In association with heise online

24 April 2007, 18:38

Multiple Zone Alarm Vulnerabilities Grant System Privileges


As reported to iDefense by Ruben Santamarta of Reversemode, the srescan.sys device driver used by the Spyware Removal Engine has a flaw in the way it validates IOCTL requests. As a result, requests sent from user mode containing crafted data can overwrite memory, with the possibility of executing arbitrary code in the context of the kernel.

Two exploitable request codes are identified in the advisory. IOCTL 0x2220CF permits a constant double word to be written, but, much more seriously, IOCTL 0x22208F permits the content of a buffer returned from the ZwQuerySystemInformation function to be written. This can be exploited to directly raise an attacker's privileges to SYSTEM, although no assessment is offered in the advisory of the practical feasibility of exploitation in the field.

iDefense has determined that this problem affects version of the srescan.sys driver used in Zone Alarm Free, and other Zone Alarm products are also suspect. It was first reported to Zone Labs in December, who apparently made no public comment. It has, however, been silently fixed from version of the Spyware Removal Engine. Version is current.
