CPNI - Centre for the Protection of National Infrastructure

March 2006

Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarm

ID: 00202
Ref: 202/2006
Date: 13 March 2006:15:45:24
Version: 1

Title: Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarm
Abstract: A local escalation of privileges issue in ZoneAlarm products does exist.
Vendors affected: Zone Labs
Operating systems affected: Zone Labs
Applications affected: Zone Labs


Title
=====


Statement Regarding Reported Local Escalation of Privileges Vulnerability
for ZoneAlarm

Detail
======

A local escalation of privileges issue in ZoneAlarm products does exist.


Statement Regarding Reported Local Escalation of Privileges Vulnerability for ZoneAlarm

Severity:
Low

Impact:
Local escalation of privileges

Remotely exploitable:
No

Affected software:
ZoneAlarm and its variations (6.x confirmed, other versions may be susceptible)
Integrity (specific versions affected not yet determined)

Description:
A local escalation of privileges issue in ZoneAlarm products does exist.

The TrueVector service (VSMON.exe), which runs under the local SYSTEM account,
loads several DLLs (Dynamically Linked Libraries) as part of its startup process,
which by default happens automatically when a user starts Windows.
In some cases, DLLs may not be present in a given installation but will be searched for anyway.
If a DLL matching one of those names appears in the set of directories searched,
it may be loaded with the same privileges as the TrueVector service (SYSTEM level account).
Internal testing of the issue is still ongoing, and additional symptoms may be undiscovered at this stage.

How an attacker may exploit this:
An attacker who succeeds in placing a malicious DLL in a folder that appears in the PATH before the ZoneAlarm folder
might run the malicious DLL under the local SYSTEM account privileges.
Any software program that runs with SYSTEM privileges and dynamically loads DLLs from the PATH
could be subjected to a similar issue.

Mitigating factors:
An attacker must first place, or convince the user to place, a malicious DLL in a folder
that appears in the path before the ZoneAlarm folder.
In order to accomplish this, the machine would already be compromised through another hacking method,
either Trojan-like malware or through social engineering.

Patch Release:
This issue has been given a high priority and a fix is currently under development.
As soon as it is finished and tested, it will be released through a special product update.

We encourage security researchers and users to report security related issues to security@zonelabs.com.
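
The lookup behaviour described in the statement can be audited from the defender's side. The following is an added example, not part of the advisory or any Zone Labs code: it models only the PATH-ordered part of the DLL search, and the directory layout and DLL names are constructed placeholders.

```python
import tempfile
from pathlib import Path

def first_provider(name, dirs):
    """Return the first directory in search order holding a file called name."""
    for d in dirs:
        for f in d.iterdir():
            # Windows file names are case-insensitive, so compare lowered names.
            if f.is_file() and f.name.lower() == name.lower():
                return d
    return None

def audit_dll_resolution(search_dirs, product_dir, dll_names):
    """Classify each DLL name a service requests by where a PATH-ordered search finds it.

    "product" - first match is in the product folder (expected)
    "foreign" - first match is in another directory, which would be loaded instead
    "absent"  - no directory supplies it yet, so any searched directory could
    """
    product = Path(product_dir).resolve()
    # Entries that do not exist on disk are skipped, as a loader would skip them.
    dirs = [Path(d).resolve() for d in search_dirs if Path(d).is_dir()]
    report = {}
    for name in dll_names:
        hit = first_provider(name, dirs)
        if hit is None:
            report[name] = ("absent", None)
        elif hit == product:
            report[name] = ("product", str(hit))
        else:
            report[name] = ("foreign", str(hit))
    return report

if __name__ == "__main__":
    # Constructed layout: one real and one stale PATH entry ahead of a stand-in product folder.
    with tempfile.TemporaryDirectory() as root:
        tools, product = Path(root, "tools"), Path(root, "product")
        for d in (tools, product):
            d.mkdir()
        (product / "core.dll").touch()    # shipped with the product
        (product / "shared.dll").touch()  # shipped, but shadowed below
        (tools / "SHARED.DLL").touch()    # same name earlier in the search order
        path = [str(tools), str(Path(root, "stale")), str(product)]
        wanted = ["core.dll", "shared.dll", "optional.dll"]  # hypothetical names
        for name, (status, where) in audit_dll_resolution(path, product, wanted).items():
            print(f"{name:14} {status:8} {where or '-'}")
```

On a real host the directory list would be the machine PATH and the names would be the DLLs the service is observed requesting; any "foreign" or "absent" result points at directories whose write permissions should be reviewed.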