Multiple Zone Alarm Vulnerabilities Grant System Privileges
As reported to iDefense by Ruben Santamarta of Reversemode, the srescan.sys device driver used by the Spyware Removal Engine has a flaw in the way it validates IOCTL requests. As a result, requests from user land containing crafted data can overwrite memory, with the possibility of executing arbitrary code in the context of the kernel.
Two exploitable request codes are identified in the advisory. IOCTL 0x2220CF permits a constant double word to be written, but, much more seriously, IOCTL 0x22208F permits the content of a buffer returned from the ZwQuerySystemInformation function to be written. This can be exploited to directly raise an attacker's privileges to SYSTEM, although no assessment is offered in the advisory of the practical feasibility of exploitation in the field.
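Decoding the two request codes named above into their CTL_CODE fields shows why validation falls to the driver: both use METHOD_NEITHER, where the I/O manager hands user-supplied addresses to the handler unchecked. This is an added example, not code from the advisory or the driver; the helper names, the triage score and the comparison value 0x226000 are constructed for illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* CTL_CODE layout from the Windows DDK:
 * bits 31-16 device type | 15-14 access | 13-2 function | 1-0 method */
#define IOCTL_METHOD_NEITHER  3u  /* raw user pointers, no I/O manager checks */
#define IOCTL_ANY_ACCESS      0u  /* FILE_ANY_ACCESS: any open handle may send it */

typedef struct {
    uint32_t device_type, access, function, method;
} ioctl_fields;

ioctl_fields decode_ioctl(uint32_t code)
{
    ioctl_fields f;
    f.device_type = code >> 16;
    f.access      = (code >> 14) & 0x3u;
    f.function    = (code >> 2) & 0xFFFu;
    f.method      = code & 0x3u;
    return f;
}

/* Audit triage score (hypothetical helper, not a WDK API):
 * 0 = I/O manager buffers the data or locks it via an MDL
 * 1 = METHOD_NEITHER: the handler must probe every user address itself
 * 2 = METHOD_NEITHER and no access right required on the handle */
int audit_priority(uint32_t code)
{
    ioctl_fields f = decode_ioctl(code);
    if (f.method != IOCTL_METHOD_NEITHER)
        return 0;
    return f.access == IOCTL_ANY_ACCESS ? 2 : 1;
}

int main(void)
{
    /* First two codes are from the advisory; 0x226000 is a constructed
     * METHOD_BUFFERED / FILE_READ_ACCESS control for comparison. */
    const uint32_t codes[] = { 0x2220CFu, 0x22208Fu, 0x226000u };
    for (size_t i = 0; i < sizeof codes / sizeof codes[0]; i++) {
        ioctl_fields f = decode_ioctl(codes[i]);
        printf("0x%06X dev=0x%X func=0x%03X access=%u method=%u priority=%d\n",
               (unsigned)codes[i], (unsigned)f.device_type, (unsigned)f.function,
               (unsigned)f.access, (unsigned)f.method, audit_priority(codes[i]));
    }
    return 0;
}
```

When reviewing a driver, handlers whose codes score 2 are the ones to read first for missing address and length checks.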
iDefense has determined that this problem affects version 126.96.36.199 of the srescan.sys driver used in Zone Alarm Free, and other Zone Alarm products are also suspect. It was first reported in December to Zone Labs, who apparently made no public comment. It has, however, been silently fixed as of version 188.8.131.52 of the Spyware Removal Engine. Version 184.108.40.206 is current.
- Check Point Zone Labs SRESCAN IOCTL Local Privileges Escalation Vulnerability, iDefense Advisory