荔园在线
荔园之美,在春之萌芽,在夏之绽放,在秋之收获,在冬之沉淀
[回到开始]
[上一篇][下一篇]
发信人: michaelx (水并不是这样灌的), 信区: Security
标 题: 「特洛依木馬」程式解除ZoneAlarm防駭軟體的防禦功能
发信站: 荔园晨风BBS站 (Sat Nov 24 15:16:19 2001), 转信
「特洛依木馬」程式解除ZoneAlarm防駭軟體的防禦功能
內容
這個漏洞是「特洛依木馬」程式可以藉由呼叫 CreateMutex API 來解除 ZoneAlarm 的
防禦功能。
漏洞系統:
現階段所有版本的 ZoneAlarm 都會受到影響
Zone Labs "ZoneAlarm" and "ZoneAlarm Pro" programs both use a Mutex - an eve
nt synchronization memory object - to determine if it has already loaded (to
prevent loading a second instance of the firewall).
By design, ZoneAlarm\ZoneAlarm Pro has no way of determining which program a
ctually set the Mutex, thus allowing a Trojan to use the Mutex and block bot
h ZoneAlarm and ZoneAlarm Pro from loading.
Exploit:
A Trojan can easily set this Mutex ("Zone Alarm Mutex") with one simple call
to the CreateMutex API (see msdn.microsoft.com for more information on Mute
xes). ZoneAlarm and ZoneAlarm Pro are then prevented from loading as long as
the Trojan is alive. If ZoneAlarm is running, all the Trojan has to do is t
erminate the processes of zonealarm.exe, vsmon.exe and minilog.exe first bef
ore creating the Mutex. Despite being services, vsmon.exe and minilog.exe ca
n both be killed by any program by setting its local process token privilege
s to SeDebugPrivilege, giving it the power to kill any process/service.
範例程式:
A harmless, simple, working executable to demonstrate the vulnerability, is
available at:
http://www.diamondcs.com.au/alerts/zonemutx.exe (16kb).
While the demo program is running, you will not be able to load ZoneAlarm or
ZoneAlarm Pro, and if it finds that ZoneAlarm\ZoneAlarm Pro is running, it
will terminate the ZoneAlarm processes and services first using SeDebugPrivi
lege before stealing the ZoneAlarm Mutex. The demo also opens an echo server
socket to listen on TCP 7, allowing you to test socket connectivity/data tr
ansfer (try telnetting to 127.0.0.1 on port 7 and saying hello).
非官方的修補程式(漏洞補丁):
你可以使用下列修補程式修補此漏洞,不過這個修補程式不是 Zone Labs 公司推出的官
方版本:
http://www.diamondcs.com.au/alerts/zamutex.exe.
Note: This patch is not an official patch from Zone Labs.
This patch re-hashes the Zone Alarm Mutex in both ZoneAlarm and ZoneAlarm Pr
o. It is a temporary "band-aid" patch, and as such it is not bulletproof and
it is possible that it could be undone. However, it still greatly improves
the local security of ZoneAlarm regarding this situation - its Mutex (as dem
onstrated by zonemutx.exe) can no longer be conventionally hijacked. Zone La
bs can only implement the real solution to this problem.
修補程式如何使用:
Download and run zamutex.exe (and needless to say, make sure you properly sh
ut down ZoneAlarm before running the patch) - it will ask you where the Zone
Alarm.exe/ZAPro.exe file you want to patch is located. Select the file, pres
s OK and the program will do the rest by safely patching that file and its a
ccompanying zoneband.dll file.
As with all patches, it is recommended that you make a backup of the files (
zoneband.dll and zonealarm.exe/zapro.exe) before applying the patch.
The information has been provided by Wayne of DiamondCS.
--
M.X的FTP SERVER
ftp://192.168.55.18
※ 来源:·荔园晨风BBS站 bbs.szu.edu.cn·[FROM: 203.93.19.1]
[回到开始]
[上一篇][下一篇]
荔园在线首页 友情链接:深圳大学 深大招生 荔园晨风BBS S-Term软件 网络书店