Category:   Application (Firewall)  >   ZoneAlarm
Vendors:   Zone Labs
(Vendor Confirms and Responds) Re: ZoneAlarm Buffer Overflow in VSDATANT Device Driver Yields System Privileges to Local Users
SecurityTracker Alert ID:  1007461
SecurityTracker URL:
CVE Reference:   GENERIC-MAP-NOMATCH
Date:  Aug 11 2003
Impact:   Execution of arbitrary code via local system, Root access via local system
Vendor Confirmed:  Yes  
Version(s): Tested on 3.1
Description:   A buffer overflow vulnerability was reported in the device driver of the ZoneAlarm firewall. A local user can execute arbitrary code with full privileges.

Lord YuP of sec-labs reported that a local user can send a specially crafted message to the VSDATANT TrueVector Device Driver to overwrite memory. A local user can reportedly gain ring0 privileges (full system control).

The local user can send one signal to overwrite a specific memory location (so that it contains the local user's arbitrary code) and then send a second signal to cause the system to jump to the user-supplied arbitrary code.

Some exploit example details are provided in the Source Message.

Additional details about exploiting device driver flaws are available at:

Impact:   A local user can execute arbitrary code with ring0 (system) privileges.
Solution:   The vendor has confirmed the flaw and is working on a fix. The vendor reports that the risk due to this flaw is low. The vendor's complete response is provided in the Source Message.
Vendor URL:
Cause:   Boundary error, Input validation error
Underlying OS:  Windows (Any)

Message History:   This archive entry is a follow-up to the message listed below.
Aug 5 2003 ZoneAlarm Buffer Overflow in VSDATANT Device Driver Yields System Privileges to Local Users

Source Message Contents

Subject:  Vendor response to "Zone Labs Buffer Overflow..."

Zone Labs response to Device Driver Attack

OVERVIEW:  This vulnerability describes a way to send unauthorized commands to a Zone Labs 
device driver and potentially cause unexpected behavior. This proof-of-concept exploit 
represents a relatively low risk to Zone Labs users.  It is a “secondary” exploit that 
requires physical access to a machine or circumvention of other security measures included 
in Zone Labs consumer and enterprise products to exploit. We are working on a fix and will 
release it within 10 days.

EXPLOIT: The demonstration code is a proof-of-concept example that describes a potential 
attack against the Zone Labs device driver that is part of the TrueVector client security 
engine. In the exploit, a malicious application sends unauthorized commands to this device 
driver. The author also claims that this could potentially compromise system security. 
While we have verified that unauthorized commands could be sent to the device driver, we 
have not been able to verify that this exploit can actually affect system security. The 
code sample published was intentionally incomplete, to prevent malicious hackers from 
using it.

RISK: We believe that the immediate risk to users from this exploit is low, for several 
reasons: this is a secondary attack, not a primary vulnerability created or allowed by our 
product. Successful exploitation of this vulnerability would require bypassing several 
other layers of protection in our products, including the stealth firewall and/or MailSafe 
email protection. To our knowledge, there are no examples of malicious software exploiting 
this vulnerability. Further, the code sample was written specifically to attack ZoneAlarm 
3.1, an older version of our software.

SOLUTION: Security for our users is our first concern, and we take reports of this kind 
seriously. We will be updating our products to address this issue by further strengthening 
protection for our device driver and will make these updates available in the next 10 
days. Registered users who have enabled the "Check for Update" feature in ZoneAlarm, 
ZoneAlarm Plus, or ZoneAlarm Pro are informed by the software automatically whenever a new 
software update is released. Zone Labs will provide guidance to Integrity administrators 
regarding updating their client software.

CONTACT: Zone Labs customers who are concerned about the proof-of-concept Device Driver 
Attack or have additional technical questions may reach our Technical Support group at: 

ACKNOWLEDGEMENTS: Zone Labs would like to thank Lord YuP for bringing this issue to our 
attention. However, we would prefer to be contacted at 
<>  prior to publication, in order to allow us to address any 
security issues up front.

