Finding and Exploiting the Check Point ZoneAlarm Anti-Virus for Local Privilege Esc
#1
Technical White Paper: Finding and Exploiting the Check Point ZoneAlarm Anti-Virus for Local Privilege Escalation

Quote:Introduction
Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate privileges to SYSTEM-level with the anti-virus software enabled. The vulnerability is due to insecure implementation of inter-process communications within the ZoneAlarm application itself, which allows a low-privilege user to inject and execute code by hijacking the insecure communications with a vulnerable .NET service. The affected .NET service is running with SYSTEM-level privileges; therefore, injected code is run at the SYSTEM-level, bypassing privilege restrictions and allowing the user to gain full control of the system.
This paper describes, at a technical level, how the exploit was discovered and how to exploit the vulnerability to attain local, unauthorized SYSTEM-level code execution.
Watch this video of the exploit in action.
Check out the exploit code on our GitHub repository.
......

Read more at: https://www.illumant.com/blog/2019/01/16...ite-paper/

Video here: https://www.illumant.com/blog/2019/01/17...oit-video/

Quote:General Overview
Illumant has discovered a critical vulnerability in Check Point’s ZoneAlarm anti-virus software. This vulnerability allows a low-privileged user to escalate to SYSTEM-level privileges. A service endpoint within ZoneAlarm exposes powerful functionality, including the ability to start new processes as SYSTEM. Efforts were made by the developers to ensure that only trusted processes could interact with the service. Trusted processes are identified using code signing, but on Windows it is possible for low-privilege users to sign code with a self-signed certificate and be trusted by the operating system. Thus, low-privilege users are able to interact with the service and run commands as SYSTEM.
Check Point’s ZoneAlarm anti-virus software is often cited among the top 10 most popular anti-virus applications, and as such, this vulnerability, before the patch was made available (here & here), affected millions of systems worldwide.
Furthermore, the vulnerability is an example of a class of vulnerabilities that exist within insecure implementations of Microsoft’s Windows Communication Foundation (WCF). Illumant is calling this bug class “OwnDigo,” a twist on the name “Indigo,” the former codename for WCF.
Illumant reported the vulnerability to Check Point, per Illumant’s responsible disclosure policy. Release of this information has been timed to ensure that a patch for this vulnerability is available from Check Point. We thank Check Point for their responsiveness in addressing this issue.

https://www.illumant.com/blog/2019/01/17...-zero-day/
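The trust decision described in the General Overview, as an added example that is not part of the original post and is not Illumant's or Check Point's code: a privileged service check that accepts any signer the operating system trusts, beside one that also pins the publisher. `CallerTrust`, its method names and the thumbprint are hypothetical placeholders, and the code assumes the caller's executable path is already resolved and its Authenticode signature already verified (for example with WinVerifyTrust), because `CreateFromSignedFile` only extracts the signer certificate.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;

// Added example; CallerTrust and its members are hypothetical names.
static class CallerTrust
{
    // Placeholder: SHA-1 thumbprints of the vendor's own code-signing certificates.
    // Pinning the leaf means this list must be updated when a certificate is renewed.
    static readonly HashSet<string> PinnedPublishers =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "0000000000000000000000000000000000000000"
        };

    // Weak: passes for any signer the operating system's trust stores accept,
    // whoever the publisher is. The overview describes this kind of check as insufficient.
    public static bool IsOsTrusted(X509Certificate2 signer)
    {
        using (var chain = new X509Chain())
        {
            return chain.Build(signer);
        }
    }

    // Hardened: the chain must build AND the signer must be a pinned publisher.
    public static bool IsPinnedPublisher(X509Certificate2 signer)
    {
        return IsOsTrusted(signer) && PinnedPublishers.Contains(signer.Thumbprint);
    }

    // Service-side entry point: a caller without a readable signature is rejected.
    public static bool IsTrustedCaller(string callerImagePath)
    {
        try
        {
            var raw = X509Certificate.CreateFromSignedFile(callerImagePath);
            using (var signer = new X509Certificate2(raw))
            {
                return IsPinnedPublisher(signer);
            }
        }
        catch (CryptographicException)
        {
            return false; // unsigned file or unreadable signature
        }
    }
}
```

Pinning narrows which binaries are accepted but does not by itself authenticate the running process, so operations such as starting processes as SYSTEM should still be restricted to what an unprivileged caller is allowed to request.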

