allowing a trojan to execute the ZoneAlarm
programs in the same way to shut down the firewall.

THE EXPLOIT:
A very trivial exploit - all a trojan has to do is look in
HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory to locate
ZoneAlarm.exe (as just one of many ways to locate ZoneAlarm), then locate
the Windows System32 directory before executing zonealarm.exe, vsmon.exe and
minilog.exe, passing each one the uninstall and unload parameters as
specified in ZoneAlarm's Manual Uninstall.

ZONE LABS RESPONSE:
From Conrad Hermann, VP of Engineering at Zone Labs:
"...Of course, you are intended to be able to uninstall ZoneAlarm--as I'm
sure you can tell, this is a very important thing to be able to do, since it
is an introductory product for new users. In testing ZoneAlarm Pro, it seems
you did not set a password, or else you would have reported that the
password would be required to shut down using VSMON -unload. Without the
password, vsmon -unload doesn't disable security."

In other words, if you get the buy-before-you-try version of ZA (ZoneAlarm
Pro) AND you set passwords, you won't be vulnerable. As a matter of
convenience, the majority of ZoneAlarm Pro users would _NOT_ use passwords -
and by default there is no need for them to do so. It appears those who
don't set passwords and regular ZoneAlarm users are left out in the cold
with this one.

DEMONSTRATION:
Running this batch file will shut-down your ZoneAlarm\ZoneAlarm Pro
firewall. The batch file assumes that you have installed ZoneAlarm\ZoneAlarm
Pro into their default directory locations. Needless to say, this isn't a
very efficient way of using the exploit, and a trojan would be a lot smarter
in determining the locations of the four ZA executables, but this batch file
demonstrates the simplicity of the vulnerability.

---File begins: ZONEDOWN.BAT ---
@echo off
@echo Shutting down ZoneAlarm and ZoneAlarm Pro, one moment...
rem User-interface executables at their default install paths (8.3 short names)
c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload
c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload
rem Service executables; tried under both the Win9x (system) and NT (system32) locations
%windir%\system\zonelabs\vsmon.exe -unload -uninstall
%windir%\system\zonelabs\minilog.exe -unload -uninstall
%windir%\system32\zonelabs\vsmon.exe -unload -uninstall
%windir%\system32\zonelabs\minilog.exe -unload -uninstall
@echo Finished
@echo on
---File ends---


--
DiamondCS would like to thank Steve Gibson of grc.com for his mutual
assistance to both DiamondCS and Zone Labs.

Publishing of this document is permitted providing the text is published in
its entirety and with no modifications.

Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. http://www.diamondcs.com.au - http://www.diamondcslabs.com


Diamond Computer Systems Security Advisory http://www.diamondcs.com.au/alerts/zonemutx.txt
VULNERABILITY:
ZoneAlarm and ZoneAlarm Pro can be stopped from loading by creating a
memory-resident Mutex (one call to the CreateMutex API).
Uninstalling\reinstalling ZoneAlarm in a different path has no effect.

SEVERITY:
Low-Medium, but as Zone Labs will not be fixing the problem it could be
considered Medium-High.

AFFECTED SOFTWARE:
"Zone Alarm" and "Zone Alarm Pro" (Zone Labs Inc. - http://www.zonelabs.com),
possibly all versions.

REMOTE EXPLOIT:
No.

RELEASE DATE:
Friday Dec 29, 2000

VENDOR NOTIFIED:
Zone Labs Inc. were notified 12th of October, 2000

---

DESCRIPTION:
Zone Labs "ZoneAlarm" and "ZoneAlarm Pro" programs both use a Mutex - an
event synchronisation memory object - to determine whether the firewall has already loaded
(to prevent loading a second instance of the firewall).

THE PROBLEM:
By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH program
actually set the Mutex, thus allowing a trojan to use the Mutex and block
both ZoneAlarm and ZoneAlarm Pro from loading.

THE EXPLOIT:
A trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple call
to the CreateMutex API (see msdn.microsoft.com for more information on
Mutexes). ZoneAlarm\ZoneAlarm Pro are then prevented from loading while
the trojan is alive. If ZoneAlarm is running, all the trojan has to do is
terminate the processes of zonealarm.exe, vsmon.exe and minilog.exe first
before creating the Mutex. Despite being services, vsmon.exe and minilog.exe
can both be killed by any program by setting its local process token
privileges to SeDebugPrivilege, giving it the power to kill any
process/service.

SOLUTION:
We offered suggestions to Zone Labs Inc. in October/November, including
encryption/hashing of the Mutex, but all were dismissed, and none have been
implemented.

ZONE LABS RESPONSE:
From Conrad Hermann, VP of Engineering at Zone Labs, in regards to
encrypting the mutex:
"... the solution you propose is one of "security through obscurity", which
isn't really good enough for us--mainly because it means it will eventually
need to be re-implemented to be truly secure. It would not be impossible to
discover the same base information, re-implement the same encryption
algorithm, and use the same key we use to encrypt/hash the data--this is
precisely the methodology that most software crackers use, and most software
that anyone cares to crack has been cracked."

In other words, encryption isn't good enough for Zone Labs, so they have
opted to use plain-text. Despite exhaustive correspondence to Zone Labs
between DiamondCS and Steve Gibson / GRC, they have expressed no desire in
fixing the vulnerability. Because of this, trojan authors are now free to
exploit it, knowing that the vendor will not be fixing the problem. This
alone escalates the magnitude of the problem.

DEMONSTRATION:
We have created a harmless, simple, working executable to demonstrate the
vulnerability, available at http://www.diamondcs.com.au/alerts/zonemutx.exe
(16kb).
While the demo program is running, you will not be able to load ZoneAlarm or
ZoneAlarm Pro, and if it finds that ZoneAlarm\ZoneAlarm Pro is running, it
will terminate the ZoneAlarm processes and services first using
SeDebugPrivilege before stealing the ZoneAlarm Mutex. The demo also opens an
echo server socket to listen on TCP 7, allowing you to test socket
connectivity/data transfer (try telnetting to 127.0.0.1 on port 7 and saying
hello).


--
DiamondCS would like to thank Steve Gibson of grc.com for his mutual
assistance to both DiamondCS and Zone Labs.

Publishing of this document is permitted providing the text is published in
its entirety and with no modifications.

Copyright (C) 2000, Diamond Computer Systems Pty. Ltd. http://www.diamondcs.com.au - http://www.diamondcslabs.com
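A defender-side check for the two conditions both advisories describe (ZoneAlarm processes unloaded, and the single-instance mutex held by something that is not ZoneAlarm), written here as an added example: it is not DiamondCS's demo code and not anything from Zone Labs. It takes the process names, the registry value HKLM\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory and the mutex name "Zone Alarm Mutex" exactly as the advisories give them; the Global\ prefixed lookup and the use of .NET's Mutex.OpenExisting are my own assumptions and would need checking against the actual product and Windows version.

```powershell
# Added example, not part of the DiamondCS advisories or of ZoneAlarm.
# Reports, from the defender's side, the state a "zonedown"/"zonemutx"-style
# trojan leaves behind:
#   1. which of the ZoneAlarm processes named in the advisory are still running;
#   2. whether "Zone Alarm Mutex" is held even though no ZoneAlarm process
#      is alive, i.e. something else is squatting on it.
# Assumptions: names come from the advisory text; the Global\ variant is an
# assumption for later, session-aware Windows versions.

function Get-ZoneAlarmInstallDirectory {
    # The same registry value the advisory says a trojan would read.
    $key = 'HKLM:\SOFTWARE\Zone Labs\ZoneAlarm'
    try { (Get-ItemProperty -Path $key -ErrorAction Stop).InstallDirectory }
    catch { $null }
}

function Test-NamedMutexExists {
    param([string]$Name)
    # OpenExisting succeeds only if some process has already created the mutex.
    try {
        $m = [System.Threading.Mutex]::OpenExisting($Name)
        $m.Dispose()
        return $true
    }
    catch [System.Threading.WaitHandleCannotBeOpenedException] {
        return $false
    }
    catch [System.UnauthorizedAccessException] {
        # It exists but we lack rights to open it: still held by someone.
        return $true
    }
}

function Get-ZoneAlarmState {
    # Process names from the advisory (zoneal~1.exe is zonealarm.exe).
    $procNames = 'zonealarm', 'zapro', 'vsmon', 'minilog'
    $running = @(Get-Process -Name $procNames -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty ProcessName -Unique)

    $mutexHeld = (Test-NamedMutexExists 'Zone Alarm Mutex') -or
                 (Test-NamedMutexExists 'Global\Zone Alarm Mutex')

    $verdict = if (($running -contains 'vsmon') -and $mutexHeld) { 'ok' }
               elseif ($mutexHeld) { 'mutex held but no ZoneAlarm process: possible squatter' }
               elseif ($running.Count -gt 0) { 'ZoneAlarm processes present but mutex missing' }
               else { 'ZoneAlarm not running' }

    [pscustomobject]@{
        InstallDirectory = Get-ZoneAlarmInstallDirectory
        RunningProcesses = $running
        MutexHeld        = $mutexHeld
        Verdict          = $verdict
    }
}

Get-ZoneAlarmState | Format-List
```

Two caveats the advisories themselves imply: a process name is not proof of identity (a trojan can call itself vsmon.exe just as easily as it can create the mutex), and a trojan that has taken SeDebugPrivilege to kill vsmon.exe can kill this script as well, so the check is only useful when run from somewhere the trojan does not control, or as a periodic scheduled task whose silence is itself the alert.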

randy48
12-30-2000, 08:55 AM
It sounds like they don't really care much! They're giving it away (standard version) so why fix it :( I'm sure they will patch the PRO version though!

socalgal
12-30-2000, 09:44 AM
Thank you for the heads up, Sal! Very interesting, indeed.

Looks like the moral of this story is: SET YOUR PASSWORDS.

I'm wondering if the activated trojan would cause the normally generated service errors in a running ZA/Pro to pop up when the services are killed, thus giving an indication of a problem, or is this somehow bypassed. Maybe running the demo will tell.

socalgal
12-30-2000, 02:46 PM
This needs to be seen by all ZA users. Up we go.

oksenior
12-30-2000, 04:12 PM
thanx Sala Tar

Its folks like you that make this group great.

I'm not dissing out great moderators

oksr

RobRich
12-30-2000, 04:24 PM
And people keep asking why I recommended Sygate over ZA in my recent review. However, as with any product, each have their strengths and weaknesses.

On a similar note, the guys over at TinySoftware recently notified me that Tiny Personal Firewall 2.0 Beta is ready for immediate download. I have not tested this package yet, so use at your own risk.

http://209.207.216.178/ftp/pf/pf2.exe

Later,
Robert Richmond

pickel
12-30-2000, 05:29 PM
Tell me if I'm wrong (which has been more than once on occasion). Since the uninstall feature seems to be the problem, how can this
"batch file" uninstall Zone Alarm if the uninstall is deleted from the Zone Alarm folder??? I just zipped the "Uninstall" over to a Zip disk if I needed to remove this program in the future and sent it to the recycle bin where Norton removed it from my computer. Did I miss anything here?????
PS: Went to Start menu, Zone Alarm, uninstall
Zone Alarm....windows could not find the shortcut since it was removed. How could some batch file find something that's no longer there

randy48
12-30-2000, 05:32 PM
Pickel, it sounds like you just came up with the perfect fix for ZA :) Unless the script kiddies add the "uninstall" to their batch file :(

SalaTar
12-30-2000, 05:43 PM
Rob,
I used to run Sygate till I found Tiny :)
I run WinRoute Pro 4, and on clients I now run Tiny's Personal Firewall as Sygate failed Steve Gibson's new nano probe.
I like the beta..just toss the set rules and set it up right

SalaTar
12-30-2000, 05:54 PM
OH BTW,
the new scuttlebutt, ALL software firewalls are now being thought susceptible to this exploit.

BFlurie
12-30-2000, 06:56 PM
I'm not sure how that could work -- thru Javascript or VBscript? Nominal Internet security will always ask "Do you want to open this file or save it............" when presented with an .exe, .bat, .com, etc., type file. If so, just don't ever open any files from the Internet that way. Am I missing something?

[This message has been edited by BFlurie (edited 12-30-2000).]

smokin1
12-30-2000, 11:41 PM
Hmmm...an exploit I guess..but an INTERNAL one..ZA works on Internet connections allow/disallow incoming and outgoing...ZA doesn't stop me from playing Q3 LOCALLY..and neither will it prevent you from running an executable file on your machine..even if it shuts ZA down..ZA lets me turn it off any time I want..now..if that batch could be executed from outside..I would be moderately concerned...bottom line..know what you're running when you click on an exe file..
;)

socalgal
12-30-2000, 11:53 PM
Right, smokin, the report says it's not a remote exploit. The trojan must be planted first before it can be executed and cause the exploit.

If the trojan isn't there to begin with...

What gets me is they've known about this for almost 3 months, perhaps longer, and it's just coming out now.

[This message has been edited by socalgal (edited 12-31-2000).]

cammobus
01-04-2001, 09:30 AM
i might be missing something here ..... but any attachments (and zap scans them all) .exe .vbs ..... etc are locked down by zap and will not open until i go through 2 boxes asking if it is ok ........

Fingers
01-04-2001, 01:57 PM
I think this is basically a non-issue.

1) If your firewall is working, and you are using good antivirus software, and you are practicing "safe computing", how is that trojan going to get into your system?
2) The best firewall available isn't worth a **** if you've already got trojans on you system... right?
3) This issue seem to target ZoneAlarm, but couldn't the exact same type of trojan be use to un-install any program, including anti-virus software?
4) That little green and red icon in my taskbar is pretty obvious, I'd notice its absence in a heartbeat if ZoneAlarm wasn't running.

Like socalgal said, "If the trojan isn't there to begin with..."

shadow
01-04-2001, 05:05 PM
So true fingers...I would miss the icon, its being gone would be very obvious.
I liked pickel's idea...but instead of deleting the uninstall, which I cannot bring myself to do, how about renaming it...that way who and what batch file could ever guess what it's called....sort of like a passworded uninstall program.
Oh I re-read pickel's post...you saved it elsewhere...that'll do it too ;)

I simply like ZA too much and it is too highly rated to do without anymore. It will stay and I will keep my wits about me on here (I dont run an anti-virus...slows me down). I check in on PC-Cillin's house call site now & then to get a checkup. Someone will always find a way to beat any system, it's human nature.

[This message has been edited by shadow (edited 01-04-2001).]

TOAD6147
09-21-2001, 05:08 PM
Here's some info from Steve Gibson (http://grc.com/lt/howtouse.htm) I thought might be interesting:
As you have seen, the Symantec/Norton firewalls stand out due to their indefensible and incredibly insecure default "Automatic Rule Creation" feature. Other firewalls stand out due to their poor network-level design that renders them trivial to circumvent. And other firewalls such as BlackICE Defender, Conseal PC Firewall, and Lockdown 2000 were not even mentioned here because they offer NO PROTECTION and control against the very real threat represented by outbound Trojan, virus, and spyware communications. (LeakTest (http://grc.com/files/LeakTest.exe) merrily communicates out through these firewalls without any trouble.)

RobRich
09-21-2001, 05:14 PM
Good info, but ya' just resurrected a thread from nearly nine months ago.........

club_med
09-21-2001, 06:25 PM
what passwords ?

TOAD6147
09-21-2001, 06:30 PM
Rob,
Actually it was SoCal that "resurrected" it in another thread
HERE (http://www.sysopt.com/forum/showthread.php?s=&postid=504443&t=8647#post504443) but then, so what? What's your point? It's still relevant info and part and parcel of an on-going discussion and a thread that I and probably a lot of others hadn't seen. As a matter of fact, has ZA done this encryption fix talked about in the other thread?

socalgal
09-21-2001, 06:33 PM
Club Med - the password you enter to 'log in' to ZA to configure and allow / disallow app connection ( I think it's with the ZA Pro only, not sure)

Rob, I posted a link to this thread in the off-chance it might be related to an issue that bobcat is having with ZA in this thread (http://www.sysopt.com/forum/showthread.php?s=&threadid=83762)

I don't know if it even applies, but I remembered this ZA issue and figured, wth... ;)

^hyd^
09-21-2001, 06:47 PM
hhmm, currently my firewall is "turning off my computer when I'm not on it!" :rolleyes: and also, my modem sits right next to me, so if it's a flashin away and shouldn't be, then I know somethings up! Luckily so far I have never had a problem by not having a firewall (I'll keep my fingers crossed!!), but when I can afford it I think I'll try to go with a hardware version. The less apps running, the better my piddly little 500 will run!! :p


oh, and TOAD6147, sweet avatar!!! :D

bhess
09-21-2001, 07:23 PM
You guys got me scared for a min there. Yes, this doesn't seem too important. Most people that even know about ZA or any firewall know enough not to open any unknown email files.

RobRich
09-21-2001, 08:08 PM
Wasn't being offensive, nor trying to prove any point. Just didn't know if ya' knew the original date on this thread (maybe a search or something)..... has happened before, even by me. :)

The info is still good, and I agree with bhess that most of us would likely never open an untrusted email anyway.

ZoneLab's did fix application tracking by adding MD5, plus finally got around to fixing most of the ICMP blocking issues. ZA, however, is still easily hackable without a trojan or a script. NMAP scanning during the system boot process for those with a permanent net connection provides interesting results. ;)

Robert Richmond

socalgal
09-22-2001, 02:44 AM
Thanks for clarifying the vulnerability issue, Rob. :)

One question though, re the NMAP scans: What is your opinion of the level of compromise, or possibly of being hacked, if same permanent 'net connection is accessed via a NAT hardwall? I would think the router would render this possibility moot, no?

Thanks

RobRich
09-22-2001, 04:06 AM
Yes, a NAT firewall should protect the system, as the attack would have to bypass the NAT filter before reaching ZA. However, NAT is hackable, though trying to coordinate a combined NAT and ZA attack upon a system while booting would be nearly impossible without some form of advanced scripting, and then it would be hit or miss because of latency and a ton of other network issues.

The situation I'm referencing above would be for a direct connection.

Robert Richmond

socalgal
09-22-2001, 11:22 AM
Thanks again, Rob! :)

club_med
09-22-2001, 12:04 PM
I dont have ZA-Pro, am I screwed ?

strangerstill
09-22-2001, 12:45 PM
Nah. You're only screwed if you look in the system tray and DON'T see the ZA icon

club_med
09-22-2001, 01:13 PM
hehe ok thanks

TOAD6147
09-22-2001, 03:16 PM
I dont have ZA-Pro, am I screwed ?
The assurance by strangerstill that you aren't until you don't see it active in the systray is of course too late by that time. Here is what the Zone Labs engineer had to say about the exploit and the difference between ZA and ZA Pro:
ZONE LABS RESPONSE:
From Conrad Hermann, VP of Engineering at Zone Labs:
"...Of course, you are intended to be able to uninstall ZoneAlarm--as I'm
sure you can tell, this is a very important thing to be able to do, since it
is an introductory product for new users. In testing ZoneAlarm Pro, it seems
you did not set a password, or else you would have reported that the
password would be required to shut down using VSMON -unload. Without the
password, vsmon -unload doesn't disable security."

In other words, if you get the buy-before-you-try version of ZA (ZoneAlarm
Pro) AND you set passwords, you won't be vulnerable. As a matter of
convenience, the majority of ZoneAlarm Pro users would _NOT_ use passwords -
and by default there is no need for them to do so.

club_med
09-22-2001, 03:27 PM
Thanks for the info Toad6147