COMMAND

    ZoneAlarm

SYSTEMS AFFECTED

    ZoneAlarm (Pro)

PROBLEM

    Following is based  on a Diamond  Computer Systems  Security Advisory.
    ZoneAlarm and ZoneAlarm  Pro can be  shut down with  a tiny batch file.
    On its own this is a low-to-medium risk,  but as Zone Labs will not be
    fixing the problem it could be considered medium-to-high.

    Zone Labs Inc. were notified on Wednesday, Dec 27, 2000.  As Zone Labs
    have given a final response to this particular vulnerability,  it can
    now be disclosed to the public.

    ZoneAlarm and ZoneAlarm Pro,  like all good multi-file programs,  support
    an Uninstall  feature.   The  Uninstall  routine  executes zonealarm.exe
    (or zapro.exe in the Pro version),  vsmon.exe and minilog.exe,  passing
    special uninstall and unload parameters to each program.  By doing this,
    ZoneAlarm shuts down its user interface and its services.

    By design, ZoneAlarm\ZoneAlarm Pro has no way of determining WHICH
    program is calling it to unload.  Any process that can run the ZoneAlarm
    executables with those parameters,  a trojan included,  can therefore
    shut down the firewall in exactly the way the uninstaller does.

    A very trivial exploit: all a trojan has to do is read

        HKEY_LOCAL_MACHINE\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory

    to locate zonealarm.exe  (just one of many ways to find it),  locate the
    Windows System32 directory,  and then execute zonealarm.exe,  vsmon.exe
    and minilog.exe,  passing each one the unload and uninstall parameters
    specified in ZoneAlarm's Manual Uninstall instructions.

    Running the following batch file  will shut down your ZoneAlarm\ZoneAlarm
    Pro firewall.  The batch file assumes that ZoneAlarm\ZoneAlarm Pro is
    installed in its default directory location  (the 8.3 short names below
    are those defaults).   Needless to say,  this isn't a very efficient way
    of using the exploit,  and a trojan would be a lot smarter about finding
    the four ZA executables,  but the batch file demonstrates the simplicity
    of the vulnerability.

        @echo off
        @echo Shutting down ZoneAlarm and ZoneAlarm Pro, one moment...
        rem User interface: Pro build first, then the free build
        c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload
        c:\progra~1\zonela~1\zoneal~1\zoneal~1.exe -unload
        rem Service and logger, Windows 9x/ME location
        %windir%\system\zonelabs\vsmon.exe -unload -uninstall
        %windir%\system\zonelabs\minilog.exe -unload -uninstall
        rem Service and logger, Windows NT/2000 location
        %windir%\system32\zonelabs\vsmon.exe -unload -uninstall
        %windir%\system32\zonelabs\minilog.exe -unload -uninstall
        @echo Finished
        @echo on
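    Because the page shows that only the caller, not the unload request
    itself, distinguishes the uninstaller from a trojan, the practical check
    is to watch who launches these binaries with those switches.  The
    following is an added example, not code from the advisory or from Zone
    Labs: a small Python scanner over process-creation records in a Sysmon
    Event ID 1 style (Image / CommandLine / ParentImage).  It flags any of
    the four ZoneAlarm executables being started with -unload or -uninstall
    by a parent that does not live in the ZoneAlarm install directory.  The
    log lines are constructed, the install directory default is assumed to
    match the short names in the batch file above, and the uninstaller file
    name (uninstall.exe) in the sample is an assumption, since the advisory
    does not name it.

```python
"""Flag ZoneAlarm components told to unload by an unexpected parent process.

Added example (not from the advisory). Scans Sysmon-style process-creation
records for the ZoneAlarm binaries named in the advisory being launched with
-unload / -uninstall by a parent outside the ZoneAlarm install directory.
"""
import re
from typing import Dict, Iterable, List

# Binaries and switches named in the advisory's manual-uninstall procedure.
ZA_BINARIES = {"zonealarm.exe", "zapro.exe", "vsmon.exe", "minilog.exe"}
CONTROL_SWITCHES = {"-unload", "-uninstall"}

# ASSUMPTION: the legitimate uninstaller runs from the ZoneAlarm install
# directory (the value under HKLM\SOFTWARE\Zone Labs\ZoneAlarm\InstallDirectory).
# The advisory does not name the uninstaller binary, so a parent is judged
# by the directory it runs from rather than by its file name.
DEFAULT_INSTALL_DIR = r"c:\program files\zone labs\zonealarm"

# Key=Value pairs, values either double-quoted or a single non-space token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Parse one `Key=Value Key="quoted value"` record into a dict."""
    fields: Dict[str, str] = {}
    for key, raw in FIELD_RE.findall(line):
        fields[key] = raw[1:-1] if raw.startswith('"') else raw
    return fields


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _switches(cmdline: str) -> set:
    """Command-line tokens that look like switches, lower-cased."""
    return {tok.lower() for tok in cmdline.split() if tok.startswith("-")}


def is_suspicious_unload(rec: Dict[str, str],
                         install_dir: str = DEFAULT_INSTALL_DIR) -> bool:
    """True if a ZoneAlarm binary is told to unload by a parent outside install_dir."""
    if _basename(rec.get("Image", "")) not in ZA_BINARIES:
        return False
    if not _switches(rec.get("CommandLine", "")) & CONTROL_SWITCHES:
        return False
    parent = rec.get("ParentImage", "").replace("/", "\\").lower()
    prefix = install_dir.lower().rstrip("\\") + "\\"
    # Only a parent running from the ZoneAlarm directory is treated as legitimate.
    return not parent.startswith(prefix)


def scan(lines: Iterable[str],
         install_dir: str = DEFAULT_INSTALL_DIR) -> List[Dict[str, str]]:
    """Return the parsed records that match the unload-from-elsewhere pattern."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec and is_suspicious_unload(rec, install_dir):
            hits.append(rec)
    return hits


# Constructed sample records (not real logs). Line 1 is the assumed legitimate
# uninstaller; lines 2 and 3 are the advisory's batch file run from cmd.exe.
SAMPLE_LOG = [
    r'Image="C:\WINDOWS\system32\zonelabs\vsmon.exe" CommandLine="vsmon.exe -unload -uninstall" ParentImage="C:\Program Files\Zone Labs\ZoneAlarm\uninstall.exe"',
    r'Image="C:\WINDOWS\system32\zonelabs\vsmon.exe" CommandLine="C:\WINDOWS\system32\zonelabs\vsmon.exe -unload -uninstall" ParentImage="C:\WINDOWS\system32\cmd.exe"',
    r'Image="C:\Program Files\Zone Labs\ZoneAlarm\zapro.exe" CommandLine="c:\progra~1\zonela~1\zoneal~1\zapro.exe -unload" ParentImage="C:\WINDOWS\system32\cmd.exe"',
    r'Image="C:\Program Files\Zone Labs\ZoneAlarm\zonealarm.exe" CommandLine="zonealarm.exe" ParentImage="C:\WINDOWS\explorer.exe"',
    r'Image="C:\WINDOWS\notepad.exe" CommandLine="notepad.exe -unload" ParentImage="C:\WINDOWS\explorer.exe"',
]


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print("ZoneAlarm unload from unexpected parent:",
              hit["ParentImage"], "->", hit["CommandLine"])
```

    Against the sample, only the two cmd.exe launches are reported; the
    assumed uninstaller, the plain GUI start and the unrelated notepad.exe
    record are ignored.  Note that the parent check compares against the
    long-form directory name, so a deployment that logs 8.3 short paths
    (as in the batch file) would need both forms normalised first.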

SOLUTION

    According to Zone Labs,  if you get the buy-before-you-try version of
    ZA (ZoneAlarm Pro)  AND you set passwords,  you won't be vulnerable.  As
    a matter of convenience,  the majority of ZoneAlarm Pro users would _NOT_
    use passwords,  and by default there is no need for them to do so.  Those
    who don't set a password,  and all users of the regular ZoneAlarm,  are
    left out in the cold with this one.  Until that changes,  any launch of
    zonealarm.exe,  zapro.exe,  vsmon.exe or minilog.exe with the -unload or
    -uninstall switch by anything other than the uninstaller should be
    treated as the firewall being taken down.