Privilege escalation in ZoneAlarm
Security service provider iDefense has reported vulnerabilities in multiple versions of the ZoneAlarm security products from Check Point. Local users can exploit the vulnerabilities to elevate their privileges and ultimately take complete control of the system.
One vulnerability affects ZoneAlarm 5.5 and 6.5. During installation, the software sets the access permissions on the files in the program directory so that anyone can modify them. Users with restricted privileges can thereby, for example, replace one of the software's services with their own program and execute it in kernel mode.
The second vulnerability affects vsdatant.sys, the firewall driver of the TrueVector engine in ZoneAlarm 6.5. The driver does not correctly validate user-supplied data in the I/O Request Packets (IRPs) sent to its Input/Output Controls (IOCTLs), which allows local attackers to overwrite arbitrary memory areas.
According to iDefense, Check Point eliminated the vulnerabilities in all products with Version 7.0.362. The current version, however, is ZoneAlarm 7.1, which runs under Vista. Users of older ZoneAlarm versions should consider updating to Version 7.1, since attackers with access to the system can exploit the vulnerabilities to completely compromise the computer.
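To check a system for the first issue described above (files in the program directory that anyone can change), an administrator can audit the directory's ACLs. The script below is an added example, not code from iDefense or Check Point; the `-Path` parameter is a placeholder, because the article does not give the install directory, and the list of "broad" groups is an assumption about which principals count as restricted users.

```powershell
# Added example: report files and folders that broad, low-privileged groups can modify.
# -Path is a placeholder; the article does not give the ZoneAlarm install directory.
param(
    [Parameter(Mandatory = $true)]
    [string]$Path
)

# Well-known SIDs of groups that include restricted local users (assumed scope).
$broadSids = @(
    'S-1-1-0',       # Everyone
    'S-1-5-11',      # Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # INTERACTIVE
)

# Rights that let a user replace or alter a file, or rewrite its ACL.
$writeMask = [int][System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$genericMask = 0x50000000   # GENERIC_WRITE (0x40000000) and GENERIC_ALL (0x10000000)
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType = [System.Security.Principal.SecurityIdentifier]

$items = @(Get-Item -LiteralPath $Path -Force) +
         @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $items) {
    try {
        $acl = Get-Acl -LiteralPath $item.FullName -ErrorAction Stop
    } catch {
        Write-Warning "Cannot read ACL: $($item.FullName)"
        continue
    }
    # Ask for rules with SIDs so the check does not depend on localized group names.
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only entries apply to children, not to this object.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if ($broadSids -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band ($writeMask -bor $genericMask)) -ne 0) {
            [pscustomobject]@{
                Path   = $item.FullName
                Sid    = $ace.IdentityReference.Value
                Rights = $ace.FileSystemRights
            }
        }
    }
}

$findings | Sort-Object Path, Sid | Format-Table -AutoSize -Wrap
```

Any row listing a service executable or driver means a restricted user can replace that file; an empty result means none of the listed groups has write access under the given path.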
- Check Point Zone Labs Multiple Products Privilege Escalation Vulnerability, security advisory from iDefense
- Check Point Zone Labs VSDATANT Multiple IOCTL Privilege Escalation Vulnerabilities, security advisory from iDefense