ICEBREAKER101010
Posted March 9, 2010

Hi,

During my (in)security research, I've discovered what appears initially to be a design oversight and not necessarily a vulnerability, affecting ZoneAlarm and various other security vendors. I've tested this on various XP platforms successfully; please feel free to notify the vendor as you wish and/or to publish whatever you feel appropriate under the circumstances.

NOTE:
Certain vendors (including ZoneAlarm) implement self-defence/self-protection measures (see below for clarification), so as to prevent inadvertent and malicious tampering with their software, and ultimately circumventing their security controls. This extends to certain administrative privileges.

The following illustrates how one can easily disable ZoneAlarm's security for whatever malevolent purposes. This "vector", so to speak, is merely "abusing" a particular branch of the Windows registry, by registering this security service as disabled. When "exploiting" this "vector" (administrative privileges are assumed, see below for clarification) and the system is rebooted, this security service will be disarmed. That said, this particular "vector" opens the door for "exploitation" via social means, thus unwitting victims may not even realise that their security has been disabled, leaving them exposed and unprotected.

Step-by-step illustration

How to easily circumvent ZoneAlarm's security, by disabling ZoneAlarm's service (vsmon.exe) aka "TrueVector Internet Monitor". ZoneAlarm doesn't protect this option, thus this is a good starting point for now.

i.e.

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000]
"CSConfigFlags"=dword:00000001

NOTE:
The next step is not required, especially seeing as ZoneAlarm's service (vsmon.exe) was disabled in the previous step. However, should you also wish to reconfigure ZoneAlarm's services, especially seeing as they are now unprotected, to start manually or even disable completely;

i.e.

Command Prompt
C:\> sc config vsmon start= disabled

The following helps to clarify the misconceptions and assumptions around security software, especially in the context of administrator privileges. The following project from 'Matousec' examines security software for Windows OS that implements an application-based security model.

Introduction:
Introduction - www.matousec.com
http://www.matousec.com/projects/proactive-security-challenge/level.php?num=1#tests

Methodology and rules:
Self-defense test: This category of tests includes various attacks against the security product itself. Termination tests are the first subtype of tests that belongs in this category. These tests attempt to terminate or somehow damage processes, or their parts, of the tested product. The termination test usually succeeds if at least one of the target processes, or at least one of their parts, was terminated or damaged. Besides processes and threads, the security software usually relies on various files and registry entries. Tests that attempt to remove, destroy or corrupt these critical objects for the security product also belong to this category.

Administrator's or limited account:
Frequently asked questions - www.matousec.comministrators-limited-account

Cheers
Andrew Barkley
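The post relies on a detail worth being able to check for yourself: a service can be switched off for the current hardware profile through the CSConfigFlags value under HKEY_CURRENT_CONFIG (bit 0x1, CSCONFIGFLAG_DISABLED), while its normal Start value under HKLM\SYSTEM\CurrentControlSet\Services still reads Automatic, so tools that only look at the Services key or at `sc qc` see nothing wrong. The PowerShell below is an added example, not code from the original post or from ZoneAlarm or Matousec. It audits every LEGACY_* node in the current hardware profile, flags the ones disabled by CSConfigFlags, and shows the Start type recorded for the same service so the two can be compared. It assumes an elevated PowerShell session on Windows and only reads the registry; the function name Get-LegacyServiceProfileState is chosen for this example.

```powershell
# Added example: find legacy services disabled through the hardware-profile
# CSConfigFlags bit (the tweak the post applies to vsmon) and compare that with
# the Start type recorded under HKLM\SYSTEM\CurrentControlSet\Services.
# Assumes an elevated PowerShell session on Windows. Read-only: nothing is written.

# CSCONFIGFLAG_DISABLED from the Windows DDK: device node disabled in this profile.
$CSCONFIGFLAG_DISABLED = 0x1

function Get-LegacyServiceProfileState {
    param(
        # Optional list of service names (e.g. 'vsmon'); default is every LEGACY_* node.
        [string[]]$ServiceName
    )
    # HKCC has no default PSDrive, so address it through the Registry:: provider path.
    $enumRoot = 'Registry::HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT'
    $svcRoot  = 'Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services'
    $startNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

    $nodes = Get-ChildItem -Path $enumRoot -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'LEGACY_*' }

    foreach ($node in $nodes) {
        # LEGACY_VSMON -> vsmon; the Services key uses the plain service name.
        $name = $node.PSChildName.Substring('LEGACY_'.Length).ToLower()
        if ($ServiceName -and ($ServiceName -notcontains $name)) { continue }

        # Each legacy node has an instance subkey (normally 0000) carrying CSConfigFlags.
        foreach ($inst in Get-ChildItem -Path $node.PSPath -ErrorAction SilentlyContinue) {
            $flags = (Get-ItemProperty -Path $inst.PSPath -Name CSConfigFlags `
                      -ErrorAction SilentlyContinue).CSConfigFlags
            if ($null -eq $flags) { $flags = 0 }

            $start = (Get-ItemProperty -Path "$svcRoot\$name" -Name Start `
                      -ErrorAction SilentlyContinue).Start
            $startLabel = if ($null -ne $start) { $startNames[[int]$start] } else { '(no Services key)' }

            [pscustomobject]@{
                Service         = $name
                Instance        = $inst.PSChildName
                CSConfigFlags   = ('0x{0:X8}' -f [int]$flags)
                ProfileDisabled = [bool]($flags -band $CSCONFIGFLAG_DISABLED)
                ServiceStart    = $startLabel
            }
        }
    }
}

# Anything disabled by the profile flag while its Services entry still says
# Automatic is exactly the silent state the post describes for vsmon.
Get-LegacyServiceProfileState |
    Where-Object { $_.ProfileDisabled -and $_.ServiceStart -eq 'Automatic' } |
    Format-Table -AutoSize
```

Run it once on a known-good machine to see what (if anything) legitimately carries the flag, then again after a suspected tampering; a LEGACY_* node that reports ProfileDisabled = True against an Automatic start type is the discrepancy to investigate. The `sc config vsmon start= disabled` step in the post would instead show up as ServiceStart = Disabled, which the same output also surfaces.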