CVE-2005-2932
CVSS 7.2
Published: 2005-12-31 00:00:00
Revised: 2011-03-07 21:25:18

[Original] Multiple Check Point Zone Labs ZoneAlarm products before 7.0.362, including ZoneAlarm Security Suite 5.5.062.004 and 6.5.737, use insecure default permissions for critical files, which allows local users to gain privileges or bypass security controls.


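[CNNVD] ZoneAlarm products multiple local privilege escalation vulnerabilities (CNNVD-200512-767)

        ZoneAlarm is a personal computer firewall that protects personal data and privacy.
        Multiple security vulnerabilities exist in the implementation and installation of ZoneAlarm; a local attacker may exploit them to elevate privileges.
        The IOCTL handling code of the vsdatant.sys device driver in ZoneAlarm products does not validate user-space supplied addresses passed to IOCTL 0x8400000F and IOCTL 0x84000013. Because the IRQ parameters are not correctly validated, an attacker can use these IOCTLs to overwrite arbitrary memory, including kernel memory and the code segments of running processes, with the constant DWORD value 0x60001 or with the contents of the buffer returned by ZwQuerySystemInformation.
        ZoneAlarm products do not set secure default access control lists (ACLs) during installation. If an administrator installs any of the ZoneAlarm tools, the default ACL allows any user to modify the installed files. Because some of the programs run as system services, an attacker can replace an installed ZoneAlarm file with their own code, which will then execute with system-level privileges.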

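- CVSS (base score)

CVSS score: 7.2 [HIGH]
Confidentiality impact: COMPLETE [total information disclosure, exposing all system files]
Integrity impact: COMPLETE [system integrity can be completely compromised]
Availability impact: COMPLETE [may render the system completely unavailable]
Attack complexity: LOW [no special access conditions are required for exploitation]
Attack vector: LOCAL [exploitation requires physical access or a local account]
Authentication: NONE [exploitation requires no authentication]

- CWE (weakness category)

CWE-264 [Permissions, Privileges, and Access Controls]

- CPE (affected platforms and products)

cpe:/a:checkpoint:zonealarm_security_suite:6.5.737 (Checkpoint ZoneAlarm Security Suite 6.5.737)
cpe:/a:checkpoint:zonealarm:7.0.337.0 (Checkpoint ZoneAlarm 7.0.337.0)
cpe:/a:checkpoint:zonealarm_security_suite:5.5.062.004 (Checkpoint ZoneAlarm Security Suite 5.5.062.004)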

- OVAL (technical details for detection)

No related OVAL definition found

- Official database links

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2932
(Official data source) MITRE
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-2932
(Official data source) NVD
http://www.cnnvd.org.cn/vulnerability/show/cv_cnnvdid/CNNVD-200512-767
(Official data source) CNNVD

- Other links and resources

http://xforce.iss.net/xforce/xfdb/36110
(UNKNOWN)  XF  zonealarm-acl-privilege-escalation(36110)
http://www.vupen.com/english/advisories/2007/2929
(UNKNOWN)  VUPEN  ADV-2007-2929
http://www.securityfocus.com/bid/25377
(UNKNOWN)  BID  25377
http://www.securityfocus.com/bid/25365
(UNKNOWN)  BID  25365
http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53
(UNKNOWN)  MISC  http://www.reversemode.com/index.php?option=com_remository&Itemid=2&func=fileinfo&id=53
http://securitytracker.com/id?1018588
(UNKNOWN)  SECTRACK  1018588
http://secunia.com/advisories/26513
(VENDOR_ADVISORY)  SECUNIA  26513
http://labs.idefense.com/intelligence/vulnerabilities/display.php?id=584
(VENDOR_ADVISORY)  IDEFENSE  20070820 Check Point Zone Labs Multiple Products Privilege Escalation Vulnerability

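- Vulnerability information

ZoneAlarm products multiple local privilege escalation vulnerabilities
High risk  Insufficient information
2005-12-31 00:00:00 2007-08-21 00:00:00
Local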

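- Advisories and patches

        The vendor has released an upgrade patch that fixes this security issue. The patch is available at:
        http://www.zonealarm.com/store/content/catalog/products/trial_zaFamily/trial_zaFamily.jsp

- Vulnerability information (F58735)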

iDEFENSE Security Advisory 2007-08-20.1 (PacketStormID:F58735)
2007-08-21 00:00:00
iDefense Labs  idefense.com
advisory,local
CVE-2005-2932

iDefense Security Advisory 08.20.07 - Local exploitation of an insecure permission vulnerability in multiple Check Point Zone Labs products allows attackers to escalate privileges or disable protection. The vulnerability specifically exists in the default file Access Control List (ACL) settings that are applied during installation. When an administrator installs any of the Zone Labs ZoneAlarm tools, the default ACL allows any user to modify the installed files. Some of the programs run as system services. This allows a user to simply replace an installed ZoneAlarm file with their own code that will later be executed with system-level privileges. iDefense has confirmed the existence of this vulnerability in ZoneAlarm Security Suite 5.5.062.004 and 6.5.737. It is strongly suspected that other versions of ZoneAlarm and other Zone Labs products are affected by this.

Check Point Zone Labs Multiple Products Privilege Escalation Vulnerability

iDefense Security Advisory 08.20.07
http://labs.idefense.com/intelligence/vulnerabilities/
Aug 20, 2007

I. BACKGROUND

Zone Alarm products provide security solutions such as anti-virus,
firewall, spy-ware, and ad-ware protection. More information is
available at the Zone Labs web site at the following URL.

http://www.zonelabs.com/

II. DESCRIPTION

Local exploitation of an insecure permission vulnerability in multiple
Check Point Zone Labs products allows attackers to escalate privileges
or disable protection.

The vulnerability specifically exists in the default file Access Control
List (ACL) settings that are applied during installation. When an
administrator installs any of the Zone Labs ZoneAlarm tools, the
default ACL allows any user to modify the installed files. Some of the
programs run as system services. This allows a user to simply replace
an installed ZoneAlarm file with their own code that will later be
executed with system-level privileges.

III. ANALYSIS

Exploitation allows local attackers to escalate privileges to the system
level. It is also possible to use this vulnerability to simply disable
protection by moving all of the executable files so that they cannot
start on a reboot.

IV. DETECTION

iDefense has confirmed the existence of this vulnerability in ZoneAlarm
Security Suite 5.5.062.004 and 6.5.737. It is strongly suspected that
other versions of ZoneAlarm and other Zone Labs products are affected
by this.

V. WORKAROUND

Apply proper Access Control List settings to the directory that
ZoneAlarm Security Suite is installed in. The ACL rules should make
sure that no regular users can modify files in the directory.

VI. VENDOR RESPONSE

Check Point Zone Labs has addressed this vulnerability in version
7.0.362 of their ZoneAlarm products. For more information, consult the
Check Point Zone Labs download page at the following URL.

http://www.zonealarm.com/store/content/catalog/products/trial_zaFamily/trial_zaFamily.jsp

VII. CVE INFORMATION

The Common Vulnerabilities and Exposures (CVE) project has assigned the
name CVE-2005-2932 to this issue. This is a candidate for inclusion in
the CVE list (http://cve.mitre.org/), which standardizes names for
security problems.

VIII. DISCLOSURE TIMELINE

09/29/2005  Initial vendor notification
09/29/2005  Initial vendor response
10/19/2006  Second vendor notification
08/20/2007  Coordinated public disclosure

IX. CREDIT

The discoverer of this vulnerability wishes to remain anonymous.

Get paid for vulnerability research
http://labs.idefense.com/methodology/vulnerability/vcp.php

Free tools, research and upcoming events
http://labs.idefense.com/

X. LEGAL NOTICES

Copyright     

- Vulnerability information

37385
ZoneAlarm Multiple Products File Permission Weakness Local Privilege Escalation
Local Access Required
Loss of Integrity
Exploit Private

- Vulnerability description

- Timeline

2007-08-20 Unknown
Unknown Unknown

- Solution

Upgrade to version 7.0.362 or higher, as it has been reported to fix this vulnerability. It is also possible to temporarily work around the flaw by implementing the following workaround: Apply proper Access Control List settings to the directory that ZoneAlarm Security Suite is installed in. The ACL rules should make sure that no regular users can modify files in the directory.
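
The workaround above asks that no regular user can modify files in the install directory. The following PowerShell audit is an added example, not part of the iDefense advisory or the vendor's tooling: it lists every allow ACE in a directory tree that grants write-type rights to a principal other than SYSTEM, Administrators or TrustedInstaller. The install path and the choice of trusted principals are assumptions to adjust for the host being checked.

```powershell
param(
    # Assumed install location; the advisory does not name the directory.
    [string]$InstallDir = 'C:\Program Files\Zone Labs'
)

# Principals expected to hold write access, identified by well-known SID (assumed policy).
$trusted = @(
    'S-1-5-18',       # NT AUTHORITY\SYSTEM
    'S-1-5-32-544',   # BUILTIN\Administrators
    'S-1-5-80-956008885-3418522649-1831038044-1853292631-2271478464'  # NT SERVICE\TrustedInstaller
)

# Rights that let a principal alter, replace or re-permission a file.
# "Modify" and "FullControl" are not used in the mask because they also contain read bits.
$writeRights = [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'
$genericWrite = 0x40000000   # GENERIC_WRITE, appears unmapped in some ACEs
$genericAll   = 0x10000000   # GENERIC_ALL
$writeMask = [int]$writeRights -bor $genericWrite -bor $genericAll

$inheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly
$sidType     = [System.Security.Principal.SecurityIdentifier]

# Check the directory itself and everything beneath it, hidden items included.
$items = @(Get-Item -LiteralPath $InstallDir) +
         @(Get-ChildItem -LiteralPath $InstallDir -Recurse -Force)

$findings = foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.GetAccessRules($true, $true, $sidType)) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Inherit-only ACEs do not apply to this object; children are checked on their own.
        if ($ace.PropagationFlags -band $inheritOnly) { continue }
        if ($trusted -contains $ace.IdentityReference.Value) { continue }
        if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
        [pscustomobject]@{
            Path   = $item.FullName
            Sid    = $ace.IdentityReference.Value
            Rights = $ace.FileSystemRights
        }
    }
}

$findings | Format-Table -AutoSize
# Non-zero exit code when any untrusted write access was found, for use in scheduled checks.
if ($findings) { exit 1 }
```

The same check applies to any directory holding binaries that run as a system service, since a writable service binary is the condition the advisory describes.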

- Related references

- Vulnerability author

Unknown or Incomplete