
ZoneAlarm TrueVector Internet Monitor insecure NTFS permissions vulnerability


This Wind


Author: Yorick Koster                                             Severity: High
 


 

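Description:

A vulnerability was found in the TrueVector Internet Monitor service, which is installed as part of the Check Point ZoneAlarm firewall. This vulnerability allows a local attacker to cause the affected service to change the file permissions of arbitrary local files. After the file permissions have been changed, the attacker can overwrite the file's content and ultimately gain elevated privileges on the vulnerable machine. The vulnerability was successfully verified on ZoneAlarm Free Firewall version 15.8.023.18219 and TrueVector Internet Monitor version 15.8.7.18219.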

 

------------------------------------------------------------------------
ZoneAlarm TrueVector Internet Monitor service insecure NTFS permissions
vulnerability

------------------------------------------------------------------------
Abstract
------------------------------------------------------------------------
A vulnerability was found in the TrueVector Internet Monitor service,
which is installed as part of the Check Point ZoneAlarm firewall. This
vulnerability allows a local attacker to cause the affected service to
change the file permissions of arbitrary local files. After the file
permissions have been changed, the attacker can then overwrite its
content, and ultimately gain elevated privileges on the vulnerable
machine.

------------------------------------------------------------------------
Tested version
------------------------------------------------------------------------
This vulnerability was successfully verified on ZoneAlarm Free Firewall
v15.8.023.18219/TrueVector Internet Monitor v15.8.7.18219.

------------------------------------------------------------------------
Fix
------------------------------------------------------------------------
Check Point released new versions of ZoneAlarm Firewall that fix this
vulnerability. The latest version of ZoneAlarm Free Firewall
(v15.8.043.18324) can be obtained from
https://www.zonealarm.com/software/free-firewall/download.

The 2020-03 Cumulative Update [2] for Windows 10 adds hardlink
mitigations. After installing this update, Windows will require write
access on the target file; otherwise the hardlink won't be created.
Requiring write access on the target file also mitigates this issue.

------------------------------------------------------------------------
Introduction
------------------------------------------------------------------------
A vulnerability was found in the TrueVector Internet Monitor service,
which is installed as part of the Check Point ZoneAlarm firewall. This
vulnerability allows a local attacker to cause the affected service to
change the file permissions of arbitrary local files. After the file
permissions have been changed, the attacker can then overwrite its
content, and ultimately gain elevated privileges on the vulnerable
machine.

------------------------------------------------------------------------
Vulnerability details
------------------------------------------------------------------------
The TrueVector Internet Monitor service runs as LocalSystem and
periodically creates a number of backup files within the
%ProgramData%\CheckPoint\ZoneAlarm\Data\ folder. When these files are
created, their file permissions are explicitly set to Full Control for
Authenticated Users. A local attacker can create a hardlink with the
same name as the backup files, causing the permissions of another file
(the hardlink's target) to be changed.

After the file permissions have been changed, the attacker can then
overwrite its content, and ultimately gain elevated privileges on the
vulnerable machine. Hardlinks can be created using James Forshaw's [3]
CreateHardlink [4] tool.

CreateHardlink.exe "%ProgramData%\CheckPoint\ZoneAlarm\Data\bu_tosave.ndb" "%SystemRoot%\win.ini"
CreateHardlink.exe "%ProgramData%\CheckPoint\ZoneAlarm\Data\bu_todelete.ndb" "%SystemRoot%\win.ini"

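Added example, not part of the original advisory and not Check Point's fix: a Python check that lists files in a data folder which have more than one hardlink name, plus a creation guard (an assumed hardening pattern for a privileged writer) that refuses a pre-existing name and verifies the link count by handle. The folder and file names inside demo() are constructed stand-ins.

```python
import os
import stat
import tempfile

def find_hardlinked(directory):
    """List regular files in `directory` that have more than one name."""
    hits = []
    with os.scandir(directory) as entries:
        for entry in entries:
            st = os.lstat(entry.path)  # lstat: do not follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_nlink > 1:
                hits.append((entry.name, st.st_nlink))
    return sorted(hits)

def create_exclusive(path):
    """Guard for a privileged writer (assumed hardening pattern): fail if the
    name already exists, then confirm by handle that the new file has exactly
    one name before any permission change is applied to it."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    st = os.fstat(fd)
    if not stat.S_ISREG(st.st_mode) or st.st_nlink != 1:
        os.close(fd)
        raise PermissionError(f"{path}: unexpected link count {st.st_nlink}")
    return fd

def demo():
    """Constructed sample: a stand-in data folder with one linked backup name."""
    with tempfile.TemporaryDirectory() as root:
        data = os.path.join(root, "Data")    # stand-in for ...\ZoneAlarm\Data
        other = os.path.join(root, "Other")  # stand-in for another location
        os.mkdir(data)
        os.mkdir(other)
        target = os.path.join(other, "target.ini")
        with open(target, "w") as f:
            f.write("[constructed]\n")
        with open(os.path.join(data, "normal.ndb"), "w") as f:
            f.write("ok")
        planted = os.path.join(data, "bu_tosave.ndb")
        os.link(target, planted)             # second name for target.ini
        found = find_hardlinked(data)
        try:
            create_exclusive(planted)
            refused = False
        except FileExistsError:
            refused = True
        os.close(create_exclusive(os.path.join(data, "bu_new.ndb")))
        return found, refused, os.path.samefile(target, planted)

if __name__ == "__main__":
    print(demo())
```
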
------------------------------------------------------------------------
References
------------------------------------------------------------------------
[1] https://www.securify.nl/advisory/SFY20200317/zonealarm-truevector-internet-monitor-service-insecure-ntfs-permissions-vulnerability.html
[2] https://www.catalog.update.microsoft.com/Search.aspx?q=KB4540673
[3] https://twitter.com/tiraniddo
[4] https://github.com/googleprojectzero/symboliclink-testing-tools/tree/master/CreateHardlink

#  0day.today [2020-03-20]  #

 
