Check Point ZoneAlarm Flaw Allows Privilege Escalation
A vulnerability in Check Point’s popular ZoneAlarm antivirus and firewall allows attackers to escalate their privileges on a system running the security software. The vendor has released an update that should address the flaw.
The issue was discovered last year by Illumant, a company that provides security assessment and compliance solutions. The firm said the vulnerability exists due to the way the application’s developers used Microsoft’s Windows Communication Foundation (WCF) framework. Since WCF was initially codenamed “Indigo,” Illumant has dubbed the vulnerability “OwnDigo.”
Illumant’s findings are based on previous research by Fabius Artrel on privilege escalation and code execution vulnerabilities in applications that use .NET-based WCF services, and research by Matt Graeber on code-signing attacks.
According to Illumant, the vulnerability allows an attacker with limited access to the targeted device to execute arbitrary commands with SYSTEM privileges by abusing a vulnerable ZoneAlarm service. This can be leveraged to add a low-privileged user account to the administrators group.
However, an attack can only be conducted if the attacker’s exploit and payload files are or appear to be signed by Check Point. In order to achieve this, Illumant researchers created a fake code-signing certificate that impersonates Check Point – a user with limited privileges can do this – and installed it on the targeted system. The certificate was then used to sign the exploit and payload code, which could then be executed to elevate privileges.
The company praised Check Point for the way it handled the vulnerability report. The vendor patched the security bug in October with the release of ZoneAlarm Free Antivirus + Firewall version 15.4.062.17802.
Check Point’s security acknowledgements page shows that only a handful of issues were discovered in ZoneAlarm in the past couple of years.
While Illumant demonstrated the attack against ZoneAlarm, the company warns that this is a new class of vulnerabilities that could impact any .NET application using WCF. It has advised software developers to assess their own apps and WCF implementations to ensure that they are not impacted.