ZoneAlarm Security Circumvention

[ICEBREAKER101010]

Hi,

During my (in)security research, I've discovered what appears initially to be

a design oversight and not necessarily a vulnerability, affecting ZoneAlarm

and various other security vendors. I've tested this on various XP platforms

successfully, please feel free to notify the vendor as you wish and/or to

publish whatever you feel appropriate under the circumstances.

NOTE:

Certain vendors (including ZoneAlarm) implement self-defence/self-protection

measures (see below for clarification), so as to prevent inadvertent &

malicious tampering with their software, and ultimately circumventing their

security controls. This extends to certain administrative privileges.

The following illustrates how one can easily disable ZoneAlarm's security for

whatever malevolent purposes. This "vector" so to speak, is merely "abusing" a

particular branch of the Windows registry, by registering this security

service as disabled. When "exploiting" this "vector" (administrative

privileges are assumed, see below for clarification) and the system rebooted,

this security service will be disarmed. That said, this particular "vector"

opens the door for "exploitation" via social means, thus unwitting victims may

not even realise that their security has been disabled, leaving them exposed

and unprotected.

Step-by-step illustration

How to easily circumvent ZoneAlarm's security, by disabling ZoneAlarm's

service (vsmon.exe) aka "TrueVector Internet Monitor". ZoneAlarm doesn't

protect this option, thus this is a good starting point for now.

i.e.

[HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\000

0]

"CSConfigFlags"=dword:00000001

NOTE:

The next step is not required, especially seeing as ZoneAlarm's service

(vsmon.exe) was disabled in the previous step. However, should you also wish

to reconfigure ZoneAlarm's services, especially seeing as they are now

unprotected, to start manually or even disable completely;

i.e. Command Prompt

C:\> sc config vsmon start= disabled

The following helps to clarify the misconceptions and assumptions around

security software, especially in the context of administrator privileges. The

following project from 'Matousec' examines security software for Windows OS

that implement application-based security model.

Introduction:

Introduction - www.matousec.com

ion

http://www.matousec.com/projects/proactive-security-challenge/level.php?

num=1#tests

Methodology and rules:

Self-defense test: This category of tests include various attacks against the

security product itself. Termination tests are the first subtype of tests that

belongs in this category. These tests attempt to terminate or somehow damage

processes, or their parts, of the tested product. The termination test usually

succeeds if at least one of the target processes, or at least one of their

parts, was terminated or damaged. Besides processes and threads, the security

software usually relies on various files and registry entries. Tests that

attempt to remove, destroy or corrupt these critical objects for the security

product also belong to this category.

Administrator's or limited account:

Frequently asked questions - www.matousec.com

ministrators-limited-account

Cheers

Andrew Barkley